#1022: LoginProtection.kt

Path: projectforge-business/src/main/kotlin/org/projectforge/business/login/LoginProtection.kt
Brute-Force Protection (Singleton)
217 lines · 103 code · 103 comments · 11 blank
Singleton implementing escalating time penalties for failed login attempts, preventing brute-force attacks. Tracks failures separately by user ID (string-based) and client IP address, with configurable thresholds before penalty increments.

Architecture

Dual-Map Penalty System

Maintains two instances of LoginProtectionMap: one keyed by user string (username or authType:username), one keyed by client IP address. On each failed login, both maps are incremented, and the larger of the two penalty offsets (user vs. IP) is returned.

Authentication Type Separation

Penalties are separated by authentication type (DAV, REST_CLIENT, or null for normal login) using the convention "authenticationType:userId". This prevents failed DAV login attempts from blocking the user's web login.

Thresholds

Singleton Access

Accessed via static LoginProtection.instance(). The private constructor configures the two protection maps with different thresholds.
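The sketch below is an added illustration of the dual-map design described above (user map plus IP map, authType-prefixed user keys, the larger offset returned, singleton access). It is not the ProjectForge source; the class and method names, the threshold values (3 free attempts per user, 20 per IP) and the one-second penalty step are assumptions chosen for the example.

```kotlin
import java.util.concurrent.ConcurrentHashMap

// Illustrative sketch of an escalating-penalty map; not the ProjectForge implementation.
class LoginProtectionMap(
    private val failuresBeforePenalty: Int,      // assumed: free attempts before penalties start
    private val penaltyStepMillis: Long,         // assumed: penalty grows by this much per further failure
    private val clock: () -> Long = System::currentTimeMillis
) {
    private class Entry(var failures: Int = 0, var lastFailure: Long = 0L)
    private val entries = ConcurrentHashMap<String, Entry>()

    /** Records a failure and returns the time (ms) the caller must wait before the next attempt. */
    fun incrementFailedLoginTimeOffset(key: String): Long {
        val entry = entries.computeIfAbsent(key) { Entry() }
        return synchronized(entry) {
            entry.failures++
            entry.lastFailure = clock()
            penaltyMillis(entry)
        }
    }

    /** Remaining penalty time in ms, or 0 if the key may try again now. */
    fun getFailedLoginTimeOffsetIfExists(key: String): Long {
        val entry = entries[key] ?: return 0L
        return synchronized(entry) {
            val remaining = entry.lastFailure + penaltyMillis(entry) - clock()
            if (remaining > 0) remaining else 0L
        }
    }

    /** A successful login clears the counter for this key. */
    fun clearLoginTimeOffset(key: String) {
        entries.remove(key)
    }

    // Penalty escalates linearly with every failure beyond the free threshold.
    private fun penaltyMillis(entry: Entry): Long {
        val excess = entry.failures - failuresBeforePenalty
        return if (excess > 0) excess * penaltyStepMillis else 0L
    }
}

class LoginProtection private constructor() {
    // Assumed thresholds: a user gets a few free attempts, an IP address more,
    // because many users may share one address behind NAT.
    private val userMap = LoginProtectionMap(failuresBeforePenalty = 3, penaltyStepMillis = 1_000L)
    private val ipMap = LoginProtectionMap(failuresBeforePenalty = 20, penaltyStepMillis = 1_000L)

    /** Increments both maps and returns the larger penalty offset. */
    fun incrementFailedLoginTimeOffset(userId: String, clientIp: String, authType: String? = null): Long {
        val userOffset = userMap.incrementFailedLoginTimeOffset(userKey(userId, authType))
        val ipOffset = ipMap.incrementFailedLoginTimeOffset(clientIp)
        return maxOf(userOffset, ipOffset)
    }

    fun getFailedLoginTimeOffsetIfExists(userId: String, clientIp: String, authType: String? = null): Long =
        maxOf(
            userMap.getFailedLoginTimeOffsetIfExists(userKey(userId, authType)),
            ipMap.getFailedLoginTimeOffsetIfExists(clientIp)
        )

    fun clearLoginTimeOffset(userId: String, clientIp: String, authType: String? = null) {
        userMap.clearLoginTimeOffset(userKey(userId, authType))
        ipMap.clearLoginTimeOffset(clientIp)
    }

    // "authenticationType:userId" convention keeps DAV/REST failures apart from web logins.
    private fun userKey(userId: String, authType: String?): String =
        if (authType == null) userId else "$authType:$userId"

    companion object {
        private val INSTANCE = LoginProtection()
        @JvmStatic
        fun instance(): LoginProtection = INSTANCE
    }
}

fun main() {
    val lp = LoginProtection.instance()
    // Constructed sample: five web-login failures for one user from one address.
    repeat(5) { i ->
        println("attempt ${i + 1}: wait ${lp.incrementFailedLoginTimeOffset("alice", "10.0.0.5")} ms")
    }
    // DAV failures use the key "DAV:alice", so the user's web-login counter is untouched.
    println("DAV attempt: wait ${lp.incrementFailedLoginTimeOffset("alice", "10.0.0.5", authType = "DAV")} ms")
    println("web remaining: ${lp.getFailedLoginTimeOffsetIfExists("alice", "10.0.0.5")} ms")
    lp.clearLoginTimeOffset("alice", "10.0.0.5")
}
```

With the assumed values, attempts 1 to 3 return 0 ms, attempt 4 returns 1000 ms and attempt 5 returns 2000 ms; the DAV attempt returns 0 ms because its separate key has only one failure and the IP counter is still below its threshold. The check call (getFailedLoginTimeOffsetIfExists) is the one a login filter would consult before even verifying credentials, so a client cannot shorten the wait by retrying early.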

Git History

868d6abb7 2025 -> 2026
63081666f Source file headers: 2024-> 2025.
cc10c2553 Minor improvement LoginProtection.
4c04cfd65 MAJOR-CHANGE! Migration of integer id's to Long id's (including fk's etc.)
b6092df09 Copyright 2023 -> 2024
ab45d51fa Copyright 2001-2022 -> 2001-2023.
5f7ef41b8 Copyright 2021 -> 2022
ceb63e8a1 Source code header: (C) 2001-2021.
09f6c19dd LoginProtect, Filter etc.: log.debug added.
f6e1ee41e Nothing (java doc).
2ca451654 LoginProtection: bug fix for userStrings without userId/username.
37a2a01cb WIP: LoginProtection, rest authentication...