Implemented in 4.4
Official Documentation Available
This topic is now covered in Automatic lockout.
- Make an account inaccessible after a set number of failed login attempts
- Let the admin set the maximum number of attempts (default 5?)
a) Modify the User interface and JCRAuthenticationModule
- after each failed attempt, increase an int counter
- save this value as node data
- if it reaches the max value, then lock the account
- after a successful login, null (reset) the value
b) Implement in the login filter
- check the user from the HTTP request and the login result status
- check for user "repetition"
Hard lock - use the existing method to disable the account until it is enabled again by an admin.
Time lock - implement a lock based on a time period before the account is enabled again, with the possibility to null this and make the account accessible immediately (probably in the edit user dialog).
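
The counter logic from option a) combined with both lock types, as an added sketch that is not Magnolia's implementation. The class `LockoutTracker` and all its method names are hypothetical, and an in-memory map stands in for the value saved as node data on the user.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Added example, hypothetical names: the map replaces the per-user node data.
public class LockoutTracker {
    private static final class State { int failures; Instant lockedAt; }

    private final Map<String, State> users = new HashMap<>();
    private final int maxAttempts;      // set by the admin
    private final Duration lockPeriod;  // null = hard lock, otherwise time lock

    public LockoutTracker(int maxAttempts, Duration lockPeriod) {
        this.maxAttempts = maxAttempts;
        this.lockPeriod = lockPeriod;
    }

    // Call before checking credentials so a locked account never reaches the password check.
    public synchronized boolean isLocked(String user, Instant now) {
        State s = users.get(user);
        if (s == null || s.lockedAt == null) return false;
        if (lockPeriod == null) return true;  // hard lock: only unlock() clears it
        if (now.isBefore(s.lockedAt.plus(lockPeriod))) return true;
        users.remove(user);                   // time lock expired: start from zero
        return false;
    }

    // Increase the counter after each failed attempt; lock once it reaches the max value.
    public synchronized void recordFailure(String user, Instant now) {
        State s = users.computeIfAbsent(user, k -> new State());
        if (s.lockedAt == null && ++s.failures >= maxAttempts) s.lockedAt = now;
    }

    // Null the counter after a successful login.
    public synchronized void recordSuccess(String user) { users.remove(user); }

    // Admin action (for example from the edit user dialog): make the account accessible immediately.
    public synchronized void unlock(String user) { users.remove(user); }

    public static void main(String[] args) {
        LockoutTracker t = new LockoutTracker(5, Duration.ofMinutes(15));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");  // constructed timestamp
        for (int i = 0; i < 5; i++) t.recordFailure("alice", t0);
        System.out.println(t.isLocked("alice", t0.plusSeconds(60)));       // inside the lock period
        System.out.println(t.isLocked("alice", t0.plusSeconds(16 * 60)));  // after the lock period
    }
}
```

Passing `null` as the lock period gives the hard lock; the clock is passed in as a parameter so expiry can be tested without waiting.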