8 Replies Latest reply on Apr 15, 2013 8:44 PM by SarahInVancouver

    How to trace invalid login attempts

      I have a requirement specified that I need to display a message after 3 times unsuccessful login. The unsuccessful login could be wrong username or wrong password.

      I am using Oracle JDeveloper with integrated Weblogic 10.3.5. I am using WebLogic SQL authentication provider.

      Is there any API I can use in my LoginBean to trace times of the invalid login attempts?

      I have thought about using session attribute to trace the invalid login attempts, but then I realized I need to trace the invalid login attempts from WebLogic side, as the user may close browser and try login again.

      Please advise, and thanks in advance.
        • 1. Re: How to trace invalid login attempts
          Are weblogic server logs not writting the invalid logins? I think there would be enteries in the server logs , you may need to enable following debug

          go to server-->server name-->Debug-->expand weblogic-->expand security--> Enable SecurityAtn

          This should print the information of invalid logins. ( Make sure your logging level is set to DEBUG)

          • 2. Re: How to trace invalid login attempts
            Thanks for your suggestions, but I need to retrieve the times of invalid login attempts in my Java code, not from the server log.
            As per the requirement, if there are 3 times of invalid login, no matter it is invalid username of invalid password, I need to display a message "Please contact system administrator" on UI.

            If my understanding is correct, WebLogic's user lockout is only for the invalid password for a specific user. My requirement only counts the total of invalid attempts, it could be invalid username, not just invalid password. If the invalid attempts total count reaches 3, I need to display a message.

            Any suggestion on how to make it? Thanks.
            • 3. Re: How to trace invalid login attempts
              You would have to make use of JMX coding.

              Use following Mbean to get the invalid login attempt of particular user:



              Hope this helps.

              • 4. Re: How to trace invalid login attempts
                Thank you Kirandeep. That is helpful, if the invalid login is for a particular user.

                My question is, if the user tries invalid password for different user account, can we check how many times the invalid login attempt is?

                getLoginFailureCount() is a method for a particular user account. If user has tried different user account to login, is there a way to check the total of invalid login attempts?

                I see there is another method getInvalidLoginAttemptsTotalCount(), it seems this method returns the number of invalid logins attempted since this server has been started and lockouts have been enabled. So this is the invalid login attempts total. My example is, suppose John and me are working on our development build at the same time, if I have 3 times of invalid login on my PC, and John has 3 times invalid login on his PC, this method would return 6, right? As we share the same dev environment WebLogic server. I have not used this method getInvalidLoginAttemptsTotalCount() before, not sure if my guess is right.

                Please advise, and thank you for your time.

                • 5. Re: How to trace invalid login attempts
                  Hi Sarah,

                  Your understading regards to getInvalidLoginAttemptsTotalCount(), is correct.

                  I am not sure what is the exact requirment ,as per my understading you want to print a message if a user tries invalid login for 3 times. ( correct me if I am wrong )

                  You can take it this way, in UserLockoutManagerMBean, there is a threashold after which the particulr user is locked, by default is set to 5. (getLockoutThreshold) , if you set it to 2 , user will be locked on third consecutive login.This can easly be set on WLS console.

                  So you can check if user is locked or not and print the message :)

                  • 6. Re: How to trace invalid login attempts
                    Let's say I am going to log into the system, and I assume the user account lockout is configured as 3 times in my WebLogic.

                    First time, I try userAccount1/invalidPSD1, second time, I try userAccount1/invalidPSD2, third time, I change to userAccount2/invalidPSD3. In this case, I would not trigger the user account lockout, as I try 2 times for userAccount1 and 1 time for userAccount2. But as per the requirement, I need to print out the message 'Please contact system administrator', because I already tried 3 times unsuccessful login.

                    Hopefully this example clarify my question.

                    Again, thank you for looking at my issue.
                    • 7. Re: How to trace invalid login attempts
                      In this case you can make use of getInvalidLoginAttemptsTotalCount(), get the value and if its more than 3 times then you can print the message.

                      • 8. Re: How to trace invalid login attempts
                        I don't think getInvalidLoginAttemptsTotalCount() would work for me.

                        Think about the following scenario:
                        Assume the user lockout is set to 3 times. Assume 2 developers are working on the same build on dev environment. On the backend, they connect to the same WebLogic server. John is trying userAccount1/invalidPassword1, userAccount2/invalidPassword2, and Sarah is trying userAccount3/invalidPassword3, userAccount4/invalidPassword4.

                        If I call getInvalidLoginAttemptsTotalCount(), it would return 4 and print out the message, as there are 4 invalid login attempts in total.
                        But actually both John and Sarah should not see this message, as they only tried 2 times on their PC.

                        Kirandeep, thanks for your help anyways.