We have implemented the Oracle EBS Software Development Kit AppsDataSource and JAAS modules. These work great; however I do have a question regarding User Lockout (after X attempts).
The default settings are all in place re User Lockout (5 attempts, lockout for 30 minutes), however, the users are still able to login to the Application, even after maxing out the attempts! If we have a WL User, these get locked out for the 30 minutes without issue, it is the Oracle ENS (Application / FND) users that are still able to access. This is concerning as I would not want to go live with a situation where a users password could be bruit forced.
Is there anyway within WebLogic that I can 'hook' into the User Lockout mechanism to run some code to expire the FND_USER (EBS) accounts?
I have built a rudimentary workaround in the Login Bean of our application, however, I really feel that WebLogic should be managing this and not the application.
Hope the requirement makes sense!
is the Oracle EBS Software Development Kit AppsDataSource and JAAS modules integrated with Weblogic Server's?
If not, then you will have to write customer authentication providers/ authorizers to do the same. Only then I belive WLS will consider users from these providers for lockout.
Thanks for the reply!
Yes the AppsDataSource and JAAS Modules are integrated into WL as part of the Security Realms Authentication mechanism.
What appears to be happening at the moment, is that the users are 'blocked' for the specified amount of time (under the User Lockout tab) which is okay, but not really what the client is after...
The only other thing I was looking at was a custom User Lockout manager bean, however, time and lack of documentation has prevented me from pursuing further at the moment.
I would have thought though that this would be a key 'Production State' requirement for the Oracle SDK JAAS Module (unless they are leaning on the 30 minute lockout within WebLogic).