Deactivating user after n incorrect login attempts

We are currently working on a new implementation for the BruteForceUserCredentialsChecker based on another thread we read on the forum.
We added a new configuration such that the user can be blocked “permanently” (or would need a recovery by the administrator) or using the regular brute force protection method (an interval of time).
For the first option, we created a new userBlockingBean with a method “blockUser” which is defined as follows:

    public void blockUser(AbstractClientCredentials clientCredentials) {
        EntityManager em = persistence.getEntityManager();
        Query query = em.createQuery("select e from sec$User e where e.login = :login").setParameter("login", clientCredentials.getUserIdentifier());
        User user = (User) query.getFirstResult();

The merge does not seem to be working. We believe this happens because this method is executed prior to authentication, therefore we cannot rely on having a valid transactional context. Is there any way we can set the user as inactive on the database prior to the login?

Thanks beforehand,


Take a loot at System Authentication. It should help to resolve your task.