Hi!
We are currently working on a new implementation for the BruteForceUserCredentialsChecker based on another thread we read on the forum.
We added a new configuration option so that the user can be blocked either “permanently” (requiring recovery by the administrator) or using the regular brute-force protection method (a time interval).
For the first option, we created a new userBlockingBean with a method “blockUser” which is defined as follows:
```java
@Transactional
public void blockUser(AbstractClientCredentials clientCredentials) {
    EntityManager em = persistence.getEntityManager();
    // Typed query: getFirstResult() would return the pagination offset (an int), not the entity
    TypedQuery<User> query = em.createQuery("select e from sec$User e where e.login = :login", User.class)
            .setParameter("login", clientCredentials.getUserIdentifier());
    List<User> users = query.getResultList();
    if (users.isEmpty()) {
        return; // unknown login, nothing to block
    }
    User user = users.get(0);
    user.setActive(false);
    em.merge(user);
}
```
The merge does not seem to be working. We believe this happens because this method is executed prior to authentication, so we cannot rely on having a valid transactional context. Is there any way we can set the user as inactive in the database prior to login?
Thanks in advance,
T.
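One way to persist the lockout without depending on the caller's transactional context is to open a dedicated transaction inside the bean. The following is an added example, not code from the original post or from the CUBA Platform itself; it assumes CUBA's `Persistence.createTransaction()` / `Transaction` API, the `TypedQuery` returned by `EntityManager.createQuery(String, Class)` and the standard `sec$User` entity. The package name and bean name are placeholders, and the method takes the login string so the caller can pass `clientCredentials.getUserIdentifier()`.

```java
package com.company.app.core;  // placeholder package, assumed for the example

import javax.inject.Inject;
import java.util.List;

import com.haulmont.cuba.core.EntityManager;
import com.haulmont.cuba.core.Persistence;
import com.haulmont.cuba.core.Transaction;
import com.haulmont.cuba.core.TypedQuery;
import com.haulmont.cuba.security.entity.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

/**
 * Persists a permanent account lockout in its own transaction, so the write
 * does not rely on whatever transactional context (possibly none) exists
 * while credentials are still being checked.
 */
@Component(UserBlockingBean.NAME)
public class UserBlockingBean {

    public static final String NAME = "app_UserBlockingBean";  // constructed placeholder bean name

    private static final Logger log = LoggerFactory.getLogger(UserBlockingBean.class);

    @Inject
    private Persistence persistence;

    /**
     * Deactivates the account identified by {@code login}.
     *
     * @return true if a matching user was found and is now inactive, false otherwise
     */
    public boolean blockUser(String login) {
        if (login == null || login.isEmpty()) {
            return false;
        }
        // createTransaction() always starts a new transaction, independent of the caller.
        // try-with-resources rolls it back unless commit() is reached.
        try (Transaction tx = persistence.createTransaction()) {
            EntityManager em = persistence.getEntityManager();
            TypedQuery<User> query = em.createQuery(
                    "select e from sec$User e where e.login = :login", User.class)
                    .setParameter("login", login);
            List<User> users = query.getResultList();
            if (users.isEmpty()) {
                // Unknown login: nothing to block. The authentication failure message shown to
                // the client should stay generic so this lookup does not leak valid logins.
                return false;
            }
            User user = users.get(0);
            if (!Boolean.FALSE.equals(user.getActive())) {
                // The entity is managed inside this transaction, so the change is flushed on
                // commit; no explicit merge is required.
                user.setActive(false);
                log.warn("Account '{}' locked after repeated failed logins; administrator recovery required", login);
            }
            tx.commit();
            return true;
        }
    }
}
```

Because the lockout is committed in its own transaction, it survives even when the surrounding authentication attempt fails and rolls back, and the warning log line gives the SOC a concrete event to alert on. The only recovery path is an administrator re-enabling the account, which matches the “permanent” option described in the post.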