Hello,
We'd like to expose our portal to the internet. This means everyone will be able to log on to the portal (after creating a UME user account). UME is configured to lock user accounts after 3 invalid login attempts.
Now how can we prevent anonymous internet users from locking the Administrator account or other system accounts like ADSUser?
The first option would be to implement this on the reverse proxy, e.g. block requests containing j_user=Administrator either in the URL during a GET request or in the body during a POST request.
However, for performance reasons, especially because of the need to scan all POST requests, this option doesn't look very attractive.
A second option would be to deploy a new JAAS LoginModule, configured to always be executed as the first one, that checks the username first and halts the login process if the username is Administrator and the request is coming from a certain IP (the reverse proxy), e.g. by throwing a RuntimeException in the login method (will that work? Any other possibility besides throwing a RuntimeException?).
This doesn't look like a very clean solution either.
What would be the best (safe, clean, easy) way to stop anonymous users from locking the Administrator user account?
Thanks!
Sigiswald
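As an added illustration of the LoginModule idea raised in the question (example code, not from the original post and not SAP's own code): a plain JAAS module that refuses logons for a configured list of protected accounts when the request arrives from the reverse proxy's address. The option names `protectedUsers` and `proxyAddress`, and the use of a `TextInputCallback` to obtain the client address from the container's callback handler, are assumptions; the module is meant to be listed first with the flag REQUISITE, so that a checked LoginException ends the stack before any password-checking module runs.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Rejects logons for protected accounts when the request comes in via the internet-facing proxy. */
public class ProtectedAccountGuard implements LoginModule {
    private CallbackHandler handler;
    private Set<String> protectedUsers; // option "protectedUsers", e.g. "Administrator,ADSUser" (assumed name)
    private String proxyAddress;        // option "proxyAddress": remote address of the reverse proxy (assumed name)

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        String users = (String) options.get("protectedUsers");
        protectedUsers = new HashSet<>(Arrays.asList(users == null ? new String[0] : users.split(",")));
        proxyAddress = (String) options.get("proxyAddress");
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user");
        // Assumption: the container's CallbackHandler answers this prompt with the client's remote address.
        TextInputCallback addr = new TextInputCallback("remote_addr");
        try {
            handler.handle(new Callback[] { name, addr });
        } catch (Exception e) {
            throw new LoginException("cannot read logon data: " + e.getMessage());
        }
        String user = name.getName() == null ? "" : name.getName().trim();
        if (protectedUsers.contains(user) && proxyAddress != null && proxyAddress.equals(addr.getText())) {
            // A checked LoginException rather than a RuntimeException: with this module flagged
            // REQUISITE the stack stops here, so no later module ever sees a failed password attempt.
            throw new LoginException("account not available from this network");
        }
        return false; // this module authenticates nobody itself, so JAAS ignores it for other users
    }

    @Override public boolean commit() { return false; }
    @Override public boolean abort()  { return false; }
    @Override public boolean logout() { return false; }
}
```

Whether the product's own login modules would still count the attempt toward the lock threshold when an earlier REQUISITE module throws is not something this example can show; that has to be checked against the actual login stack.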