How configure threashold for Apache Shiro Excessive Failed Login Attempts?

Question

Apache Shiro documentation implies some desired capabilities for trapping successive failed login attempts (among others) however, I cannot find concrete documentation for this. Presently I can execute currentUser.login(token); with invalid pw infinite times and does not trap and throw this error. I am struggling to find where this is implemented in source.

Is this actually working? Is the threshold configured in shiro.ini? Can anyone point me to the documentation for this (or confirm that it doesn't exist)?

Thanks

Environment Details: Shiro core 1.2.1 and jdbc realm

Begin Documentation Step 3: Handling Success or Failure If the login method returns quietly, that's it - we're done! The Subject has been authenticated. The application thread can continue uninterrupted and all further calls to SecurityUtils.getSubject() will return the authenticated Subject instance, and any calls to subject.isAuthenticated() will return true.

But what happens if the login attempt failed? For example, what if the end-user supplied an incorrect password, or accessed the system too many times and maybe their account is locked?

Shiro has a rich runtime AuthenticationException hierarchy that can indicate exactly why the attempt failed. You can wrap login in a try/catch block and catch any exception you wish and react to them accordingly. For example:

try {
    currentUser.login(token);
} catch ( UnknownAccountException uae ) { ...
} catch ( IncorrectCredentialsException ice ) { ...
} catch ( LockedAccountException lae ) { ...
} catch ( **ExcessiveAttemptsException** eae ) { ...
} ... catch your own ...
} catch ( AuthenticationException ae ) {
    //unexpected error?
}

//No problems, continue on as expected...

If one of the existing exception classes do not meet your needs, custom AuthenticationExceptions can be created to represent specific failure scenarios //No problems, continue on as expected... End Documentaion

Answer 1

If you had simply googled for ExcessiveAttemptsException, in the second link you would have found the answer from Les Hazlewood, the author of shiro:

Anyway, that exception exists but it is not thrown/managed at any point by Shiro. It is there for your use as a convenience so you don't have to create your own Exception class if you don't want to. You would need to instantiate and throw it in your Realm's doGetAuthenticationInfo method when appropriate. The reason Shiro can't do this automatically is that this type of logic (lock account after a certain number of times in a certain number of minutes) is usually entirely dependent upon your application's User data model.