Password guessing is a serious threat to an application server. WebLogic can stop it by locking a user account once the number of consecutive invalid password attempts exceeds a configured threshold.
Banking applications in particular need this account locking mechanism. When customers find that their account is locked, they have to ask the bank to unlock it by submitting a request or sending an email from a trusted account. The alternative is to unlock the account automatically after some time, perhaps a day or two.
- Lockout Threshold
- specifies the maximum number of consecutive invalid password attempts allowed before the account is locked.
- Lockout Duration
- specifies the number of minutes to wait before a locked account is unlocked automatically.
- Lockout Reset Duration
- the account is locked only if the Lockout Threshold is reached within this number of minutes. For example, a user may have tried to log in yesterday with an invalid password. If he tries to log in today, he can again make Lockout Threshold consecutive invalid attempts before being locked. If we want yesterday's attempt to count as well, we have to set this value to cover 48 hours.
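To make the interplay of the three settings concrete, here is an added example (not WebLogic's own code) that models the lockout rules described above as a small state machine; the `LockoutPolicy`, `LockoutManager` and `walk_through` names, the single user `alice`, and the integer minute clock are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class LockoutPolicy:
    """Constructed mirror of the three console settings (time values in minutes)."""
    threshold: int = 5          # Lockout Threshold: invalid attempts before a lock
    duration: int = 30          # Lockout Duration: minutes until automatic unlock
    reset_duration: int = 5     # Lockout Reset Duration: window in which attempts count

@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # minute stamps of counted failures
    locked_until: Optional[int] = None                 # minute at which the lock expires

class LockoutManager:
    """Hypothetical model of the rules, not WebLogic's implementation."""
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: int) -> bool:
        st = self.accounts.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        """Outcome of one login attempt at minute `now`: 'locked', 'rejected' or 'accepted'."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"              # still inside the Lockout Duration
            st.locked_until = None           # Lockout Duration elapsed: automatic unlock
            st.failures.clear()
        # Only failures inside the Lockout Reset Duration window count toward the threshold
        st.failures = [t for t in st.failures if now - t < self.policy.reset_duration]
        if password_ok:
            st.failures.clear()              # a successful login resets the counter
            return "accepted"
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = now + self.policy.duration
            return "locked"
        return "rejected"

def walk_through(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay (minute, password_ok) attempts for one constructed user; returns the outcomes."""
    mgr = LockoutManager(policy)
    return [mgr.attempt("alice", ok, t) for t, ok in attempts]
```

Replaying the page's own scenario with `reset_duration=2880` (48 hours) shows yesterday's failure being counted, while the default 5 minute window discards it. Note that a short Lockout Duration limits how long a lock that an attacker deliberately triggers keeps a legitimate user out.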
- Log in to the WebLogic console
- Select Security Realms in the Domain Structure panel
- In Summary of Security Realms, the configured realms are listed; select any of them (we go with the default, myrealm)
- Select the User Lockout tab, which shows the user lockout properties.