[Zope] Handling login failures
Tino Wildenhain
tino at wildenhain.de
Wed Jan 11 11:37:36 EST 2006
Håkan Johansson schrieb:
> Hi everyone.
>
> I want to be able to block a user from logging in if he fails to give
> the right login/password three times in a row. The problem is that I
> don't know how to do this.
Because it isn't really possible/practicable at all with HTTP.
> First, I need to know if an attempt failed. This, I have no idea how to do.
>
> Second, I need to block the user without deleting him. One problem here
> is that the user can write different login names for the different login
> attempts. We have been thinking about blocking the offender's IP for 30
> minutes or so and leave it at that. It seems to me that
> SiteAccess.AccessRule could be used for that, but I haven't looked much
> into it yet. The documentation is extremely light.
And if the offender uses a proxy where your true user is also coming from?
>
> I have a very clean Zope 2.8.4 installation on a SuSE linux machine.
> Logins are handled in the standard Zope way, nothing special added.
> The Zope is running as a stand alone server, i.e. no Apache at all.
>
> Another thing: How do I get Zope to log failed authentication attempts?
> Neither event.log or Z2.log shows anything. As Z2.log is the access log,
> I would have guessed that such things should be logged there. If not,
> where and how?
You could "log" the Unauthorized - but this does not really help.
You'd better use one of the pluggable auth folders (PAS, ExUserFolder etc.)
and bend them to your needs - maybe with a small memory pool for the
counter/queue of failed login attempts.
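To make the "small memory pool" idea concrete, here is an added example (it is neither from this thread nor from Zope or PAS itself) of an in-memory failed-login tracker that a custom authentication plugin could consult before checking a password. It keeps two counters, one per login name (an attacker cycling passwords for one account) and one per client IP (an attacker cycling login names), with a deliberately higher IP threshold so that many real users behind one proxy are not locked out together, which is the caveat raised above. The thresholds (3 and 20 failures), the 15-minute window, the 30-minute lock, the `authenticate` wrapper and the `users` dict are all assumptions made for the example; in Zope the equivalent of `authenticate` would be the plugin's authenticateCredentials method, and the user lookup would be the real user source.

```python
"""In-memory failed-login tracker (added example; not Zope/PAS code)."""
import logging
import time
from collections import deque

log = logging.getLogger("auth")


class LoginAttemptTracker:
    """Remember recent failed logins and decide when to refuse further attempts.

    Two independent keys are tracked:
      * ("login", name): locked after `login_threshold` failures in `window` s,
      * ("ip", addr):    locked after `ip_threshold` failures in `window` s.
    The IP threshold is higher on purpose: many legitimate users can share one
    proxy address, so an IP lock must be much harder to trigger.
    """

    def __init__(self, login_threshold=3, ip_threshold=20,
                 window=15 * 60, lock_for=30 * 60, clock=time.time):
        self.thresholds = {"login": login_threshold, "ip": ip_threshold}
        self.window = window        # seconds a failure stays in the counter
        self.lock_for = lock_for    # seconds a lock lasts once triggered
        self.clock = clock          # injectable for deterministic tests
        self._failures = {}         # key -> deque of failure timestamps
        self._locked_until = {}     # key -> time at which the lock expires

    @staticmethod
    def _keys(login, ip):
        return (("login", login), ("ip", ip))

    def _recent_failures(self, key, now):
        """Drop timestamps older than the window; return how many remain."""
        q = self._failures.get(key)
        if q is None:
            return 0
        while q and now - q[0] > self.window:
            q.popleft()
        if not q:
            del self._failures[key]     # keeps the pool from growing forever
            return 0
        return len(q)

    def is_locked(self, login, ip):
        """True if either the login name or the IP is currently locked."""
        now = self.clock()
        for key in self._keys(login, ip):
            until = self._locked_until.get(key)
            if until is None:
                continue
            if now < until:
                return True
            del self._locked_until[key]  # lock expired; forget it
        return False

    def record_failure(self, login, ip):
        """Count one failure; return the list of key kinds that became locked."""
        now = self.clock()
        newly_locked = []
        for key in self._keys(login, ip):
            self._failures.setdefault(key, deque()).append(now)
            if self._recent_failures(key, now) >= self.thresholds[key[0]]:
                self._locked_until[key] = now + self.lock_for
                self._failures.pop(key, None)
                newly_locked.append(key[0])
        log.warning("login failure login=%r ip=%s locked=%s", login, ip, newly_locked)
        return newly_locked

    def record_success(self, login, ip):
        """A correct password clears the per-login counter, but not the IP one."""
        self._failures.pop(("login", login), None)


def authenticate(tracker, users, login, password, ip):
    """Stand-in for what a PAS authentication plugin would do per request.

    `users` is a constructed login -> password mapping for the example only.
    Returns "locked", "ok" or "failed".
    """
    if tracker.is_locked(login, ip):
        return "locked"
    if users.get(login) == password:
        tracker.record_success(login, ip)
        return "ok"
    tracker.record_failure(login, ip)
    return "failed"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    tracker = LoginAttemptTracker()
    users = {"alice": "s3cret"}             # constructed sample user
    for attempt in ("wrong", "wrong", "wrong", "s3cret"):
        print(authenticate(tracker, users, "alice", attempt, "10.0.0.1"))
```

The lock check happens before the password comparison, so a locked account is refused even with the right password until the lock expires; the IP counter is not cleared by a success because an attacker guessing names from one address may well hit a valid one along the way.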