@darranl darranl commented Apr 30, 2025

@github-actions github-actions bot added the stability-level/default "Default" stability-level label Apr 30, 2025
* HTTP Programmatic

The wrapper will be applied automatically by the `elytron` subsystem, it will be possible to override the
default behaviour by setting the following realm specific system properties:
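
Review bot: the first line of this passage joins two independent sentences with a comma ("...by the `elytron` subsystem, it will be possible to override..."). Split it into two sentences and hyphenate "realm-specific" so that the override mechanism reads as its own statement.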
@OndrejKotek OndrejKotek May 19, 2025

Would it be useful to have also global settings for all security realms to be configurable at once? (E.g. just by omitting [REALM NAME].)

Contributor Author

@OndrejKotek I have been thinking about this and IMO we should not add a global option.

The system property approach we are taking here is a short term configuration option until we are ready to add management attributes to configure this - once we add those attributes they will be on a realm by realm basis so we will not have a global equivalent.

We could consider a global management option but we don't really do that for other resources so I think I would prefer to keep per realm unless we receive end user requests for a global config option.

a defined period of time after a defined number of failed authentication attempts. The failed authentication
attempts will be tracked in an in-memory cache.

The utility will be enabled by default for the following security realms:
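
Review bot: the "in-memory cache" sentence does not say how the cache is bounded or what its scope is. Every tracked failure adds state, so the text should name a maximum size or eviction policy, and say whether the counts are local to one server process and discarded on restart, if that is the intended behaviour. "A defined period of time" and "a defined number of failed authentication attempts" would also be clearer with the default values named at this point.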

How are we going to handle realms referencing these basic security realms? (For example failover-realm, distributed-realm, aggregate-realm.) Will it be possible to apply the configuration properties also to those? If so, which configuration would have precedence? Or will those security realms rather only let the protection on the wrapped realms?

Contributor Author

I am adding a clarification to the analysis but IMO we should not apply it to these realms so we don't need to worry about precedence and instead will apply it just to the realm that actually handles the raw identities.

@github-actions github-actions bot added stability-level/default "Default" stability-level and removed stability-level/default "Default" stability-level labels Jan 9, 2026