Thursday, November 10, 2011

User Lockout feature in Weblogic Server

Hi,

Problem:

In real-life projects we generally use an LDAP server, often Microsoft Active Directory (AD), to authenticate and authorize users.

One common security policy is to lock a user account for some period of time after a few invalid login attempts. As an end user or system administrator you would assume this is the responsibility of the LDAP authentication provider, which makes sense.

One should be aware that, in addition to the LDAP authentication provider, WebLogic Server also has its own user lockout feature, which locks the user at the WebLogic level as well: by default, after 5 invalid login attempts the user is locked out for 30 minutes.

Example:

  • We have the default WebLogic user lockout settings enabled
  • User zbaig makes 5 invalid login attempts and gets the "Invalid username or password" message in the application



Solution 1: Unlock the user in WebLogic Server:

  • To allow zbaig to log in again we need to either wait 30 minutes or unlock the user (this is the default behavior; you can change the settings as per your requirement)
  • To unlock the user from WebLogic Server:
  • Click on your domain name in the Domain Structure pane on the left
  • Go to the Security tab, then the Unlock User tab
  • Enter the username you want to unlock and press Save
  • Try again with user zbaig and you will see the welcome page of the application

Solution 2: Disable the WebLogic locking feature:

  • To let Active Directory control user account lock and unlock, you can disable this feature as shown in the following slide
  • Clear the Lockout Enabled check box and restart all managed servers, including the AdminServer
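As an added example (not the author's code and not WebLogic's implementation), here is a small Python model of the WebLogic-level lock described above, using the documented defaults of 5 attempts and a 30-minute lock, plus the 5-minute reset window within which attempts are counted; `UserLockoutModel`, `login` and `scenario` are hypothetical names. It shows why a user whose password AD now accepts is still refused until the 30 minutes pass or an administrator clears the lock (Solution 1), and what disabling the feature (Solution 2) changes.

```python
# Documented WebLogic UserLockoutManager defaults: 5 invalid attempts lock the
# user for 30 minutes; attempts are only counted within a 5-minute window.
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = 30 * 60        # seconds
LOCKOUT_RESET_DURATION = 5 * 60   # seconds

class UserLockoutModel:
    """Constructed model of the WebLogic-level lock that sits in front of AD."""
    def __init__(self, enabled=True):
        self.enabled = enabled     # the "Lockout Enabled" check box
        self.failures = {}         # user -> times of recent invalid logins
        self.locked_until = {}     # user -> time the lock expires

    def record_failure(self, user, now):
        """Count an invalid login; return True if this attempt locks the user."""
        if not self.enabled:       # Solution 2: only AD's policy applies
            return False
        recent = [t for t in self.failures.get(user, [])
                  if now - t < LOCKOUT_RESET_DURATION] + [now]
        self.failures[user] = recent
        if len(recent) < LOCKOUT_THRESHOLD:
            return False
        self.locked_until[user] = now + LOCKOUT_DURATION
        self.failures[user] = []
        return True
    def seconds_remaining(self, user, now):
        """0 when the user may try again, otherwise the wait still left."""
        return max(0, int(self.locked_until.get(user, 0) - now))
    def clear_lockout(self, user):
        """Solution 1: an administrator unlocks the user (console or API)."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

def login(model, user, password_ok, now):
    """WebLogic rejects a locked user before AD is asked; same message either way."""
    if model.seconds_remaining(user, now) > 0:
        return "Invalid username or password"
    if password_ok:
        return "welcome"
    model.record_failure(user, now)
    return "Invalid username or password"

def scenario(enabled=True):
    """zbaig: five bad passwords 10 s apart, the right one, then an unlock."""
    m = UserLockoutModel(enabled)
    for i in range(5):
        login(m, "zbaig", False, now=10.0 * i)
    while_locked = (login(m, "zbaig", True, 50.0), m.seconds_remaining("zbaig", 50.0))
    m.clear_lockout("zbaig")
    return while_locked + (login(m, "zbaig", True, 60.0),)
```

With the lock enabled, `scenario()` returns the generic failure plus 1790 seconds of remaining wait, then "welcome" after the unlock; with `enabled=False` the fifth bad password locks nothing and AD alone decides.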


Final thoughts:
Personally I would go for Solution 2 for ease of administration with large numbers of users; it also helps if you have a single sign-on solution covering many domains, such as Oracle Access Manager (OAM).

If you are using the embedded LDAP server of WebLogic then Solution 1 is your only choice :)

Have a nice day,
Zeeshan Baig

9 comments:

  1. Very nice blog, thanks for sharing your knowledge.

  2. Hi Muhammad,

    can you get the LDAP server to send the user an email informing them what to do if they get locked out ?

    Mick

  3. Hi Mick,

    I don't think WLS provides any automated solution for this. You can probably use a custom identity asserter to verify user status, but this is just a blind guess. Maybe Oracle Access Manager has something.

    If you know anything let me know as well.

    ZB

  4. Thank you very much. Then how can I catch the exception of a locked account? I mean, how do I tell the user that he is locked and should wait a few minutes?

    1. Hi,

      Check the link, it might be helpful: http://weblogic-wonders.com/weblogic/2010/11/12/userlockout-feature-of-weblogic-server/

      Zeeshan

  5. Is there a way to programmatically unlock the user?

    1. Hi,

      Yes, you can, using the Java APIs for WebLogic Server; check this: https://docs.oracle.com/middleware/1212/wls/WLAPI/toc.htm

      Regards,
      Zeeshan Baig

    2. Great to know! Thank you very much Zeeshan!