Security Realm-->UserLockout
Overview
WebLogic Server provides a set of attributes to protect user accounts from intruders. By default, these attributes are set for maximum protection. As a system administrator, you have the option of turning off all the attributes, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Use this page to change these attributes. Remember that changing the attributes on this page lessens security and leaves user accounts vulnerable to security attacks.
If a user lockout security event occurs on one node of a cluster, the other nodes in the cluster are notified of the event and the user account is locked on all nodes in the cluster. This feature prevents a hacker from systematically breaking into all the nodes in a cluster.
Note that the User Lockout attributes apply to the security realm and all its security providers. If you are using an Authentication provider that has its own mechanism for protecting user accounts, disable the Lockout Enabled attribute.
If a user account becomes locked and you delete the user account and add another user account with the same name and password, the UserLockout attribute will not be reset.
Tasks
Protecting User Accounts
Related Topics
Introduction to WebLogic Security
Managing WebLogic Security
Securing WebLogic Resources
Programming WebLogic Security
Developing Security Providers for WebLogic Server
Securing a Production Environment
The Security topics in the WebLogic Server 8.1 Upgrade Guide
Security FAQ
The Security page in the WebLogic Server documentation
Attributes
| Attribute Label | Description | Value Constraints |
|---|---|---|
| Lockout Enabled | Requests the locking of a user account after invalid attempts to log in to that account exceed the specified Lockout Threshold. By default, this attribute is enabled. MBean: weblogic.management.security.RealmMBean. Attribute: LockoutEnabled | |
| Lockout Threshold | Number of failed user password entries that can be tried before that user account is locked. Any subsequent attempts to access the account (even if the username/password combination is correct) raise a Security exception; the account remains locked until it is explicitly unlocked by the system administrator or another login attempt is made after the lockout duration period ends. Invalid login attempts must be made within a span defined by the Lockout Reset Duration attribute. The default is 5. MBean: weblogic.management.security.RealmMBean. Attribute: LockoutThreshold | |
| Lockout Duration | Number of minutes that a user's account remains inaccessible after being locked in response to several invalid login attempts within the amount of time specified by the Lockout Reset Duration attribute. The default is 30 minutes. MBean: weblogic.management.security.RealmMBean. Attribute: LockoutDuration | Units: minutes |
| Lockout Reset Duration | Number of minutes within which invalid login attempts must occur in order for the user's account to be locked. An account is locked if the number of invalid login attempts defined in the Lockout Threshold attribute happens within the amount of time defined by this attribute. For example, if the value in Lockout Reset Duration attribute is 5 minutes, the Lockout Threshold is 3, and 3 invalid login attempts are made within a 6 minute interval, then the account is not locked. If 3 invalid login attempts are made within a 5 minute period, however, then the account is locked. The default is 5 minutes. MBean: weblogic.management.security.RealmMBean. Attribute: LockoutResetDuration | Units: minutes |
| Lockout Cache Size | Specifies the intended cache size of unused and invalid login attempts. The default is 5. MBean: weblogic.management.security.RealmMBean. Attribute: LockoutCacheSize | |
| Lockout GCThreshold | The maximum number of invalid login records that the server keeps in memory. If the number of invalid login records is equal to or greater than the value of this attribute, the server's garbage collection purges the records that have expired. A record expires when the user associated with the record has been locked out. The default is 400 records. MBean: weblogic.management.security.RealmMBean. Attribute: LockoutGCThreshold | |
| Invalid Login Attempts Total Count | The total number of invalid logins attempted since the server has been started and since lockouts have been enabled. MBean: weblogic.management.security.RealmMBean. Attribute: InvalidLoginAttemptsTotalCount | |
| User Lockout Total Count | The total number of user lockouts that have occurred since the server has been started. MBean: weblogic.management.security.RealmMBean. Attribute: UserLockoutTotalCount | |
| Login Attempts While Locked Total Count | The total number of invalid logins attempted since the server has been started and since lockouts have been enabled. MBean: weblogic.management.security.RealmMBean. Attribute: LoginAttemptsWhileLockedTotalCount | |
| Invalid Login Users High Count | The highest number of users with concurrent unexpired or uncleared invalid login attempts. MBean: weblogic.management.security.RealmMBean. Attribute: InvalidLoginUsersHighCount | |
| Locked Users Current Count | The number of users that are currently locked out of the server. MBean: weblogic.management.security.RealmMBean. Attribute: LockedUsersCurrentCount | |
| Unlocked Users Total Count | The total number of times users have been unlocked since the server has been started. MBean: weblogic.management.security.RealmMBean. Attribute: UnlockedUsersTotalCount | |
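
The interaction of Lockout Threshold, Lockout Reset Duration and Lockout Duration described above, as an added Python model that is not WebLogic code and not part of the original page; it replays the page's worked example (threshold 3, reset duration 5 minutes). The class and function names, the sample events, locking on the attempt that reaches the threshold, and unlocking once exactly the full duration has elapsed are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutModel:
    """Toy model of the User Lockout attributes; all times are in minutes."""
    threshold: int = 5           # Lockout Threshold (page default)
    reset_duration: int = 5      # Lockout Reset Duration (page default)
    lockout_duration: int = 30   # Lockout Duration (page default)
    enabled: bool = True         # Lockout Enabled
    failures: dict = field(default_factory=dict)   # user -> recent failure times
    locked_at: dict = field(default_factory=dict)  # user -> minute the lock began
    attempts_while_locked: int = 0
    lockouts: int = 0

    def login(self, user, password_ok, now):
        """Return 'ok', 'fail' or 'locked' for one attempt at minute `now`."""
        if not self.enabled:
            return "ok" if password_ok else "fail"
        if user in self.locked_at:
            if now - self.locked_at[user] < self.lockout_duration:
                # Even a correct password is rejected while the lock holds.
                self.attempts_while_locked += 1
                return "locked"
            # Lockout duration has ended: evaluate this attempt normally.
            del self.locked_at[user]
            self.failures.pop(user, None)
        if password_ok:
            return "ok"  # assumption: earlier failures simply age out
        # Keep only failures inside the reset window, then record this one.
        recent = [t for t in self.failures.get(user, [])
                  if now - t <= self.reset_duration]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.threshold:  # assumption: lock on reaching it
            self.locked_at[user] = now
            self.lockouts += 1
        return "fail"

def replay(model, events):
    """events: (minute, user, password_ok) tuples; constructed sample input."""
    return [model.login(user, ok, minute) for minute, user, ok in events]

# Three failures spread over 6 minutes: no lock, the correct password works.
spread = replay(LockoutModel(threshold=3), [
    (0, "alice", False), (3, "alice", False), (6, "alice", False), (7, "alice", True)])
# Three failures within 5 minutes: locked, then usable again after 30 minutes.
burst = replay(LockoutModel(threshold=3), [
    (0, "alice", False), (2, "alice", False), (5, "alice", False),
    (6, "alice", True), (36, "alice", True)])
```

Replaying real authentication logs through a model like this shows how many lockouts a candidate threshold and window would have produced before the settings are changed on the realm.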