Apache Shiro documentation implies some desired capabilities for trapping successive failed login attempts (among others) however, I cannot find concrete documentation for this. Presently I can execute currentUser.login(token); with invalid pw infinite times and does not trap and throw this error. I am struggling to find where this is implemented in source.

Is this actually working? Is the threshold configured in shiro.ini? Can anyone point me to the documentation for this (or confirm that it doesn’t exist)?

Thanks

Environment Details: Shiro core 1.2.1 and jdbc realm

Begin Documentation
Step 3: Handling Success or Failure
If the login method returns quietly, that’s it – we’re done! The Subject has been authenticated. The application thread can continue uninterrupted and all further calls to SecurityUtils.getSubject() will return the authenticated Subject instance, and any calls to subject.isAuthenticated() will return true.

But what happens if the login attempt failed? For example, what if the end-user supplied an incorrect password, or accessed the system too many times and maybe their account is locked?

Shiro has a rich runtime AuthenticationException hierarchy that can indicate exactly why the attempt failed. You can wrap login in a try/catch block and catch any exception you wish and react to them accordingly. For example:

try {
    currentUser.login(token);
} catch ( UnknownAccountException uae ) { ...
} catch ( IncorrectCredentialsException ice ) { ...
} catch ( LockedAccountException lae ) { ...
} catch ( **ExcessiveAttemptsException** eae ) { ...
} ... catch your own ...
} catch ( AuthenticationException ae ) {
    //unexpected error?
}

//No problems, continue on as expected...

If one of the existing exception classes do not meet your needs, custom AuthenticationExceptions can be created to represent specific failure scenarios
//No problems, continue on as expected…
End Documentaion