I'm working on a J2EE (Servlets & JSP MVC) application for use in the gov't sector. Apps in the gov't sector require account controls to be met IAW the following:
- Account Lockout after 3 failed login attempts
- Notification of failed login on next successful login
- Application account password changed every 60 days. If not, account is locked
I have a users table in the database that stores the username, password and role. I'm sure I have to add additional columns to capture failed login attempts, etc., but I wanted to know if someone has a good working solution or a good approach to satisfy this requirement?
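
One way to model the three controls listed in the question, as an added example that is not part of the original post. The class name `AccountPolicy`, the `Account` fields (standing in for assumed extra columns on the users table) and the `login` helper are all hypothetical, and the password comparison itself is left to the caller.

```java
import java.time.Duration;
import java.time.Instant;

// Hypothetical model of one row in the users table; failedAttempts, locked
// and passwordChangedAt are assumed additional columns.
public class AccountPolicy {
    static final int MAX_FAILED_ATTEMPTS = 3;                    // lockout threshold from the requirements
    static final Duration MAX_PASSWORD_AGE = Duration.ofDays(60); // password lifetime from the requirements

    static class Account {
        int failedAttempts;        // failures since the last successful login
        boolean locked;
        Instant passwordChangedAt;
        Account(Instant passwordChangedAt) { this.passwordChangedAt = passwordChangedAt; }
    }

    enum Result { SUCCESS, BAD_CREDENTIALS, LOCKED }

    static class Outcome {
        final Result result;
        final int failuresToReport;   // shown to the user after a successful login
        Outcome(Result result, int failuresToReport) {
            this.result = result;
            this.failuresToReport = failuresToReport;
        }
    }

    // passwordMatches is the result of the caller's own salted-hash comparison.
    static Outcome login(Account a, boolean passwordMatches, Instant now) {
        // An expired password locks the account before credentials are considered.
        if (Duration.between(a.passwordChangedAt, now).compareTo(MAX_PASSWORD_AGE) > 0) {
            a.locked = true;
        }
        if (a.locked) return new Outcome(Result.LOCKED, 0);
        if (!passwordMatches) {
            if (++a.failedAttempts >= MAX_FAILED_ATTEMPTS) a.locked = true;
            return new Outcome(Result.BAD_CREDENTIALS, 0);
        }
        int missed = a.failedAttempts;   // report the failures, then reset the counter
        a.failedAttempts = 0;
        return new Outcome(Result.SUCCESS, missed);
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        Account a = new Account(now.minus(Duration.ofDays(10)));
        login(a, false, now);                      // one failed attempt
        Outcome ok = login(a, true, now);          // next success reports it
        System.out.println(ok.result + " after " + ok.failuresToReport + " failed attempt(s)");
        Account stale = new Account(now.minus(Duration.ofDays(61)));
        System.out.println(login(stale, true, now).result);
    }
}
```

In a servlet application the counter increment and the lock decision need to be persisted in a single database transaction (or one atomic UPDATE), so that concurrent login attempts cannot undercount failures.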