Credit: Kevin Jacobs
(to be entered)
Login lock outs (LoginServelet.java, lines 82+):
Lock out after 100 attempts. Timer is reset after 5 minutes.
Recommend lockout after 5, (email to admin?).. require admin intervention to unlock.
Note: Default is defined in WebConstants.java can override the static 100 default:
public static String GP_ALLOWED_LOGIN_ATTEMPTS_PER_IP = "security.loginAttemptsAllowedPerIP";
But the code expects an int, parsing fails, and sets to 100 attempts by default.