[ https://issues.jboss.org/browse/GTNPORTAL-1805?page=com.atlassian.jira.pl... ] László van den Hoek commented on GTNPORTAL-1805: ------------------------------------------------ Does WCI cover the REST API ({{/portal/rest/sso/authcallback/auth/_username_/_password_}})? I've looked at http://anonsvn.jboss.org/repos/gatein/components/wci/trunk/wci/src/main/d... but it seems to me the answer is "no". So, in order to count calls to aforementioned REST URL where the return value is {{false}}, it seems to me {{UserDaoImpl.authenticate(username, password)}} would be the best place to register failed login attempts, much in the same way that {{User.setLastLoginTime(_now_)}} is called after succesful authentication. You could then expand {{org.exoplatform.services.organization.UserEventListener}} with the methods {{preAuthenticate(User user)}} and {{postAuthenticate(User user, boolean success}}, and trigger these at the start and end of {{authenticate}}. Then you could do any logic like sending mail or blocking the user in the listener, and developers would be able to easily extend this functionality. -- This message was sent by Atlassian JIRA (v6.2.3#6260)