Disable Mendix Login

Content Type: Module
Categories: Authentication

Overview

This module brings more safety to your app by blocking any login attempt on the Mendix server (so-called ‘local logins’). This lightweight solution effectively protects against brute-force password attacks. The module is a valuable addition in combination with another login method, like single sign-on (SSO) via SAML or OIDC. It does not influence the front-end (login widgets or pages); it blocks every attempt at the back-end (Java).

Advantages:
* No other security measures, like rotating passwords or deleting the MxAdmin user, are required.
* No monitoring or alerting is required to detect malicious login attempts.
* Minimized load when facing a brute-force password attack, as no database connections are used to validate passwords.

Documentation

How to use

Required model changes

1. Add ASu_DisableMendixLogin to your after-startup microflow. For multi-instance configurations, this is required for both leader and worker instances.

2. (May be required) If published APIs, like REST and OData services, are exposed and use basic authentication, those requests will also be blocked. This can be resolved by setting the constant ExceptedUsername (see step 4) when only one service account is used. If that is insufficient, you can configure the published APIs to use Custom authentication and point it to the PRS_Authenticate_BasicAuthenticationUser microflow. Both options decrease the effectiveness of this module, so it is preferable to implement a different authentication method for your published APIs.

Configuring constants (no changes required)

3. The constant MendixLoginDisabled is true by default on your environments. This disables the possibility to log in the default Mendix way and assumes another login method is implemented, like SSO. Setting this constant to false completely disables the functionality of this module, so this is advised only temporarily.

4. If you need a single exception, for example an administrator or test user, one excepted username can be set in the MendixLoginExceptedUsername constant. This enables, for example, front-end configuration for SSO. It decreases the effectiveness of this module, so it is preferable to keep it empty.
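As an added illustration (not code from this module, which runs in Java on the Mendix server), the following Python models the decision described in steps 2 to 4: with MendixLoginDisabled true, a local login or a basic-authenticated published-API request continues to password validation only when its username equals the single excepted username, and everything else is rejected before any database lookup. The function names, the header parser and the sample credentials are assumptions made for this illustration.

```python
import base64
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LoginGateConfig:
    # Models the module's two constants; the names follow the page.
    mendix_login_disabled: bool = True
    excepted_username: str = ""


def make_basic_header(username: str, password: str) -> str:
    """Build an RFC 7617 'Basic' Authorization header (constructed sample input)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def username_from_basic_header(header: Optional[str]) -> Optional[str]:
    """Extract the user-id from a 'Basic <base64>' header; None if absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user_id, sep, _password = decoded.partition(":")
    return user_id if sep and user_id else None


def local_login_permitted(username: Optional[str], cfg: LoginGateConfig) -> bool:
    """Decide, before any password check or database access, whether the
    attempt may continue to normal Mendix credential validation."""
    if not cfg.mendix_login_disabled:
        return True  # constant set to false: module inactive, default login applies
    if not username or not cfg.excepted_username:
        return False  # no exception configured: every local login is rejected
    return username == cfg.excepted_username  # only the one excepted account continues


def gate_basic_auth_request(header: Optional[str], cfg: LoginGateConfig) -> str:
    """Outcome for a published REST/OData call that uses basic authentication."""
    user = username_from_basic_header(header)
    return "continue" if local_login_permitted(user, cfg) else "rejected"
```

Note that the excepted account is the only one whose password is ever checked, which is why the page advises keeping the constant empty where possible.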

Dependency

* CommunityCommons

Releases

Version: 1.3.0
Framework Version: 9.24.4
Release Notes: Version 1.3, 18 September 2023
* Fixed that blocked users get unblocked after 5 minutes by setting the new BlockedSince attribute

Version: 1.2.0
Framework Version: 8.18.22
Release Notes:
* Fixed issue that only the excepted user could log in when the Boolean constant was configured to false
* Changed log level to critical in ASu when an exception occurs during startup
* Improved documentation

Version: 1.1.0
Framework Version: 8.18.22
Release Notes: 23 January 2023, updated Marketplace version by Johan Flikweert, Valcon
* Added PRS_Authenticate_BasicAuthenticationUser to provide basic authentication for published REST APIs

Version: 1.0.0
Framework Version: 8.18.22
Release Notes: 1.0.0 Initial release