
Realms and Logging Failed Attempts

 
Chris Fatso
Greenhorn
Posts: 2
Hey all,

I have been scouring the web and haven't found a satisfactory solution to this problem. I am using form-based security with a JDBC Realm in Tomcat, and I want to detect failed login attempts so that I can lock accounts after X failed logins.

The usual suggestion is to create a custom Realm to do this...but I am having trouble finding the JDBCRealm class...what jar file is this located in?

My application uses Struts, and a failed login attempt redirects to an Action class where I want to do the failed attempt logging. I was considering using some JavaScript to set a second variable in the request with the same value as the j_username when the user clicks submit. Would this work? Could I then access this variable in the Action class?

I find it very irritating that there is not a simple way to find out who tried to log in, as I feel like this is a behavior that a lot of applications would want.

Any help or suggestions would be much appreciated!

- Chris
 
Ulf Dittmer
Rancher
Posts: 42967
Welcome to JavaRanch.

You could certainly extend JDBCRealm, and have it keep track of login attempts. It's in the server/lib/catalina-optional.jar file, but you don't need to replace it - just give your implementation a different name, and change the realm definition in server.xml accordingly.
 
Chris Fatso
Greenhorn
Posts: 2
Thank you for the welcome...ok, I guess that is what I will do. I'm just going to implement the 2 authenticate() methods, and if super.authenticate() returns null, I'll increment my failed attempt counter in the DB. It's too bad there isn't a good standard way that these security 'Realms' have to be implemented in the servlet container...I guess if you want to avoid being married to your container you just have to do a custom security implementation all the way.

- Chris
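
The approach discussed above, sketched as an added example that is not part of the original posts and is not Tomcat's own code: a JDBCRealm subclass that overrides the form-login `authenticate(String, String)`, logs each failure and refuses a locked username before the password is checked. The class name `LockingJDBCRealm` and the three policy constants are assumptions; compile it against the Tomcat jar that contains `JDBCRealm` and point the realm's `className` in server.xml at it.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Logger;
import org.apache.catalina.realm.JDBCRealm;

/** Hypothetical JDBCRealm subclass: logs failed logins, locks after repeated failures. */
public class LockingJDBCRealm extends JDBCRealm {
    private static final Logger LOG = Logger.getLogger(LockingJDBCRealm.class.getName());
    private static final int MAX_FAILURES = 5;               // assumed value for "X"
    private static final long LOCK_MILLIS = 15 * 60 * 1000L; // assumed lock duration
    private static final int MAX_TRACKED = 10000;            // assumed cap on tracked names
    // username -> {failure count, time of last counted failure}. The eldest entry
    // is evicted so a flood of made-up usernames cannot exhaust memory.
    private final Map<String, long[]> failures =
        new LinkedHashMap<String, long[]>(256, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, long[]> eldest) {
                return size() > MAX_TRACKED;
            }
        };

    // synchronized, like JDBCRealm.authenticate, so the map needs no extra locking
    @Override
    public synchronized Principal authenticate(String username, String credentials) {
        if (username == null) { return null; }
        long now = System.currentTimeMillis();
        long[] state = failures.get(username);
        boolean atLimit = state != null && state[0] >= MAX_FAILURES;
        if (atLimit && now - state[1] < LOCK_MILLIS) {
            return null; // locked: reject without checking the password
        }
        Principal principal = super.authenticate(username, credentials);
        if (principal != null) {
            failures.remove(username); // success resets the counter
            return principal;
        }
        if (state == null || atLimit) { // first failure, or an earlier lock expired
            state = new long[2];
            failures.put(username, state);
        }
        state[0]++;
        state[1] = now;
        // strip control characters so the supplied name cannot forge log lines
        LOG.warning("Failed login " + state[0] + " for user '"
            + username.replaceAll("\\p{Cntrl}", "?") + "'");
        return null;
    }
}
```

The counters here live in memory and are lost on restart; keeping them in the database, as planned in the post above, would replace the map. Later Tomcat releases also include `org.apache.catalina.realm.LockOutRealm`, which wraps another realm to provide this kind of lockout.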
 
Ulf Dittmer
Rancher
Posts: 42967
Yes, it is kind of a pain that the web app/realm integration is not standardized. On the other hand, Sun probably wants you to use a full J2EE container, not just a servlet container, and then you'd have JAAS, JNDI etc. along with a nice GUI interface of the server.
 