I have been scouring the web and haven't found a satisfactory solution to this problem. I am using form-based security with a JDBC Realm in Tomcat, and I want to detect failed login attempts so that I can lock accounts after X failed logins.
The usual suggestion is to create a custom Realm to do this...but I am having trouble finding the JDBCRealm class...what jar file is this located in?
I find it very irritating that there is not a simple way to find out who tried to log in, as I feel like this is a behavior that a lot of applications would want.
Any help or suggestions would be much appreciated!
You could certainly extend JDBCRealm, and have it keep track of login attempts. It's in the server/lib/catalina-optional.jar file, but you don't need to replace it - just give your implementation a different name, and change the realm definition in server.xml accordingly.
Joined: May 31, 2006
Thank you for the welcome...ok, I guess that is what I will do. I'm just going to implement the 2 authenticate() methods, and if super.authenticate() returns null, I'll increment my failed attempt counter in the DB. It's too bad there isn't a good standard way that these security 'Realms' have to be implemented in the servlet container....I guess if you want to avoid being married to your container you just have to do a custom security implementation all the way.
Joined: Mar 22, 2005
Yes, it is kind of a pain that the web app/realm integration is not standardized. On the other hand, Sun probably wants you to use a full J2EE container, not just a servlet container, and then you'd have JAAS, JNDI etc. along with a nice GUI interface of the server.