Realms and Logging Failed Attempts

 
Greenhorn
Posts: 2
Hey all,

I have been scouring the web and haven't found a satisfactory solution to this problem. I am using form-based security with a JDBC Realm in Tomcat, and I want to detect failed login attempts so that I can lock accounts after X failed logins.

The usual suggestion is to create a custom Realm to do this...but I am having trouble finding the JDBCRealm class...what jar file is this located in?

My application uses Struts, and a failed login attempt redirects to an Action class where I want to do the failed attempt logging. I was considering using some JavaScript to set a second variable in the request with the same value as the j_username when the user clicks submit. Would this work? Could I then access this variable in the Action class?

I find it very irritating that there is not a simple way to find out who tried to log in, as I feel like this is a behavior that a lot of applications would want.

Any help or suggestions would be much appreciated!

- Chris
 
Rancher
Posts: 43081
77
Welcome to JavaRanch.

You could certainly extend JDBCRealm, and have it keep track of login attempts. It's in the server/lib/catalina-optional.jar file, but you don't need to replace it - just give your implementation a different name, and change the realm definition in server.xml accordingly.
 
Chris Fatso
Greenhorn
Posts: 2
Thank you for the welcome...ok, I guess that is what I will do. I'm just going to implement the 2 authenticate() methods, and if super.authenticate() returns null, I'll increment my failed attempt counter in the DB. It's too bad there isn't a good standard way that these security 'Realms' have to be implemented in the servlet container....I guess if you want to avoid being married to your container you just have to do a custom security implementation all the way.

- Chris
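
The plan in the post above (delegate to super.authenticate() and count a null result as a failure), sketched as an added example that is not code from any poster or from Tomcat. Assumptions: the hypothetical class LockoutAuthenticator takes a BiFunction standing in for JDBCRealm's authenticate(), keeps its counters in a bounded in-memory map instead of the database, expires locks after a fixed time, and receives the clock as a parameter so the run is repeatable.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.BiFunction;

public class LockoutAuthenticator {
    private static final int MAX_TRACKED = 1000; // cap memory used by made-up usernames
    private final BiFunction<String, String, Object> delegate; // stands in for super.authenticate()
    private final int maxFailures;   // the "X" from the question
    private final long lockMillis;   // assumption: a lock expires rather than being permanent
    private final Map<String, long[]> state = // username -> {failure count, locked-until time}
        new LinkedHashMap<String, long[]>(16, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<String, long[]> e) {
                return size() > MAX_TRACKED;
            }
        };

    public LockoutAuthenticator(BiFunction<String, String, Object> delegate,
                                int maxFailures, long lockMillis) {
        this.delegate = delegate;
        this.maxFailures = maxFailures;
        this.lockMillis = lockMillis;
    }

    /** Returns the principal, or null for bad credentials or a locked account. */
    public synchronized Object authenticate(String user, String credentials, long now) {
        if (user == null) return null;
        long[] s = state.get(user);
        if (s != null && now < s[1]) return null;   // locked: skip the credential check entirely
        Object principal = delegate.apply(user, credentials);
        if (principal != null) {                    // success clears the failure history
            state.remove(user);
            return principal;
        }
        if (s == null) state.put(user, s = new long[2]);
        if (++s[0] >= maxFailures) {                // threshold reached: start the lock window
            s[0] = 0;
            s[1] = now + lockMillis;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed credential store: one user, "chris" / "s3cret".
        LockoutAuthenticator auth = new LockoutAuthenticator(
            (u, p) -> "chris".equals(u) && "s3cret".equals(p) ? u : null, 3, 60_000);
        for (int i = 0; i < 3; i++) auth.authenticate("chris", "guess" + i, 1_000);
        System.out.println(auth.authenticate("chris", "s3cret", 2_000));  // inside the lock window
        System.out.println(auth.authenticate("chris", "s3cret", 61_000)); // lock window over
    }
}
```

Checking the lock before the credentials means a correct password is also refused during the lock window, and the time limit keeps someone who deliberately fails logins for another user from locking that account permanently. Later Tomcat releases ship org.apache.catalina.realm.LockOutRealm, which wraps another realm and applies the same policy through its failureCount and lockOutTime attributes.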
 
Ulf Dittmer
Rancher
Posts: 43081
77
Yes, it is kind of a pain that the web app/realm integration is not standardized. On the other hand, Sun probably wants you to use a full J2EE container, not just a servlet container, and then you'd have JAAS, JNDI etc. along with a nice GUI interface of the server.