Realms and Logging Failed Attempts

Chris Fatso
Greenhorn

Joined: May 31, 2006
Posts: 2
Hey all,

I have been scouring the web and haven't found a satisfactory solution to this problem. I am using form-based security with a JDBC Realm in Tomcat, and I want to detect failed login attempts so that I can lock accounts after X failed logins.

The usual suggestion is to create a custom Realm to do this...but I am having trouble finding the JDBCRealm class...what jar file is this located in?

My application uses Struts, and a failed login attempt redirects to an Action class where I want to do the failed attempt logging. I was considering using some JavaScript to set a second variable in the request with the same value as the j_username when the user clicks submit. Would this work? Could I then access this variable in the Action class?

I find it very irritating that there is not a simple way to find out who tried to log in, as I feel like this is a behavior that a lot of applications would want.

Any help or suggestions would be much appreciated!

- Chris
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42289
    
Welcome to JavaRanch.

You could certainly extend JDBCRealm, and have it keep track of login attempts. It's in the server/lib/catalina-optional.jar file, but you don't need to replace it - just give your implementation a different name, and change the realm definition in server.xml accordingly.


Chris Fatso
Greenhorn

Joined: May 31, 2006
Posts: 2
Thank you for the welcome...ok, I guess that is what I will do. I'm just going to implement the 2 authenticate() methods, and if super.authenticate() returns null, I'll increment my failed attempt counter in the DB. It's too bad there isn't a good standard way that these security 'Realms' have to be implemented in the servlet container....I guess if you want to avoid being married to your container you just have to do a custom security implementation all the way.

- Chris
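
A sketch of the realm described in the post above, added here as an example and not code from any poster in this thread. The class name `LockoutJDBCRealm`, the `failed_attempts` column on a `users` table, and the threshold of 5 are assumptions; it also assumes a Tomcat release that still ships `JDBCRealm` and Java 7 or later.

```java
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.logging.Logger;
import org.apache.catalina.realm.JDBCRealm;

// Hypothetical realm; assumed schema: users(user_name, ..., failed_attempts INT NOT NULL DEFAULT 0)
public class LockoutJDBCRealm extends JDBCRealm {
    private static final Logger LOG = Logger.getLogger(LockoutJDBCRealm.class.getName());
    private static final int MAX_FAILED = 5; // the "X" from the question; value assumed
    // The Connection overload is called from this one, so counting there too would double count.
    @Override
    public synchronized Principal authenticate(String username, String credentials) {
        if (username == null) return null;
        String safe = username.replaceAll("[\\r\\n]", "_"); // keep line breaks out of the log
        try {
            if (failedAttempts(username) >= MAX_FAILED) {
                LOG.warning("Login refused, account locked: " + safe);
                return null; // locked accounts are rejected without checking the password
            }
            Principal principal = super.authenticate(username, credentials);
            update(principal == null, username); // count a failure, or reset after a success
            if (principal == null) LOG.warning("Failed login for: " + safe);
            return principal;
        } catch (SQLException e) {
            LOG.severe("Lockout bookkeeping failed: " + e.getMessage());
            return null; // fail closed if the counter cannot be read or written
        }
    }
    private int failedAttempts(String username) throws SQLException {
        // open() hands back the realm's shared connection; close statements, not the connection
        try (PreparedStatement ps = open().prepareStatement("SELECT failed_attempts FROM users WHERE user_name = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0; // unknown user: no row, nothing to lock
            }
        }
    }
    private void update(boolean failed, String username) throws SQLException {
        Connection c = open();
        String sql = "UPDATE users SET failed_attempts = " + (failed ? "failed_attempts + 1" : "0") + " WHERE user_name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.executeUpdate();
        }
        if (!c.getAutoCommit()) c.commit(); // the realm's connection may have auto-commit switched off
    }
}
```

The class has to be loaded by the server's class loader rather than from the web application, and the Realm element's `className` in server.xml then points at it. A counter that never expires lets anyone lock a known account by submitting bad passwords, so a real deployment usually pairs it with a timed unlock or an administrator reset.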
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42289
    
Yes, it is kind of a pain that the web app/realm integration is not standardized. On the other hand, Sun probably wants you to use a full J2EE container, not just a servlet container, and then you'd have JAAS, JNDI etc. along with a nice GUI interface of the server.
 