How to use Tomcat LockOutRealm unlock method within code

 
Greenhorn
Posts: 10
Eclipse IDE Tomcat Server Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello,
I use LockOutRealm combined with a JDBCRealm to authenticate users. If a user enters 3 consecutive invalid passwords they are automatically locked out for 5 minutes. If the user's password is reset during this wait period they still can't log on because they are locked. A message is shown in the console: WARNING: An attempt was made to authenticate the locked user "so-and-so". There is an unlock method for LockOutRealm and I would like to give the administrator the ability to click a button to unlock the users. My question is how do I get the LockOutRealm object in my code to do the unlock? Is there a way to get at this using mbeans?
Thank you,
Peter
 
Saloon Keeper
Posts: 28120
198
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The whole point of Realms is that they are completely plug-replaceable and externally applied, so there's no provision for a webapp to invoke any of the methods in a Realm.

It's also, incidentally, not a good idea for your webapp to be able to manage its realm. For one thing, that introduces the possibility that an exploit could work its way upstream into the server. For another, in the case of a lockout realm, if the only unlocking mechanism is within the app and you're locked out of the app...

There's not a whole lot of documentation on games you can play with LockOutRealm, but the unlock method is a public member method, so some possibilities include:

1. Getting the Realm's mbean and invoking unlock on the mbean. You may be able to obtain that programmatically via Tomcat's management EJB, but that's just a guess. If not, the stock MBean locator can definitely be used, as this Realm registers itself with Tomcat's internal MBean manager.

2. Writing a management webapp similar to the pre-supplied admin and manager apps that come with Tomcat that roots around inside Tomcat to obtain the Realm bean so you can invoke unlock(). This is different than doing the same thing in your primary webapp because (hopefully!) access to this management app will be more tightly controlled and since it's running under a different classpath environment, possible leakage from unauthorized parts of the app is reduced (since there may not be any unauthorized parts of the management app).

3. Subclass the LockOutRealm and institute your own control interface in the subclass realm.
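An added example of option 1 (locating the LockOutRealm MBean and invoking unlock on it through JMX); this is not code from the thread or from Tomcat itself. It assumes Tomcat registers its realms in the platform MBeanServer under the default "Catalina" domain with type=Realm, and that the LockOutRealm MBean exposes an "unlock" operation taking a single String username; the class and method names below are the author's own. The caller is identified by checking for that operation rather than by class name, because Tomcat's model MBeans do not reliably report the managed class in MBeanInfo. Following the advice in the reply above, this belongs in a separately deployed, tightly access-controlled admin webapp, not in the application whose users are being unlocked.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.management.JMException;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanParameterInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

/** Hypothetical admin-side helper (not part of Tomcat) that unlocks a user via the LockOutRealm MBean. */
public final class LockOutRealmUnlocker {

    // Assumption: Tomcat's default JMX domain is "Catalina" and every Realm is registered
    // with type=Realm; the realmPath key varies with nesting, so a pattern query is used
    // instead of a hard-coded ObjectName.
    private static final String REALM_PATTERN = "Catalina:type=Realm,*";
    private static final String UNLOCK_OPERATION = "unlock";

    private final MBeanServer server;

    public LockOutRealmUnlocker(MBeanServer server) {
        this.server = server;
    }

    /** Uses the platform MBeanServer, which is where Tomcat registers its MBeans by default (assumption). */
    public LockOutRealmUnlocker() {
        this(ManagementFactory.getPlatformMBeanServer());
    }

    /** Returns the names of all registered Realm MBeans that expose unlock(String). */
    public List<ObjectName> findLockOutRealms() throws JMException {
        List<ObjectName> found = new ArrayList<>();
        Set<ObjectName> realms = server.queryNames(new ObjectName(REALM_PATTERN), null);
        for (ObjectName realm : realms) {
            if (hasUnlockOperation(realm)) {
                found.add(realm);
            }
        }
        return found;
    }

    /**
     * Invokes unlock(username) on every matching LockOutRealm and returns how many
     * realms were called, so the admin UI can report "no lockout realm found" when 0.
     */
    public int unlock(String username) throws JMException {
        if (username == null || username.trim().isEmpty()) {
            throw new IllegalArgumentException("username must not be empty");
        }
        int invoked = 0;
        for (ObjectName realm : findLockOutRealms()) {
            // The operation is addressed by name and parameter signature; the realm
            // decides what "unlocked" means, the caller never touches its internals.
            server.invoke(realm, UNLOCK_OPERATION,
                    new Object[] { username },
                    new String[] { String.class.getName() });
            invoked++;
        }
        return invoked;
    }

    /** True if the MBean declares an operation named "unlock" with exactly one String parameter. */
    private boolean hasUnlockOperation(ObjectName name) throws JMException {
        for (MBeanOperationInfo op : server.getMBeanInfo(name).getOperations()) {
            if (!UNLOCK_OPERATION.equals(op.getName())) {
                continue;
            }
            MBeanParameterInfo[] params = op.getSignature();
            if (params.length == 1 && String.class.getName().equals(params[0].getType())) {
                return true;
            }
        }
        return false;
    }

    /** Example use from an admin action handler: prints a result an operator can act on. */
    public static void main(String[] args) throws JMException {
        String user = args.length > 0 ? args[0] : "so-and-so"; // constructed sample username
        int count = new LockOutRealmUnlocker().unlock(user);
        if (count == 0) {
            System.out.println("No LockOutRealm MBean found; is this running inside Tomcat?");
        } else {
            System.out.println("unlock(" + user + ") invoked on " + count + " realm(s)");
        }
    }
}
```

Because the admin app only calls the MBeanServer, it needs no reference to Tomcat's internal classes on its classpath, and the unlock action can be gated by the admin app's own security constraints and audited like any other JMX operation.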
 
I'm not sure if I approve of this interruption. But this tiny ad checks out:
We need your help - Coderanch server fundraiser
https://coderanch.com/wiki/782867/Coderanch-server-fundraiser
reply
    Bookmark Topic Watch Topic
  • New Topic