I wrote a custom Realm for Tomcat 7. I wrap it in the lockout Realm provided by the default installation of Tomcat. The lockout feature works fine, but in my web.xml, I have
It does not look easy. My first idea was subclassing the LockOutRealm and adding something to the request context if the user is locked out, which you can print to the user interface later. Unfortunately it will not work, because the authenticate methods of the LockOutRealm only get the login and password, and there are no request or context objects there.

Another problem is that the authenticate methods return null when the authentication failed, and LockOutRealm also does that. There is no difference between the behavior of the LockOutRealm and the behavior of any other realm when the authentication failed.

A workaround: if you are using Servlet 3.0, use the login method of the HttpServletRequest interface, implement the lockout logic yourself, and check the count of failed login attempts before your servlets call HttpServletRequest.login(). If it's higher than the limit, don't call login() and print a custom error message.
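The workaround described in this answer, written out as an added example (not code from the answer or from Tomcat): a Servlet 3.0 login servlet that keeps its own failed-attempt counter, refuses to call `HttpServletRequest.login()` once the limit is reached, and returns a custom message. The servlet path, the threshold of 5 failures, the 5-minute lock window and the in-memory `ConcurrentHashMap` store are assumptions; the `javax.servlet` package is the one Tomcat 7 ships.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: lockout handled in the servlet, in front of request.login(),
// so the application can tell a locked account apart from a bad password.
// Thresholds and the per-JVM attempt store are assumptions for illustration.
@WebServlet("/doLogin")
public class LockoutLoginServlet extends HttpServlet {

    private static final int MAX_FAILURES = 5;               // assumption
    private static final long LOCK_MILLIS = 5 * 60 * 1000L;  // assumption: 5 minutes

    /** Per-user state: number of consecutive failures and time of the last one. */
    private static final class Attempts {
        int failures;
        long lastFailure;
    }

    private final ConcurrentMap<String, Attempts> attempts = new ConcurrentHashMap<>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        if (isLocked(user)) {
            // The custom message the Realm API cannot produce: login() is never called.
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            resp.setContentType("text/plain");
            resp.getWriter().println("Account temporarily locked. Try again later.");
            return;
        }

        try {
            req.login(user, pass);      // delegates to the Realm configured in Tomcat
            attempts.remove(user);      // success: clear the counter
            resp.sendRedirect(req.getContextPath() + "/");
        } catch (ServletException e) {
            // Servlet 3.0: login() throws ServletException when validation fails
            recordFailure(user);
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentType("text/plain");
            resp.getWriter().println("Invalid username or password.");
        }
    }

    /** True while the user has reached MAX_FAILURES and the lock window has not expired. */
    private boolean isLocked(String user) {
        Attempts a = attempts.get(user);
        if (a == null) return false;
        synchronized (a) {
            if (a.failures < MAX_FAILURES) return false;
            if (System.currentTimeMillis() - a.lastFailure > LOCK_MILLIS) {
                attempts.remove(user);  // lock expired, start counting afresh
                return false;
            }
            return true;
        }
    }

    private void recordFailure(String user) {
        Attempts a = attempts.computeIfAbsent(user, k -> new Attempts());
        synchronized (a) {
            a.failures++;
            a.lastFailure = System.currentTimeMillis();
        }
    }
}
```

Because the counter lives in the servlet rather than in a Realm, it is not shared with Tomcat's own LockOutRealm; if both are configured, keep the servlet's limit at or below the Realm's so the user sees the custom message before the Realm starts rejecting the account silently. The map is per JVM, so a clustered deployment would need a shared store for the counts.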