Detect a realm authentication failure reason in Tomcat

后端 未结 3 810
旧巷少年郎
旧巷少年郎 2021-01-06 18:47

I wrote a custom Realm for Tomcat 7. I wrap it in the lockout Realm provided by the default installation of Tomcat. The lockout feature works fine, but in my web.xml, I have

3条回答
  •  醉梦人生
    2021-01-06 19:22

    It does not look easy. My first idea was subclassing the LockOutRealm and adding something to the request context if the user is locked out which you can print to the user interface later. Unfortunately it will not work because the authenticate methods of the LockOutRealm just got the login and password and there is no request or context objects there.

    Another problem is that the authenticate methods returns null when the authentication failed and LockOutRealm also does that. There is no difference between the behavior of the LockOutRealm and the behavior of any other realm when the authentication failed.

    A workaround: If you are using Servlet 3.0 use the login method of the HttpServletRequest interface, implement the lockout logic yourself and check the count of failed login attempts before your servlets call the HttpServletRequest.login() . If it's higher than the limit don't call the login() and print a custom error message.

提交回复
热议问题