Detect a realm authentication failure reason in Tomcat

Question

I wrote a custom Realm for Tomcat 7. I wrap it in the lockout Realm provided by the default installation of Tomcat. The lockout feature works fine, but in my web.xml, I have

Answer 1

It does not look easy. My first idea was subclassing the LockOutRealm and adding something to the request context if the user is locked out which you can print to the user interface later. Unfortunately it will not work because the authenticate methods of the LockOutRealm just got the login and password and there is no request or context objects there.

Another problem is that the authenticate methods returns null when the authentication failed and LockOutRealm also does that. There is no difference between the behavior of the LockOutRealm and the behavior of any other realm when the authentication failed.

A workaround: If you are using Servlet 3.0 use the login method of the HttpServletRequest interface, implement the lockout logic yourself and check the count of failed login attempts before your servlets call the HttpServletRequest.login() . If it's higher than the limit don't call the login() and print a custom error message.