I wrote a custom Realm for Tomcat 7. I wrap it in the lockout Realm provided by the default installation of Tomcat. The lockout feature works fine, but in my web.xml, I have
This thread is very old and my answer most certainly is very delayed. However, I shall enumerate one way of doing the above. Custom messages after authentication providing the reason for failure are slightly complicated in Tomcat; however, it can be achieved. To achieve this, one of the methods is to construct a custom Tomcat Valve and add it at an appropriate level (Host, Engine or Context). Tomcat automatically inserts the FormAuthentication Valve into the processing pipeline if any web application uses FORM authentication. The idea is to intercept the 'j_security_check' action from the browser and do some pre-validations before it lands with the FormAuthentication Valve. In the 'invoke' method, both the user name ('j_username') and password ('j_password') are available as clear text from the request object. With these it can be checked whether an account is locked out or the user needs to change their password, etc., by directly going into the realm (Database or LDAP etc.). From this valve, a response.redirect() can be sent to the appropriate error pages.
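The valve described in the answer above, written out as an added example (this is not code from the answer's author or from Tomcat itself). It extends Tomcat's `ValveBase`, looks only at POSTs to `/j_security_check`, asks an account-status source whether the user is locked out or must change a password, and redirects to a page for that case; every other request, and every login that needs no special handling, is passed on untouched to the next valve (the authenticator). The `AccountStatusSource` interface, the in-memory `StaticSource` backing it, and the `example` package and page paths are assumptions made for the example; a real deployment would implement the interface against the same database or LDAP store the realm uses.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;

import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Pre-authentication valve for Tomcat 7 FORM login (example code).
 *
 * Declared in server.xml (Engine/Host) or context.xml (Context), e.g.
 *   <Valve className="example.AccountStatusValve"
 *          lockedPage="/login-locked.html"
 *          expiredPage="/password-expired.html"/>
 * It runs before FormAuthenticator because the authenticator is appended
 * to the Context pipeline after the configured valves.
 */
public class AccountStatusValve extends ValveBase {

    /** Assumed abstraction over the realm's backing store (DB, LDAP, ...). */
    public interface AccountStatusSource {
        boolean isLocked(String username);
        boolean mustChangePassword(String username);
    }

    /** Constructed in-memory source so the example is self-contained. */
    public static final class StaticSource implements AccountStatusSource {
        private final Set<String> locked;
        private final Set<String> expired;

        public StaticSource(Set<String> locked, Set<String> expired) {
            this.locked = locked;
            this.expired = expired;
        }

        @Override
        public boolean isLocked(String username) {
            return locked.contains(username);
        }

        @Override
        public boolean mustChangePassword(String username) {
            return expired.contains(username);
        }
    }

    // Bean properties, settable as attributes on the <Valve> element.
    private String lockedPage = "/login-locked.html";
    private String expiredPage = "/password-expired.html";

    // Sample data (constructed): "alice" is locked, "bob" must change password.
    private AccountStatusSource source = new StaticSource(
            new HashSet<String>(Arrays.asList("alice")),
            new HashSet<String>(Arrays.asList("bob")));

    public void setLockedPage(String lockedPage) { this.lockedPage = lockedPage; }
    public void setExpiredPage(String expiredPage) { this.expiredPage = expiredPage; }
    public void setAccountStatusSource(AccountStatusSource s) { this.source = s; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Decoded URI has ;jsessionid path parameters already stripped.
        String uri = request.getDecodedRequestURI();
        boolean loginAction = "POST".equals(request.getMethod())
                && uri != null && uri.endsWith(Constants.FORM_ACTION);

        if (loginAction) {
            // Only the user name is needed for the status check; j_password is
            // also present in the request but is deliberately never read here,
            // so it cannot end up in a log line or an error page.
            String username = request.getParameter(Constants.FORM_USERNAME);
            String target = null;
            if (username != null) {
                if (source.isLocked(username)) {
                    target = lockedPage;
                } else if (source.mustChangePassword(username)) {
                    target = expiredPage;
                }
            }
            if (target != null) {
                // Short-circuit: the authenticator never sees this login attempt.
                response.sendRedirect(
                        response.encodeRedirectURL(request.getContextPath() + target));
                return;
            }
        }

        // Normal path: hand the request to the next valve (FormAuthenticator).
        getNext().invoke(request, response);
    }
}
```

Two points worth deciding before deploying something like this. First, the check runs before any credential is verified, so the redirect tells an unauthenticated client that a given user name exists and is locked; if that disclosure matters, move the lock-state check behind a successful password check (for example by consulting the realm after authentication fails) rather than in front of it. Second, because the valve short-circuits `j_security_check`, the `LockOutRealm` never sees the attempt, so its failure counters are not updated for redirected logins; that is usually the intended behaviour, but it should be a conscious choice.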