I wrote a custom Realm for Tomcat 7. I wrap it in the lockout Realm provided by the default installation of Tomcat. The lockout feature works fine, but in my web.xml, I have
I have the same question. There might be something in the request scope. I have experience with another lockout realm that I used with Tomcat 5.5; it would put "com.ofc.tomcat.LOGIN_FAILURE_MESSAGE" into the request scope, and if that was not present then the user must have been locked out.
It does not look easy. My first idea was subclassing the LockOutRealm and adding something to the request context if the user is locked out, which you can print to the user interface later. Unfortunately it will not work, because the authenticate methods of the LockOutRealm just get the login and password, and there is no request or context object there.

Another problem is that the authenticate methods return null when the authentication failed, and LockOutRealm also does that. There is no difference between the behavior of the LockOutRealm and the behavior of any other realm when the authentication fails.
A workaround: if you are using Servlet 3.0, use the login method of the HttpServletRequest interface, implement the lockout logic yourself, and check the count of failed login attempts before your servlets call HttpServletRequest.login(). If it's higher than the limit, don't call login() and print a custom error message.
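Added example (not the answer author's code) of the Servlet 3.0 workaround described above: the login form posts to a servlet that keeps its own failed-attempt counter and only calls HttpServletRequest.login() when the user is not locked out. The /app-login path, the redirect targets, the MAX_FAILURES value and the in-memory counter are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet that the login form posts to instead of j_security_check.
// It applies its own lockout policy and only then asks the container to verify
// the credentials via HttpServletRequest.login() (Servlet 3.0).
@WebServlet("/app-login")
public class LockoutLoginServlet extends HttpServlet {
    // Assumed policy (not from the thread): five failures lock the user name.
    private static final int MAX_FAILURES = 5;
    // Failed-attempt counters, keyed by user name, for this JVM only;
    // a clustered deployment would need a shared store.
    private final ConcurrentMap<String, AtomicInteger> failures = new ConcurrentHashMap<String, AtomicInteger>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Check the counter BEFORE login(): a locked user never reaches the realm,
        // so the lockout page is shown whether or not the password was right.
        AtomicInteger count = failures.get(user);
        if (count != null && count.get() >= MAX_FAILURES) {
            resp.sendRedirect(req.getContextPath() + "/locked.jsp");
            return;
        }
        try {
            req.login(user, pass);   // container checks the configured realm
            failures.remove(user);   // success: reset the counter
            resp.sendRedirect(req.getContextPath() + "/home");
        } catch (ServletException e) {
            // login() throws on bad credentials: count it and show a distinct message
            failures.putIfAbsent(user, new AtomicInteger(0));
            failures.get(user).incrementAndGet();
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=badcredentials");
        }
    }
}
```

The counter here never expires, whereas Tomcat's LockOutRealm unlocks after its lockOutTime; a production version would want the same time-based reset so that a burst of wrong passwords does not lock an account indefinitely.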
This thread is very old and my answer most certainly is very delayed. However, I shall enumerate one way of doing the above. Custom messages after authentication providing the reason for failure are slightly complicated in Tomcat; however, it can be achieved. One of the methods is to construct a custom Tomcat Valve and add it at an appropriate level (Host, Engine or Context). Tomcat automatically inserts the FormAuthentication Valve into the processing pipeline if any web application uses FORM authentication. The idea is to intercept the 'j_security_check' action from the browser and do some pre-validations before it lands with the FormAuthentication Valve. In the 'invoke' method, both the user name ('j_username') and password ('j_password') are available as clear text from the request object. With these it can be checked whether an account is locked out, or the user needs to change password, etc., by going directly to the realm (Database or LDAP etc.). From this valve, a response.redirect() can be sent to the appropriate error pages.