tomcat-dev mailing list archives

From Joseph Toussaint <>
Subject restrict the number of login tries.
Date Fri, 17 Aug 2001 03:24:07 GMT
Hi, I'd like to write a module that would restrict the number of times 
someone can log in to Tomcat before their account is locked.  I realize that I 
could modify the realm that I am using - but I'd like to find a more robust 
solution that could be applied to all security realms without requiring 
users to recompile.

Here is what I understand of the security role process:

A controller class gets a list of all the Request Interceptors. 
If one of those interceptors is a security realm, it calls the authenticate 
method; if it returns true, it breaks out of the loop - otherwise it moves on to 
the next interceptor.

Here is my thought on how to do this (although I see a problem with it):

have 1 interceptor at the top of the request interceptor list (singleton pattern)

have as many security realms as you want

have 1 interceptor at the end of the list (singleton pattern)

by the time I get to the last interceptor I know that all previous realms 
have failed - so I know this user has failed, I bump the counter.

the first interceptor asks the last interceptor if this user still has 
tries left - if they do, return false, so the security realms will try to 
authenticate the user.

the problem comes when the user is out of 'tries': the first interceptor 
returns false, but the controller still asks the other interceptors to 
authenticate the user.

I have 2 ideas on how to solve this problem.
  1. maybe if I set the username to null - it will flag something in the 
     controller class and, so it won't ask the other realms to authenticate this
  2. throw an exception.

I'm not a big fan of runtime exceptions, so I'd prefer something along the 
lines of #1.

I appreciate any suggestions, or even a new design!
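The design sketched above (a gate interceptor at the head of the list, any number of realms, a failure counter at the tail) as a stand-alone model, added here as an illustration and not code from the post or from Tomcat. Request, Outcome, RequestInterceptor and the controller loop are hypothetical stand-ins for whatever the real container provides, the InMemoryRealm and its "alice" credential are constructed sample data, and the explicit DENIED result is one concrete way to give the controller the "stop asking the other realms" signal that idea #1 tries to get from a null username.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.LongSupplier;

/** Stand-alone model of the gate/realms/counter chain. None of these types are Tomcat's own. */
public class LockoutChainDemo {

    /** The login attempt a request carries (hypothetical stand-in for the container's request). */
    static final class Request {
        final String user, password;
        Request(String user, String password) { this.user = user; this.password = password; }
    }

    /** What one interceptor tells the controller: keep going, done, or stop and refuse. */
    enum Outcome { CONTINUE, AUTHENTICATED, DENIED }

    interface RequestInterceptor {
        Outcome authenticate(Request req);
    }

    /**
     * Last interceptor in the chain. It only runs when every realm before it returned
     * CONTINUE, so reaching it means the login failed. It is a shared singleton, so
     * the per-user state is guarded; failures are counted inside a time window so a
     * lock lifts on its own instead of being permanent.
     */
    static final class FailureCounter implements RequestInterceptor {
        private final int maxTries;
        private final long windowMillis;
        private final LongSupplier clock;
        /** user -> {failures in the current window, window start in millis}. */
        private final Map<String, long[]> failures = new HashMap<>();

        FailureCounter(int maxTries, long windowMillis, LongSupplier clock) {
            this.maxTries = maxTries; this.windowMillis = windowMillis; this.clock = clock;
        }

        /** True while the user has not exhausted maxTries inside the current window. */
        synchronized boolean hasTriesLeft(String user) {
            long[] f = failures.get(user);
            if (f == null) return true;
            if (clock.getAsLong() - f[1] >= windowMillis) { failures.remove(user); return true; }
            return f[0] < maxTries;
        }

        /** Forget a user's failures, e.g. after a successful login. */
        synchronized void reset(String user) { failures.remove(user); }

        @Override public synchronized Outcome authenticate(Request req) {
            long now = clock.getAsLong();
            long[] f = failures.get(req.user);
            if (f == null || now - f[1] >= windowMillis) {   // start a fresh window
                f = new long[] {0, now};
                failures.put(req.user, f);
            }
            f[0]++;
            return Outcome.CONTINUE;   // end of the chain: the controller reports failure
        }
    }

    /** First interceptor: refuse before any realm runs once the user is out of tries. */
    static final class LockoutGate implements RequestInterceptor {
        private final FailureCounter counter;
        LockoutGate(FailureCounter counter) { this.counter = counter; }

        @Override public Outcome authenticate(Request req) {
            return counter.hasTriesLeft(req.user) ? Outcome.CONTINUE : Outcome.DENIED;
        }
    }

    /** Toy realm over constructed credentials, standing in for any real realm. */
    static final class InMemoryRealm implements RequestInterceptor {
        private final Map<String, String> passwords;
        InMemoryRealm(Map<String, String> passwords) { this.passwords = passwords; }

        @Override public Outcome authenticate(Request req) {
            String expected = passwords.get(req.user);
            return expected != null && expected.equals(req.password)
                    ? Outcome.AUTHENTICATED : Outcome.CONTINUE;
        }
    }

    /** Controller loop. DENIED stops the loop so no realm is consulted for a locked user. */
    static boolean authenticate(List<RequestInterceptor> chain, FailureCounter counter, Request req) {
        for (RequestInterceptor ri : chain) {
            switch (ri.authenticate(req)) {
                case AUTHENTICATED: counter.reset(req.user); return true;
                case DENIED: return false;
                default: break;   // CONTINUE: try the next interceptor
            }
        }
        return false;
    }

    public static void main(String[] args) {
        long[] now = {0L};                                          // controllable clock for the demo
        FailureCounter counter = new FailureCounter(3, 15 * 60 * 1000L, () -> now[0]);
        Map<String, String> creds = new HashMap<>();
        creds.put("alice", "correct-horse");                        // constructed sample credential
        List<RequestInterceptor> chain = Arrays.<RequestInterceptor>asList(
                new LockoutGate(counter), new InMemoryRealm(creds), counter);

        for (int i = 1; i <= 3; i++)
            System.out.println("wrong password #" + i + ": "
                    + authenticate(chain, counter, new Request("alice", "guess" + i)));
        // Locked now: the gate returns DENIED and the realm is not consulted even with the right password.
        System.out.println("right password while locked: "
                + authenticate(chain, counter, new Request("alice", "correct-horse")));
        now[0] += 16 * 60 * 1000L;                                  // window elapses, lock lifts
        System.out.println("right password after window: "
                + authenticate(chain, counter, new Request("alice", "correct-horse")));
    }
}
```

Two design choices matter here. The counter methods are synchronized because the gate and the counter are singletons shared by every concurrent request, and the check in hasTriesLeft followed by the increment in authenticate is a check-then-act sequence. The lock is bounded by a time window rather than being permanent: a counter keyed only by username lets anyone who knows a login name lock that account by repeatedly failing, so a lock that expires on its own, and a reset on successful login, limits the damage while still throttling guessing.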
