tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Filip Hanik - Dev Lists <>
Subject Re: Security on JDBC Realm new features
Date Mon, 01 May 2006 19:44:57 GMT
sounds like a useful feature, are you considering

1. That the feature must be 100% backwards compatible, ie work if they 
dont specify the column or the column doesn't exist
2. That some database admins might only give you a read only connection, 
so the column exists but is not writable
3. How to alert a sysadmin if a user has been locked out


Benjamin Cuthbert wrote:
> All
> I am trying to improve the security for authenticating users on my 
> JDBC realm. What we require is the ability to lock out accounts on the 
> database
> when a user enters more than 3 incorrect passwords. Now i have made 
> some changes to the and i would like some comments
> on the features that i have added. Could someone from the tomcat team 
> have a look at the attached code and configuration file and let me
> know if this is the correct way to go about doing this.
> Changes -
> authenticate : Adding in a counter to check how many times a user gets 
> the incorrect password from the database.
> LockAccount : new method to handle the update to the database so that 
> accounts can be locked.
> Testing -
> I have tested this on OSX as that is the system i use, but i am going 
> to do some further testing on linux as that is what the server
> application is installed on.
> server.xml config would be
>       <Realm  className="org.apache.catalina.realm.JDBCRealm"
>              driverName=""
>           connectionURL="jdbc:mysql://localhost/tomcat"
>          connectionName="tomcat" connectionPassword="tomcat"
>               userTable="users" userNameCol="user_name" 
> userCredCol="user_pass"
>           userRoleTable="user_roles" roleNameCol="role_name"
>           accstatusCol="accountstatus" acclockouttry="3"/>
> ------------------------------------------------------------------------
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message