tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: Security on JDBC Realm new features
Date Mon, 01 May 2006 19:44:57 GMT
Sounds like a useful feature. Are you considering:

1. That the feature must be 100% backwards compatible, i.e. work if they 
don't specify the column or the column doesn't exist
2. That some database admins might only give you a read-only connection, 
so the column exists but is not writable
3. How to alert a sysadmin if a user has been locked out

Filip


Benjamin Cuthbert wrote:
> All
>
> I am trying to improve the security for authenticating users on my 
> JDBC realm. What we require is the ability to lock out accounts on the 
> database
> when a user enters more than 3 incorrect passwords. Now I have made 
> some changes to the JDBCRealm.java and I would like some comments
> on the features that I have added. Could someone from the Tomcat team 
> have a look at the attached code and configuration file and let me
> know if this is the correct way to go about doing this.
>
> Changes -
>
> authenticate : Adding in a counter to check how many times a user gets 
> the incorrect password from the database.
> LockAccount : new method to handle the update to the database so that 
> accounts can be locked.
>
> Testing -
>
> I have tested this on OSX as that is the system I use, but I am going 
> to do some further testing on Linux as that is what the server
> application is installed on.
>
> server.xml config would be
>
>
>       <Realm className="org.apache.catalina.realm.JDBCRealm"
>              driverName="org.gjt.mm.mysql.Driver"
>              connectionURL="jdbc:mysql://localhost/tomcat"
>              connectionName="tomcat" connectionPassword="tomcat"
>              userTable="users" userNameCol="user_name"
>              userCredCol="user_pass"
>              userRoleTable="user_roles" roleNameCol="role_name"
>              accstatusCol="accountstatus" acclockouttry="3"/>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
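The three points Filip raises (an absent status column, a read-only connection, and alerting on lockout) are easiest to see in running code. The block below is an added example written for this archive page; it is not Tomcat's JDBCRealm nor Benjamin's attached patch, and it is in Python against sqlite3 rather than a Java Realm so it runs stand-alone. The table and column names (users, user_name, user_pass, accountstatus) and the limit of 3 tries follow the server.xml above; the class name LockoutRealm, the on_lockout callback, the in-memory fallback lock, and the sample user in make_demo_db are assumptions made for the illustration.

```python
import hmac
import re
import sqlite3
import threading
from collections import defaultdict

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _ident(name):
    """Table/column names come from server.xml, not from the user, but they
    are interpolated into SQL, so reject anything but a plain identifier."""
    if not _IDENT.match(name):
        raise ValueError("bad SQL identifier: %r" % name)
    return name


class LockoutRealm:
    """Hypothetical realm: lock a user after N failed passwords (assumed design)."""

    def __init__(self, conn, user_table="users", user_name_col="user_name",
                 user_cred_col="user_pass", acc_status_col="accountstatus",
                 lockout_tries=3, on_lockout=None):
        self.conn = conn
        self.user_table = _ident(user_table)
        self.user_name_col = _ident(user_name_col)
        self.user_cred_col = _ident(user_cred_col)
        self.acc_status_col = _ident(acc_status_col) if acc_status_col else None
        self.lockout_tries = lockout_tries
        self.on_lockout = on_lockout
        self._lock = threading.Lock()
        self._failures = defaultdict(int)  # per-user failed-attempt counter
        self._locked = set()               # enforced even if the DB cannot be written
        # Point 1: probe the schema once; with no status column the realm still
        # authenticates exactly like before, plus an in-memory lock.
        self.status_col_present = (self.acc_status_col is not None and
                                   self._column_exists(self.user_table, self.acc_status_col))
        # Point 2: assume the connection can write until an UPDATE proves otherwise.
        self.db_writable = self.status_col_present

    def _column_exists(self, table, column):
        # sqlite-specific probe; JDBC would use DatabaseMetaData.getColumns().
        rows = self.conn.execute("PRAGMA table_info(%s)" % table).fetchall()
        return any(r[1] == column for r in rows)

    def _fetch(self, username):
        cols = self.user_cred_col
        if self.status_col_present:
            cols += ", " + self.acc_status_col
        sql = "SELECT %s FROM %s WHERE %s = ?" % (cols, self.user_table, self.user_name_col)
        return self.conn.execute(sql, (username,)).fetchone()

    def authenticate(self, username, password):
        row = self._fetch(username)
        if row is None:
            return False  # unknown user: nothing to count or lock
        with self._lock:
            if username in self._locked or (self.status_col_present and row[1] == "locked"):
                return False  # a locked account fails even with the right password
            if hmac.compare_digest(str(row[0]).encode(), password.encode()):
                self._failures.pop(username, None)  # success resets the counter
                return True
            self._failures[username] += 1
            if self._failures[username] >= self.lockout_tries:
                self._lock_account(username)
            return False

    def _lock_account(self, username):
        persisted = False
        if self.db_writable:
            try:
                self.conn.execute("UPDATE %s SET %s = 'locked' WHERE %s = ?"
                                  % (self.user_table, self.acc_status_col, self.user_name_col),
                                  (username,))
                self.conn.commit()
                persisted = True
            except sqlite3.OperationalError:
                self.db_writable = False  # read-only grant: stop retrying writes
        self._locked.add(username)        # the lock holds in this process regardless
        if self.on_lockout:
            self.on_lockout(username, persisted)  # Point 3: tell the sysadmin


def make_demo_db(with_status_col=True, read_only=False):
    """Constructed sample data (not from the thread): user 'alice' / 'secret'."""
    conn = sqlite3.connect(":memory:")
    if with_status_col:
        conn.execute("CREATE TABLE users (user_name TEXT PRIMARY KEY, user_pass TEXT, accountstatus TEXT)")
        conn.execute("INSERT INTO users VALUES ('alice', 'secret', 'active')")
    else:
        conn.execute("CREATE TABLE users (user_name TEXT PRIMARY KEY, user_pass TEXT)")
        conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    conn.commit()
    if read_only:
        conn.execute("PRAGMA query_only = ON")  # sqlite stand-in for a read-only DBA grant
    return conn


def demo(with_status_col=True, read_only=False):
    """Three wrong passwords, then the right one; returns (results, alerts, db_status)."""
    alerts = []
    conn = make_demo_db(with_status_col, read_only)
    realm = LockoutRealm(conn, lockout_tries=3,
                         on_lockout=lambda u, persisted: alerts.append((u, persisted)))
    results = [realm.authenticate("alice", "wrong") for _ in range(3)]
    results.append(realm.authenticate("alice", "secret"))
    status = None
    if realm.status_col_present:
        status = conn.execute("SELECT accountstatus FROM users WHERE user_name = 'alice'").fetchone()[0]
    return results, alerts, status
```

Two caveats worth keeping in mind with any lockout of this shape: the counter and the fallback lock live in process memory, so they reset on restart and are not shared across a cluster unless the status column is actually writable; and locking by username means anyone who knows a valid login can lock that user out with three bad guesses, so the alert in point 3 doubles as the signal that this is being abused.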
