tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: Security on JDBC Realm new features
Date Tue, 02 May 2006 20:09:35 GMT
With all that said, I think the best option for you is to
- create an extension of the current realm instead of patching the 
existing one
- submit the code
- and if everyone thinks it's useful, the code looks good, we can add it 
to Tomcat and let the user decide if they wanna use it

But I don't think modifying the existing realm is gonna fly; many people 
are using it, and if it isn't 100% compatible with what it is today, 
then no patch will be accepted.

Filip



Benjamin Cuthbert wrote:
> Those are very valid questions.
>
> 1. Yes, so I guess there could be a default value in the code so that 
> it could always be set to 3 unless set by the admin.
> 2. I am not sure how to handle this, as if you only had read access 
> to the database then there would be no way to set this up, unless you 
> created some sort of hashmap in the code to store which users 
> were locked and which were not.
> 3. I was just thinking of using the standard log file output. Did you 
> have something else in mind?
>
> Regards
>
>
> On 1 May 2006, at 20:44, Filip Hanik - Dev Lists wrote:
>
>> Sounds like a useful feature. Are you considering
>>
>> 1. That the feature must be 100% backwards compatible, i.e. work if 
>> they don't specify the column or the column doesn't exist
>> 2. That some database admins might only give you a read-only 
>> connection, so the column exists but is not writable
>> 3. How to alert a sysadmin if a user has been locked out
>>
>> Filip
>>
>>
>> Benjamin Cuthbert wrote:
>>> All
>>>
>>> I am trying to improve the security for authenticating users on my 
>>> JDBC realm. What we require is the ability to lock out accounts on 
>>> the database when a user enters more than 3 incorrect passwords. Now I 
>>> have made some changes to JDBCRealm.java and I would like some comments
>>> on the features that I have added. Could someone from the Tomcat 
>>> team have a look at the attached code and configuration file and let me
>>> know if this is the correct way to go about doing this.
>>>
>>> Changes -
>>>
>>> authenticate: adding a counter to check how many times a user 
>>> gets the incorrect password from the database.
>>> LockAccount: new method to handle the update to the database so 
>>> that accounts can be locked.
>>>
>>> Testing -
>>>
>>> I have tested this on OSX as that is the system I use, but I am 
>>> going to do some further testing on Linux as that is what the server
>>> application is installed on.
>>>
>>> server.xml config would be
>>>
>>>   <Realm className="org.apache.catalina.realm.JDBCRealm"
>>>          driverName="org.gjt.mm.mysql.Driver"
>>>          connectionURL="jdbc:mysql://localhost/tomcat"
>>>          connectionName="tomcat" connectionPassword="tomcat"
>>>          userTable="users" userNameCol="user_name" userCredCol="user_pass"
>>>          userRoleTable="user_roles" roleNameCol="role_name"
>>>          accstatusCol="accountstatus" acclockouttry="3"/>
>>>
>>>
>>
>>
>>
>
>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
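The lockout design debated in this thread (a failure counter in authenticate, a lock method, a default threshold of 3, a fallback when the connection is read-only or the status column is absent, and a log alert when an account is locked), as an added Python sketch that is neither Tomcat code nor Benjamin's patch: LockoutRealm, make_db and the sqlite users table are hypothetical stand-ins for a JDBCRealm subclass and its MySQL table.

```python
import hmac
import logging
import sqlite3

log = logging.getLogger("JDBCRealm.lockout")

def make_db(with_status_col=True):
    # Constructed sample table mirroring the thread's server.xml column names.
    conn = sqlite3.connect(":memory:")
    extra = ", accountstatus TEXT DEFAULT 'active'" if with_status_col else ""
    conn.execute(f"CREATE TABLE users (user_name TEXT PRIMARY KEY, user_pass TEXT{extra})")
    conn.execute("INSERT INTO users (user_name, user_pass) VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

class LockoutRealm:
    # Hypothetical stand-in for a JDBCRealm subclass; column names come from admin config, not users.
    def __init__(self, conn, acc_status_col=None, acc_lockout_try=3):
        self.conn, self.col, self.limit = conn, acc_status_col, acc_lockout_try
        self.failures, self.memory_locked = {}, set()
        cols = [r[1] for r in conn.execute("PRAGMA table_info(users)")]
        self.column_ok = acc_status_col in cols   # point 1: missing column => never write to DB
    def is_locked(self, user):
        if user in self.memory_locked:
            return True
        if not self.column_ok:
            return False
        row = self.conn.execute(f"SELECT {self.col} FROM users WHERE user_name=?", (user,)).fetchone()
        return row is not None and row[0] == "locked"
    def lock_account(self, user):
        try:
            if not self.column_ok:
                raise sqlite3.OperationalError("status column not present")
            self.conn.execute(f"UPDATE users SET {self.col}='locked' WHERE user_name=?", (user,))
            self.conn.commit()
        except sqlite3.OperationalError as e:     # point 2: read-only connection or no column
            log.warning("cannot persist lock for %r (%s); locking in memory", user, e)
            self.memory_locked.add(user)
        log.warning("account %r locked after %d failed logins", user, self.limit)  # point 3
    def authenticate(self, user, password):
        enabled = self.col is not None            # no accstatusCol configured => legacy behaviour
        if enabled and self.is_locked(user):
            return False
        row = self.conn.execute("SELECT user_pass FROM users WHERE user_name=?", (user,)).fetchone()
        if row is not None and hmac.compare_digest(row[0].encode(), password.encode()):
            self.failures.pop(user, None)
            return True
        if enabled:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.limit:
                self.lock_account(user)
        return False
```

The in-memory set is the hashmap Benjamin describes; it does not survive a restart, which is the trade-off of a read-only connection.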

