tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benjamin Cuthbert <ben_cuthb...@yahoo.co.uk>
Subject Re: Security on JDBC Realm new features
Date Tue, 02 May 2006 17:16:14 GMT
Those are very valid questions.

1. Yes so i guess there could be a default value in the code so that  
it could always be set to 3 unless
     set by the admin.
2.  I am not sure how to handle this, as if you only had read access  
to the database then there would be no
    way to set this up, unless you created some sort of hashmap in  
the code to store which users
    were locked and which were not.
3. I was just thinking of using the standard log file output. did you  
have something else in mind ?

Regards


On 1 May 2006, at 20:44, Filip Hanik - Dev Lists wrote:

> sounds like a useful feature, are you considering
>
> 1. That the feature must be 100% backwards compatible, ie work if  
> they dont specify the column or the column doesn't exist
> 2. That some database admins might only give you a read only  
> connection, so the column exists but is not writable
> 3. How to alert a sysadmin if a user has been locked out
>
> Filip
>
>
> Benjamin Cuthbert wrote:
>> All
>>
>> I am trying to improve the security for authenticating users on my  
>> JDBC realm. What we require is the ability to lock out accounts on  
>> the database
>> when a user enters more than 3 incorrect passwords. Now i have  
>> made some changes to the JDBCRealm.java and i would like some  
>> comments
>> on the features that i have added. Could someone from the tomcat  
>> team have a look at the attached code and configuration file and  
>> let me
>> know if this is the correct way to go about doing this.
>>
>> Changes -
>>
>> authenticate : Adding in a counter to check how many times a user  
>> gets the incorrect password from the database.
>> LockAccount : new method to handle the update to the database so  
>> that accounts can be locked.
>>
>> Testing -
>>
>> I have tested this on OSX as that is the system i use, but i am  
>> going to do some further testing on linux as that is what the server
>> application is installed on.
>>
>> server.xml config would be
>>
>>
>>       <Realm  className="org.apache.catalina.realm.JDBCRealm"
>>              driverName="org.gjt.mm.mysql.Driver"
>>           connectionURL="jdbc:mysql://localhost/tomcat"
>>          connectionName="tomcat" connectionPassword="tomcat"
>>               userTable="users" userNameCol="user_name"  
>> userCredCol="user_pass"
>>           userRoleTable="user_roles" roleNameCol="role_name"
>>           accstatusCol="accountstatus" acclockouttry="3"/>
>>
>>
>> --------------------------------------------------------------------- 
>> ---
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message