tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Password retries
Date Fri, 28 Jul 2006 16:37:59 GMT
Simon,

> Has anyone done anything with tomcat authorisation to configure in a
> maximum number of retries before an address/account is blocked.

I'm pretty sure that Tomcat's authentication system does not support
this feature. You could probably write your own authenticator to track
that kind of thing.

I am going to be adding the same type of feature to an authenticator I
wrote to be used with securityfilter
(http://securityfilter.sourceforge.net/). My plan is to use something
like a synchronized time-sensitive cache of login failures (probably
something from the commons-collections package such as LRUMap) to store
login failures (keyed on username). I'll probably do the same thing with
remote IP address as well (3 failures from the same IP will block future
logins). The only trick is expiring entries ;)

Let me know if you have any better ideas. I'd love to hear about them.

-chris
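
An added example of the cache described in the message above, not code from the message's author or from securityfilter: failures are timestamped per key, the map is size-bounded with LRU eviction, and entries expire lazily when a key is checked. The class name, the 15-minute window and the 10,000-key bound are assumptions, and a plain `LinkedHashMap` stands in for the commons-collections `LRUMap`.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.Map;
// Added example, not securityfilter code. Class name, window and cache size are assumptions.
public class LoginFailureTracker {
    private final int maxFailures;    // 3 in the message above
    private final long windowMillis;  // assumed: how long one failure keeps counting
    private final Map<String, Deque<Long>> failures;

    public LoginFailureTracker(int maxFailures, long windowMillis, final int maxKeys) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
        // Access-ordered map that drops its least recently used key, so memory stays bounded.
        this.failures = new LinkedHashMap<String, Deque<Long>>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Deque<Long>> eldest) {
                return size() > maxKeys;
            }
        };
    }

    // key is a username or a remote IP; use one tracker instance per key type.
    public synchronized void recordFailure(String key, long now) {
        Deque<Long> times = failures.get(key);
        if (times == null) {
            times = new ArrayDeque<Long>();
            failures.put(key, times);
        }
        times.addLast(now);
        if (times.size() > maxFailures) times.removeFirst(); // keep only what the check needs
    }

    // Expiry happens lazily here: stale timestamps are dropped when the key is next checked.
    public synchronized boolean isBlocked(String key, long now) {
        Deque<Long> times = failures.get(key);
        if (times == null) return false;
        while (!times.isEmpty() && now - times.peekFirst() >= windowMillis) times.removeFirst();
        if (times.isEmpty()) failures.remove(key);
        return times.size() >= maxFailures;
    }

    public static void main(String[] args) {
        LoginFailureTracker byUser = new LoginFailureTracker(3, 15 * 60 * 1000L, 10000);
        for (long t = 0; t < 3; t++) byUser.recordFailure("alice", t * 1000); // constructed timeline
        System.out.println(byUser.isBlocked("alice", 5000));            // checked inside the window
        System.out.println(byUser.isBlocked("alice", 16 * 60 * 1000L)); // checked after the window
    }
}
```

Because eviction is LRU, the key bound should sit well above the number of distinct usernames or addresses expected within one window; otherwise a blocked key can be evicted before its window ends.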


