tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johnny Kewl" <j...@kewlstuff.co.za>
Subject Re: anyone ever altered the Tomcat API to create a Login Attempt limit in the security constraint?
Date Wed, 25 Apr 2007 07:02:43 GMT

Yes that is true, as soon as you use the security XML stuff, tomcat starts 
doing its thing, but if you dont use it, tomcat ignores security, and you 
can write your own code in a servlet.
Thing is its then portable to any servlet container...
If you using BASIC its actually very easy to do... just search for 
programmatic security in servlets... you sure to find the code.


----- Original Message ----- 
From: "Propes, Barry L " <barry.l.propes@citi.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, April 24, 2007 7:52 PM
Subject: RE: anyone ever altered the Tomcat API to create a Login Attempt 
limit in the security constraint?


I'd be glad to write it inside my own, but I figured using the security 
constraint, you were bound to their classes.



-----Original Message-----
From: Johnny Kewl [mailto:john@kewlstuff.co.za]
Sent: Tuesday, April 24, 2007 12:45 PM
To: Tomcat Users List
Subject: Re: anyone ever altered the Tomcat API to create a Login
Attempt limit in the security constraint?



I think you would be better off writing a little authentication code inside
your servlets...
However if you want to modify tomcat, you'll find that stuff in

package org.apache.catalina.authenticator;
public class BasicAuthenticator

all I wanted to to say is that some browsers like IE do their own thing.
Like for example... send this standard challenge to IE repeatedly

                    response.setStatus(response.SC_UNAUTHORIZED); // I.e.,
401
                    response.setHeader("WWW-Authenticate", "BASIC
realm=\"User Check\"");

and you'll see after a few tries.... it gives up anyway ;)
not much a Tomcat can do to change that....




----- Original Message ----- 
From: "Propes, Barry L " <barry.l.propes@citi.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, April 24, 2007 7:11 PM
Subject: anyone ever altered the Tomcat API to create a Login Attempt limit
in the security constraint?


Any version? 4x. 5x?

I'm actually in the 4.1.3. series, but was wondering which class files I'd
need to revise and customize.

I assume most if not all are in the /catalina/src/share/org/apache/catalina/
repository, and figured something like Authenticator.java or Session.java
might need a method added to it, but wasn't sure what else would need to be
done.

In other words, whereas in its initial state the security constraint will
repeatedly forward/redirect to the Login error page set, I'd like to be able
to create a customized method to send to another (secondary) error page,
telling the user they've been locked out after 6 consecutive, unsuccessful
attempts.

Is this at all possible to do in 4.1 or any other version?

Any feedback is welcomed.

Thanks!

Barry


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message