tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Tomcat Custom Authenticator
Date Fri, 14 Aug 2009 23:07:41 GMT
Daniel Stephens wrote:
> Need some help or advice..
> 
> For Security reasons,
>   We need to do logging for IP, username, etc. (AUDIT).
>   We need to log success and failed attempts.
>   We don't want to modify the internal classes (unless it's impossible).
> 
>   We are using the FORM auth-method, we POST to j_security_check. We have
> our own custom realm that extends RealmBase. All that works fine. Until we
> try and report back to the browser why the authentication failed, too many
> attempts, account expired etc..

The Tomcat API deliberately won't let you do that. It is bad security to
explain why the authentication failed as it nearly always makes brute
force attacks easier.

> So my question is. Since the authentication occurs in the
> Realm/FormAuthenticator, Has anyone been able to successfully extend this
> class ( FormAuthenticator ), and implement this kind of concept? I have
> found some examples online, but I have not been able to make them work.

You would have to do some fairly serious surgery to the Tomcat internals
to get this to work.

Mark
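
An added example, not from this thread or from Tomcat itself, of the approach Mark's answer leaves open: keep the failure reason in a server-side audit log and hand the client only the generic failure. It assumes the Tomcat 6 RealmBase API of the time (abstract getName/getPassword/getPrincipal and the Tomcat 6 GenericPrincipal constructor) and a constructed in-memory user store standing in for the poster's real backend; the class and reason strings are hypothetical.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/** Realm that audits every login outcome server-side and never tells the client why it failed. */
public class AuditingRealm extends RealmBase {

    private static final Log AUDIT = LogFactory.getLog("audit.login");

    // Constructed in-memory store (hypothetical); a real realm backs this with a DB or LDAP.
    private static final Map<String, String> PASSWORDS = new ConcurrentHashMap<String, String>();
    private static final Map<String, Boolean> EXPIRED = new ConcurrentHashMap<String, Boolean>();
    static {
        PASSWORDS.put("alice", "s3cret");
        PASSWORDS.put("bob", "hunter2");
        EXPIRED.put("bob", Boolean.TRUE);
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        Principal principal = null;
        String reason;
        if (username == null || !PASSWORDS.containsKey(username)) {
            reason = "unknown user";
        } else if (Boolean.TRUE.equals(EXPIRED.get(username))) {
            reason = "account expired";
        } else {
            // RealmBase compares credentials against getPassword() and, on a match, returns getPrincipal().
            principal = super.authenticate(username, credentials);
            reason = (principal == null) ? "bad password" : null;
        }
        // The reason is recorded here only; FormAuthenticator sees just null and shows the
        // configured form-error-page, so a remote caller cannot tell the cases apart.
        if (principal != null) {
            AUDIT.info("LOGIN_OK user=" + username);
        } else {
            AUDIT.warn("LOGIN_FAIL user=" + username + " reason=" + reason);
        }
        return principal;
    }

    @Override protected String getName() { return "AuditingRealm"; }
    @Override protected String getPassword(String username) { return PASSWORDS.get(username); }
    @Override protected Principal getPrincipal(String username) {
        // Tomcat 6 constructor: (Realm, name, password, roles)
        return new GenericPrincipal(this, username, PASSWORDS.get(username), Collections.singletonList("user"));
    }
}
```

Realm.authenticate receives only the username and credentials, so the client IP is not available at this point; only the outcome and reason are.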



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

