tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: Logging all traffics to Tomcat servers
Date Sat, 19 Dec 2009 02:27:10 GMT

"Christopher Schultz" <> wrote in message
> Hash: SHA1
> Fidelis,
> On 12/17/2009 3:42 PM, Fidelis Mnyanyi wrote:
>> Thanks Konstantin for your response. I tried to use AccessLogValve,
>> but noticed I can only capture successful logins. I would like to be
>> able to capture all unsuccessful attempts as well for security-audit
>> reasons, is this possible through Tomcat?
> Really? Tomcat doesn't log requests to j_security_check through
> AccessLogValve?

Unless you are configuring the FormAuthenticator your self, it should log 
j_security_check (since the default behavior is to add FormAuthenticator 
after any Valve in context.xml).

> Note that AccessLogValve will not directly log "failed logins": it only
> logs HTTP requests and their statuses, etc. You will have to deduce from
> the status code what happened during the request.

In particular, a 302 status code means success, and a 200 status code means 
failure (or, rather, what ever status code the error page returns).

> If you want to actually log failed logins, you'll need to use something
> other than the standard realms Tomcat provides (except maybe
> JAASRealm... I've never used that one but it appears that it is much
> more flexible than the other realm implementations).
> - -chris
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla -
> iEYEARECAAYFAksqp8QACgkQ9CaO5/Lv0PATzACghn0Apk8uew1/et9QUK6t2HTW
> InoAnAzcwEbLLnxwIfDUgLJUfwPdivrJ
> =btRk
> -----END PGP SIGNATURE----- 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message