RE: Form-Based Auth and tracking Login Attempts

2001-03-07 Thread Randy Layman


One suggestion might be to modify JDBCRealm so that on unsuccessful
login it updates a database field (like NUM_BAD_LOGINS) to one more than it
is.  Then when the magic number is triggered, you don't allow them to login
even with the correct password.  When the administrator resets the password,
the count is also reset.  It's also reset on a valid login.  Seems pretty
straightforward.  If you do this, I would suggest making the number of
attempts the user gets a parameter from the server.xml file, then publish
the code here - it might get incorporated into the code base.

On a side note, these systems always seem to me to not work really
well.  If you want to create a hassle for another user on the system, you
just find out their username (usually public information or easily guessed).
Also, it seems to me that honest mistakes (typos) can occur equally in
either field (username or password).  With a large enough user base, one
user's typo might be another user's login name and increase their count.

Randy

-Original Message-
From: Rajesh A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 07, 2001 8:31 AM
To: [EMAIL PROTECTED]
Subject: Form-Based Auth and tracking Login Attempts


I am using tomcat 3.2.1 + form-based authentication + jdbcRealm with oracle 
database. Everything has been configured and works perfectly.

Now I have a requirement to lock a user account upon 3 consecutive login 
attempt failures. The user then needs to contact the application 
administrators to get their account unlocked.

I have tried searching this mailing list's archives with no luck. In 
form-based auth my login.jsp page has an HTML form that is submitted to 
j_security_check, handled by the container. So I have no control over it and so 
am not able to count the number of login failures. Any help appreciated!

Rajesh


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]





RE: Form-Based Auth and tracking Login Attempts

2001-03-07 Thread Alistair Hopkins

Why not implement a unix-style login which gets slower after every duff
attempt?



-Original Message-
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 07, 2001 1:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Form-Based Auth and tracking Login Attempts
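The counter-and-threshold design Randy describes, with Alistair's "gets slower" variant beside it, as an added example that is not code from this thread or from Tomcat's JDBCRealm: the in-memory map stands in for the NUM_BAD_LOGINS column, the attempt limit and base delay are assumed to be read from server.xml by whoever wires this into the realm's authenticate hook (not shown), and the sample user name is constructed.

```java
import java.util.HashMap;
import java.util.Map;

/** Failed-login bookkeeping kept separate from password checking, so the
 *  realm can call it from its authenticate hook. The map stands in for the
 *  NUM_BAD_LOGINS column proposed in the thread (a real realm would UPDATE it). */
public class LoginAttemptPolicy {
    private final int maxAttempts;       // assumed to come from a server.xml parameter
    private final long baseDelayMillis;  // base wait for the slow-down variant
    private final Map<String, Integer> badLogins = new HashMap<>();

    public LoginAttemptPolicy(int maxAttempts, long baseDelayMillis) {
        this.maxAttempts = maxAttempts;
        this.baseDelayMillis = baseDelayMillis;
    }

    public int failures(String user) { return badLogins.getOrDefault(user, 0); }

    /** Hard lock: once the count reaches the limit, even a correct password is refused. */
    public boolean isLocked(String user) { return failures(user) >= maxAttempts; }

    /** Called after a password mismatch. Note the count is keyed by username only,
     *  so anyone who knows a username can drive it up; that is Randy's caveat. */
    public void recordFailure(String user) { badLogins.merge(user, 1, Integer::sum); }

    /** Called on a valid login and by the administrator's password reset. */
    public void reset(String user) { badLogins.remove(user); }

    /** Alistair's alternative: no lock, but each bad attempt doubles the wait before
     *  the next one is processed (doubling is an assumption; capped at 64x base). */
    public long delayMillis(String user) {
        int n = failures(user);
        return n == 0 ? 0 : baseDelayMillis << Math.min(n - 1, 6);
    }

    /** Decides one attempt given the realm's own password comparison result. */
    public boolean attempt(String user, boolean passwordMatches) {
        if (isLocked(user)) return false;                // refuse even a correct password
        if (passwordMatches) { reset(user); return true; }
        recordFailure(user);
        return false;
    }

    public static void main(String[] args) {
        LoginAttemptPolicy p = new LoginAttemptPolicy(3, 500);
        String user = "rajesh";                          // constructed sample user
        for (int i = 0; i < 3; i++) p.attempt(user, false);   // three consecutive failures
        System.out.println("locked=" + p.isLocked(user) + " delay=" + p.delayMillis(user));
        System.out.println("correct password accepted=" + p.attempt(user, true));
        p.reset(user);                                   // administrator unlocks the account
        System.out.println("after admin reset accepted=" + p.attempt(user, true));
    }
}
```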