Sounds like a useful feature. Are you considering:
1. That the feature must be 100% backwards compatible, i.e. work if they
don't specify the column or the column doesn't exist
2. That some database admins might only give you a read-only connection,
so the column exists but is not writable
3. How to alert a sysadmin if a user has been locked out
Filip
Benjamin Cuthbert wrote:
All
I am trying to improve the security for authenticating users on my
JDBC realm. What we require is the ability to lock out accounts on the
database when a user enters more than 3 incorrect passwords. Now I have
made some changes to the JDBCRealm.java and I would like some comments
on the features that I have added. Could someone from the Tomcat team
have a look at the attached code and configuration file and let me
know if this is the correct way to go about doing this.
Changes -
authenticate : Adding in a counter to check how many times a user gets
the incorrect password from the database.
LockAccount : new method to handle the update to the database so that
accounts can be locked.
Testing -
I have tested this on OSX as that is the system I use, but I am going
to do some further testing on Linux as that is what the server
application is installed on.
server.xml config would be
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost/tomcat"
       connectionName="tomcat" connectionPassword="tomcat"
       userTable="users" userNameCol="user_name"
       userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       accstatusCol="accountstatus" acclockouttry="3"/>
------------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
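
Added example (not part of the original thread, the attached patch, or Tomcat's own code): the lockout decision in Java with the three points from the reply handled explicitly. LockoutPolicy and AccountStore are hypothetical names; accstatusCol and acclockouttry are the attributes proposed in the message above, and locking on "more than acclockouttry" failures is an assumption taken from its wording.

```java
import java.sql.SQLException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

// Hypothetical classes for illustration; the realm would call record() from authenticate().
public class LockoutPolicy {
    interface AccountStore { void lock(String user) throws SQLException; } // stands in for the UPDATE on accstatusCol

    private static final Logger log = Logger.getLogger("LockoutPolicy");
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();
    private final String accstatusCol;   // null when the attribute is absent from server.xml
    private final int acclockouttry;
    private final AccountStore store;

    LockoutPolicy(String accstatusCol, int acclockouttry, AccountStore store) {
        this.accstatusCol = accstatusCol; this.acclockouttry = acclockouttry; this.store = store;
    }

    /** Records one password check; returns true if the account was locked by this call. */
    boolean record(String user, boolean passwordOk) {
        if (accstatusCol == null || acclockouttry <= 0) return false; // point 1: not configured, old behaviour
        if (passwordOk) { failures.remove(user); return false; }
        int n = failures.merge(user, 1, Integer::sum);
        if (n <= acclockouttry) return false;                         // lock on "more than" the limit
        String safe = user.replaceAll("[\\r\\n]", "_");               // keep the log line on one line
        try {
            store.lock(user);
            failures.remove(user);
            log.severe("Account locked after " + n + " failed logins: " + safe); // point 3: alert for the sysadmin
            return true;
        } catch (SQLException e) {                                    // point 2: e.g. read-only connection
            log.warning("Could not write " + accstatusCol + " for " + safe + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        LockoutPolicy on = new LockoutPolicy("accountstatus", 3, u -> { });
        LockoutPolicy readOnly = new LockoutPolicy("accountstatus", 3,
                u -> { throw new SQLException("connection is read-only"); });
        LockoutPolicy off = new LockoutPolicy(null, 3, u -> { });
        for (int i = 1; i <= 4; i++) {   // constructed input: four wrong passwords for user "alice"
            System.out.println(i + ": locked=" + on.record("alice", false)
                    + " readOnly=" + readOnly.record("alice", false)
                    + " off=" + off.record("alice", false));
        }
    }
}
```

The counter here lives in memory, so it resets on restart and is per Tomcat instance; that is an assumption of this example, not something the message specifies.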