Re: Tracking Authentication rejects in Tomcat 5.5
Scott and Kevin,

Scott Smith wrote:
> I'm using Tomcat 5.5 and using dataSourceRealm to do authentication. I need to track bad logins. In particular, I want to track any logins where the password is wrong. I also want to track the remote server's IP address that provides a bad login.

I also had this requirement and switched from using Tomcat's built-in authentication and authorization to using Securityfilter (securityfilter.sourceforge.net).

You can implement your own Realm (which I did, which looks a lot like Tomcat's DataSourceRealm) and you have your choice of interfaces: one that looks like Tomcat's realm (just username + password), or a more useful one that simply takes a request object. Using this more useful interface, you can write your own realm that is capable of logging failed logins including IP address.

What's nice about using securityfilter instead of writing your own Tomcat realms is that they are portable across app servers as well as releases of Tomcat (because the API is not frozen from major release to major release of Tomcat).

I'd be happy to share code with you if you're interested.

-chris

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Tracking Authentication rejects in Tomcat 5.5
I'm using Tomcat 5.5 and using dataSourceRealm to do authentication. I need to track bad logins. In particular, I want to track any logins where the password is wrong. I also want to track the remote server's IP address that provides a bad login.

It appears that I can track bad logins by creating a class derived from dataSourceRealm and then overriding the authenticate() methods. I'll then make the call to dataSourceRealm's authenticate, check for null as the return and conclude it's a bad login if it is null. I can then track the info from there.

However, I don't know how to get the remote server's IP address (request.getRemoteAddr()).

Does anyone have a suggestion? Does the general approach seem reasonable?

Scott
Re: Tracking Authentication rejects in Tomcat 5.5
Hi,

> Does anyone have a suggestion? Does the general approach seem reasonable?

We have similar requirements, but at the moment we are using a subclass of JDBCRealm, here is our authenticate method:

    @Override
    public Principal authenticate(Connection connection, String userName, String credentials) {
        // Keep the attempted login details (loginInfo is a field defined elsewhere in the class)
        LoginInfo loginInfoData = new LoginInfo( userName, credentials );
        loginInfo.set( loginInfoData );
        try {
            if( getCaseInsensitiveLogin() )
                userName = userName.toUpperCase();
            // Delegate the actual credential check to JDBCRealm
            Principal principal = super.authenticate( connection, userName, credentials );
            // if login failed
            if( principal == null )
                recordFailureLogon( connection, userName, credentials );
            else
                recordSuccessfulLogon( connection, userName );
            return principal;
        } catch(SQLException e) {
            // A failure while recording the attempt rejects the login
            e.printStackTrace();
            return null;
        }
    }

where recordFailureLogon has the following signature:

    protected void recordFailureLogon(Connection connection, String userName, String credentials) throws SQLException

If you find a way of recording the remote IP address I'd love to hear how you did it.

Thanks,
Kev
RE: Tracking Authentication rejects in Tomcat 5.5
I found this tonight. It looks promising.

http://sourceforge.net/projects/lockout-realm

It appears he has the HttpServletRequest object available and that means you can do a getRemoteAddr(). So, I haven't played with it, but...

Scott

From: Kevin Jackson [mailto:[EMAIL PROTECTED]
Sent: Mon 10/29/2007 10:03 PM
To: Tomcat Users List
Subject: Re: Tracking Authentication rejects in Tomcat 5.5

> Hi,
>
> > Does anyone have a suggestion? Does the general approach seem reasonable?
>
> We have similar requirements, but at the moment we are using a subclass of JDBCRealm, here is our authenticate method:
>
>     @Override
>     public Principal authenticate(Connection connection, String userName, String credentials) {
>         LoginInfo loginInfoData = new LoginInfo( userName, credentials );
>         loginInfo.set( loginInfoData );
>         try {
>             if( getCaseInsensitiveLogin() )
>                 userName = userName.toUpperCase();
>             Principal principal = super.authenticate( connection, userName, credentials );
>             // if login failed
>             if( principal == null )
>                 recordFailureLogon( connection, userName, credentials );
>             else
>                 recordSuccessfulLogon( connection, userName );
>             return principal;
>         } catch(SQLException e) {
>             e.printStackTrace();
>             return null;
>         }
>     }
>
> where recordFailureLogon has the following signature:
>
>     protected void recordFailureLogon(Connection connection, String userName, String credentials) throws SQLException
>
> If you find a way of recording the remote IP address I'd love to hear how you did it.
>
> Thanks,
> Kev
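
One way to get the client address into a realm subclass like the one Scott describes, added here as an example and not code from any poster in this thread or from the projects they mention: a Tomcat Valve stores request.getRemoteAddr() in a ThreadLocal, and the realm reads it when super.authenticate() returns null. The class names, the logger name, and the assumption that the valve runs ahead of Tomcat's authenticator are all hypothetical choices made for this sketch.

```java
// File: RemoteAddrValve.java (hypothetical class name)
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class RemoteAddrValve extends ValveBase {
    // One slot per request-processing thread.
    static final ThreadLocal<String> REMOTE_ADDR = new ThreadLocal<String>();

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        REMOTE_ADDR.set(request.getRemoteAddr());
        try {
            getNext().invoke(request, response);
        } finally {
            REMOTE_ADDR.remove(); // threads are pooled: never leave a stale address
        }
    }
}

// File: AuditingDataSourceRealm.java (hypothetical class name, same package)
import java.security.Principal;
import java.util.logging.Logger;
import org.apache.catalina.realm.DataSourceRealm;

public class AuditingDataSourceRealm extends DataSourceRealm {
    private static final Logger AUDIT = Logger.getLogger("auth.audit");

    @Override
    public Principal authenticate(String username, String credentials) {
        Principal principal = super.authenticate(username, credentials);
        if (principal == null) { // null covers wrong password and unknown user
            String addr = RemoteAddrValve.REMOTE_ADDR.get();
            // The submitted password is deliberately not written to the log.
            AUDIT.warning("Failed login user=\"" + clean(username)
                    + "\" remoteAddr=" + (addr == null ? "unknown" : addr));
        }
        return principal;
    }

    // Replace control characters so a crafted username cannot forge log lines.
    private static String clean(String s) {
        return s == null ? "" : s.replaceAll("\\p{Cntrl}", "?");
    }
}
```

Both classes have to be loadable by Tomcat itself rather than by the web application. Behind a reverse proxy, getRemoteAddr() returns the proxy's address, not the client's.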