Re: Tracking Authentication rejects in Tomcat 5.5

2007-10-30 Thread Christopher Schultz

Scott and Kevin,

Scott Smith wrote:
> I'm using Tomcat 5.5 and using dataSourceRealm to do authentication.  I
> need to track bad logins.  In particular, I want to track any logins
> where the password is wrong.  I also want to track the remote server's
> IP address that provides a bad login.

I also had this requirement and switched from using Tomcat's built-in
authentication and authorization to using Securityfilter
(securityfilter.sourceforge.net). You can implement your own Realm
(which I did, which looks a lot like Tomcat's DataSourceRealm) and you
have your choice of interfaces: one that looks like Tomcat's realm (just
username + password), or a more useful one that simply takes a request
object.

Using this more useful interface, you can write your own realm that is
capable of logging failed logins including IP address.

What's nice about using securityfilter instead of writing your own
Tomcat realms is that they are portable across app servers as well as
releases of Tomcat (because the API is not frozen from major release to
major release of Tomcat).

I'd be happy to share code with you if you're interested.

-chris

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Tracking Authentication rejects in Tomcat 5.5

2007-10-29 Thread Scott Smith
I'm using Tomcat 5.5 and using dataSourceRealm to do authentication.  I
need to track bad logins.  In particular, I want to track any logins
where the password is wrong.  I also want to track the remote server's
IP address that provides a bad login.

 

It appears that I can track bad logins by creating a class derived from
dataSourceRealm and then overriding the authenticate() methods.  I'll
then make the call to dataSourceRealm's authenticate, check for null as
the return and conclude it's a bad login if it is null.  I can then
track the info from there.  However, I don't know how to get the remote
server's IP address (request.getRemoteAddr()).  

 

Does anyone have a suggestion?  Does the general approach seem
reasonable?

 

Scott



Re: Tracking Authentication rejects in Tomcat 5.5

2007-10-29 Thread Kevin Jackson
Hi,

> Does anyone have a suggestion?  Does the general approach seem
> reasonable?

We have similar requirements, but at the moment we are using a
subclass of JDBCRealm, here is our authenticate method:

@Override
public Principal authenticate(Connection connection, String userName,
        String credentials) {
    LoginInfo loginInfoData = new LoginInfo( userName, credentials );
    loginInfo.set( loginInfoData );

    try {
        if( getCaseInsensitiveLogin() )
            userName = userName.toUpperCase();

        Principal principal = super.authenticate( connection, userName,
                credentials );

        // if login failed
        if( principal == null )
            recordFailureLogon( connection, userName, credentials );
        else
            recordSuccessfulLogon( connection, userName );

        return principal;
    } catch (SQLException e) {
        e.printStackTrace();
        return null;
    }
}

where recordFailureLogon has the following signature:

protected void recordFailureLogon(Connection connection, String userName,
        String credentials) throws SQLException

If you find a way of recording the remote IP address I'd love to hear
how you did it.

Thanks,
Kev




RE: Tracking Authentication rejects in Tomcat 5.5

2007-10-29 Thread Scott Smith
I found this tonight.  It looks promising.
 
http://sourceforge.net/projects/lockout-realm
 
It appears he has the HttpServletRequest object available and that means you 
can do a getRemoteAddr().
 
So, I haven't played with it, but...
 
Scott
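
One way to get the client address into a realm, following the approach discussed in this thread (an added example, not code posted by any participant): a Valve stores request.getRemoteAddr() in a ThreadLocal before authentication runs, and a DataSourceRealm subclass reads it when super.authenticate() returns null. The package and class names are hypothetical, and it assumes the valve is declared where it runs before the authenticator (for example on the Host) and that the class is loaded by Tomcat's server class loader.

```java
package example.audit; // hypothetical package name

import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.DataSourceRealm;
import org.apache.catalina.valves.ValveBase;

/** Realm that logs rejected logins together with the client address. */
public class AuditingDataSourceRealm extends DataSourceRealm {

    private static final Logger LOG =
            Logger.getLogger(AuditingDataSourceRealm.class.getName());

    // Address of the request being handled on the current thread.
    private static final ThreadLocal<String> REMOTE_ADDR = new ThreadLocal<String>();

    /** Valve that has to run before the authenticator (assumed: declared on the Host). */
    public static class RemoteAddrValve extends ValveBase {
        @Override
        public void invoke(Request request, Response response)
                throws IOException, ServletException {
            REMOTE_ADDR.set(request.getRemoteAddr());
            try {
                getNext().invoke(request, response);
            } finally {
                REMOTE_ADDR.remove(); // request threads are pooled; do not leak the value
            }
        }
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        Principal principal = super.authenticate(username, credentials);
        if (principal == null) {
            // Record who and from where, never the submitted password.
            LOG.warning("Login rejected: user=" + sanitize(username)
                    + " remoteAddr=" + REMOTE_ADDR.get());
        }
        return principal;
    }

    // Replace CR/LF so a crafted user name cannot forge extra log lines.
    private static String sanitize(String s) {
        return s == null ? "null" : s.replaceAll("[\\r\\n]", "_");
    }
}
```

Behind a reverse proxy, getRemoteAddr() returns the proxy's address, so the original client address has to come from whatever the proxy forwards.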


