On Wed, 3 Oct 2001, Martin Scheerer wrote:
> Date: Wed, 3 Oct 2001 17:54:34 +0200
> From: Martin Scheerer <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: How do I know what security manager is in use?
>
> On Tuesday, 2 October 2001 19:04 you wrote:
> [...]
> >
> > > I am writing some general support classes to manage users and
> > > roles. To support a call like addUser() I need to know which
> > > security manager is in use so I can do the right thing.
> > > Doing things like checking for tomcat-users.xml or a particular
> > > security class don't seem adequate.
> >
> > You should not be using MemoryRealm for a production application.
> >
> > A completely separate approach would be to write a regular webapp that
> > talks directly to the underlying database (or directory server) containing
> > your authentication data. Any new user that you add, for example, is
> > immediately recognized -- there is no real reason to mess around with the
> > internal Realm implementation class at all.
>
> We needed for a project the ability to show the user why the authentication
> wasn't successful (wrong passwd, unknown username,...).
This is information you really would not want to tell someone trying to
hack into your site.
> And after three failed tries the account should be disabled.
>
To do something like this, you'd definitely need to modify the Tomcat
code. I would think, though, that you'd want to modify the Authenticator,
rather than the Realm - testing whether authentication has failed three
times is the same no matter which realm you are actually using underneath.
> For the first problem we found no easy solution, the second problem was
> solved by hacking the JDBCRealm.
>
> Is this a "real reason" to mess around with the internal Realm? Or we've
> taken the wrong way?
>
>
> Greetings
> Martin
>
Craig
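The two points in the reply above (do not tell the client *why* authentication failed, and put the three-strikes check in a layer that does not care which Realm is underneath) can be shown in a few lines. The following is an added example written for this page; it is not code from the thread, from the Tomcat project, or from Martin's JDBCRealm patch. The `Realm` interface, `LockoutRealm` and `MemoryRealmStub` are stand-ins I have assumed here: the real container interface is larger, and the real Tomcat Authenticator is a Valve rather than a wrapping Realm, but the realm-independence argument is the same. The user table and passwords are constructed test data.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not Tomcat code. "Realm", "LockoutRealm" and
 * "MemoryRealmStub" are assumed names for this illustration.
 */
public class LockoutExample {

    /** Stand-in for a container Realm: a null result means "authentication failed". */
    interface Realm {
        Principal authenticate(String username, String credentials);
    }

    /**
     * Wraps ANY Realm. Counts consecutive failures per username and locks the
     * account after maxFailures. Because it only sees "Principal or null" from the
     * delegate, it cannot leak (and does not need to know) whether the user was
     * unknown or the password was wrong.
     */
    static final class LockoutRealm implements Realm {
        private final Realm delegate;
        private final int maxFailures;
        private final Map<String, Integer> failures = new HashMap<>();
        private final Set<String> locked = new HashSet<>();

        LockoutRealm(Realm delegate, int maxFailures) {
            this.delegate = delegate;
            this.maxFailures = maxFailures;
        }

        @Override
        public synchronized Principal authenticate(String username, String credentials) {
            if (username == null || locked.contains(username)) {
                // A locked account fails even with the right password, and the
                // caller sees exactly the same null as for any other failure.
                return null;
            }
            Principal p = delegate.authenticate(username, credentials);
            if (p != null) {
                failures.remove(username);          // success resets the counter
                return p;
            }
            int n = failures.merge(username, 1, Integer::sum);
            if (n >= maxFailures) {
                locked.add(username);
                failures.remove(username);
            }
            return null;                            // one failure signal, whatever the cause
        }

        synchronized boolean isLocked(String username) { return locked.contains(username); }

        synchronized void unlock(String username) { locked.remove(username); }
    }

    /** Constructed in-memory realm standing in for the real one (plaintext only to keep the example short). */
    static final class MemoryRealmStub implements Realm {
        private final Map<String, String> users = new HashMap<>();

        MemoryRealmStub() { users.put("martin", "s3cret"); }   // constructed test account

        @Override
        public Principal authenticate(final String username, String credentials) {
            String stored = users.get(username);
            // Unknown user and wrong password collapse into the same null here as well.
            if (stored == null || !stored.equals(credentials)) return null;
            return new Principal() { public String getName() { return username; } };
        }
    }

    public static void main(String[] args) {
        LockoutRealm realm = new LockoutRealm(new MemoryRealmStub(), 3);
        System.out.println("unknown user            ok? " + (realm.authenticate("nobody", "x") != null));
        System.out.println("wrong password          ok? " + (realm.authenticate("martin", "x") != null));
        System.out.println("right password          ok? " + (realm.authenticate("martin", "s3cret") != null));
        for (int i = 0; i < 3; i++) realm.authenticate("martin", "wrong");
        System.out.println("locked after 3 failures?    " + realm.isLocked("martin"));
        System.out.println("right password while locked " + (realm.authenticate("martin", "s3cret") != null));
        realm.unlock("martin");
        System.out.println("after admin unlock      ok? " + (realm.authenticate("martin", "s3cret") != null));
    }
}
```

Two caveats a practitioner would add. First, the in-memory counters vanish on restart and are per-JVM; a production version stores the counter and lock flag next to the account (in the same database or directory the Realm reads), which is the one place the underlying store does matter. Second, locking on username alone lets anyone who knows a login name lock that user out with three bad guesses, so real deployments usually combine it with a time-based unlock or a per-source-address limit rather than a permanent lock.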