On Thu, Apr 8, 2021 at 1:38 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> I have some sketches of something like this literally on paper somewhere
> around here to create an interface for applications to subscribe to
> authentication events. It would, for example, allow you to write a
> "failed login" record to your database that includes not only the user's
> username who failed, but also their IP address (which comes from the
> request, of course).
>
> Would that kind of thing help in your use-case?

I'm looking for a way to give more information back to the user if their account is locked or not... Right now it's very generic and that is good from a security perspective, but I need to be able to tell the user that their account is locked after so many attempts and they will need to take action to unlock it.

I found this on the web:
https://stackoverflow.com/questions/7584208/detect-a-realm-authentication-failure-reason-in-tomcat

Is the "com.ofc.tomcat.LOGIN_FAILURE_MESSAGE" still around in Tomcat 9? Not sure how to use it even if it was...

As mentioned in that URL, doing a pre-login of sorts before calling HttpServletRequest.login() may be a workaround to accomplish this, but then I would need to call my backend authentication service twice for each login.

-Tim
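
Added example, not part of the original message and not Tomcat code: one way to do the pre-login check mentioned above without a second backend call, by keeping the failure count in the web application. `LoginGate`, `Authenticator` (a stand-in for `HttpServletRequest.login()`), `MAX_FAILURES` and the fake backend are hypothetical, and counting lockouts in the application rather than in the backend service is an assumption.

```java
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class LoginGate {
    enum Outcome { OK, BAD_CREDENTIALS, LOCKED }

    /** Stand-in for HttpServletRequest.login(user, pass), which throws on failure. */
    interface Authenticator { void login(String user, String pass) throws Exception; }

    static final int MAX_FAILURES = 3; // constructed threshold
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();

    Outcome attempt(String user, String pass, Authenticator auth) {
        String key = user.toLowerCase(Locale.ROOT);
        // Pre-login check against local state: no backend call for a locked name.
        if (failures.getOrDefault(key, 0) >= MAX_FAILURES) return Outcome.LOCKED;
        try {
            auth.login(user, pass); // the single backend call per attempt
            failures.remove(key);
            return Outcome.OK;
        } catch (Exception e) {
            // Counted for every submitted name, existing or not, so a LOCKED
            // response does not reveal which usernames are real.
            int n = failures.merge(key, 1, Integer::sum);
            return n >= MAX_FAILURES ? Outcome.LOCKED : Outcome.BAD_CREDENTIALS;
        }
    }

    /** The "take action to unlock" step, called once the user has done so. */
    void unlock(String user) { failures.remove(user.toLowerCase(Locale.ROOT)); }

    public static void main(String[] args) {
        LoginGate gate = new LoginGate();
        Authenticator backend = (u, p) -> { // constructed fake backend
            if (!("tim".equals(u) && "s3cret".equals(p))) throw new Exception("denied");
        };
        for (int i = 0; i < MAX_FAILURES; i++) {
            System.out.println(gate.attempt("tim", "wrong", backend));
        }
        // Correct password, but the name is locked and the backend is skipped.
        System.out.println(gate.attempt("tim", "s3cret", backend));
        gate.unlock("tim");
        System.out.println(gate.attempt("tim", "s3cret", backend));
    }
}
```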