Simon,

> Has anyone done anything with tomcat authorisation to configure in a
> maximum number of retries before an address/account is blocked.

I'm pretty sure that Tomcat's authentication system does not support this feature. You could probably write your own authenticator to track that kind of thing.

I am going to be adding the same type of feature to an authenticator I wrote to be used with securityfilter (http://securityfilter.sourceforge.net/). My plan is to use something like a synchronized time-sensitive cache of login failures (probably something from the commons-collections package such as LRUMap) to store login failures (keyed on username). I'll probably do the same thing with remote IP address as well (3 failures from the same IP will block future logins). The only trick is expiring entries ;)

Let me know if you have any better ideas. I'd love to hear about them.

-chris
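
One way to build the failure cache described in the message above, as an added example that is not the poster's code or part of securityfilter. The class and method names are hypothetical, an access-ordered `LinkedHashMap` stands in for commons-collections `LRUMap`, and entries are expired lazily when they are next looked up.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.LongSupplier;
// Added example; class and method names are hypothetical, not securityfilter's API.
public class LoginThrottle {
    private static final class Tally { int failures; final long since; Tally(long t) { since = t; } }
    private final int maxFailures;
    private final long windowMillis;
    private final LongSupplier clock;        // injectable time source, so expiry can be exercised
    private final Map<String, Tally> cache;  // bounded LRU map, standing in for LRUMap

    public LoginThrottle(int maxFailures, long windowMillis, int capacity, LongSupplier clock) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
        this.clock = clock;
        this.cache = new LinkedHashMap<String, Tally>(16, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<String, Tally> e) { return size() > capacity; }
        };
    }

    public synchronized boolean isBlocked(String username, String remoteAddr) {
        return live("user:" + username) >= maxFailures || live("ip:" + remoteAddr) >= maxFailures;
    }

    public synchronized void recordFailure(String username, String remoteAddr) {
        bump("user:" + username);
        bump("ip:" + remoteAddr);
    }

    private int live(String key) {           // failure count inside the window, else 0
        Tally t = cache.get(key);
        if (t != null && clock.getAsLong() - t.since < windowMillis) return t.failures;
        cache.remove(key);                   // lazy expiry: stale entries go when next touched
        return 0;
    }

    private void bump(String key) {
        if (live(key) == 0) cache.put(key, new Tally(clock.getAsLong())); // none, or just expired
        cache.get(key).failures++;
    }

    public static void main(String[] args) {
        long[] now = {0};                    // fake clock for the demo
        LoginThrottle t = new LoginThrottle(3, 900_000L, 10_000, () -> now[0]);
        for (int i = 0; i < 3; i++) t.recordFailure("alice", "203.0.113.7"); // constructed values
        System.out.println(t.isBlocked("alice", "198.51.100.2") + " " + t.isBlocked("bob", "203.0.113.7"));
        now[0] += 900_000L;                  // the 15-minute window elapses
        System.out.println(t.isBlocked("alice", "203.0.113.7"));
    }
}
```

Because the map is capacity-bounded, a burst of failures across many distinct usernames or addresses can evict a blocked key before its window ends, so size the capacity for the expected failure volume. Keying on username also means anyone who knows an account name can lock its owner out for the length of the window.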