Daniel Stephens wrote:
> Need some help or advice..
>
> For Security reasons,
> We need to do logging for IP, username, etc (AUDIT).
> We need to log success and failed attempts.
> We don't want to modify the internal classes (unless it's impossible).
>
> We are using the FORM auth-method, we POST to j_security_check. We have
> our own custom realm that extends RealmBase. All that works fine. Until we
> try and report back to the browser why the authentication failed, too many
> attempts, account expired etc..

The Tomcat API deliberately won't let you do that. It is bad security to
explain why the authentication failed as it nearly always makes brute force
attacks easier.

> So my question is. Since the authentication occurs in the
> Realm/FormAuthenticator, Has anyone been able to successfully extend this
> class ( FormAuthenticator ), and implement this kind of concept? I have
> found some examples online, but I have not been able to make them work.

You would have to do some fairly serious surgery to the Tomcat internals to
get this to work.

Mark
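Added example, not code from this thread or from Tomcat itself: a RealmBase subclass of the kind the poster already has, overriding authenticate() so that every success and failure is written to the server-side audit log and further attempts are refused after a threshold, while the browser still only sees Tomcat's generic login-error page. The class name, the in-memory user table and the threshold are constructed for the example; the Realm API does not receive the request, so the client IP is assumed to come from a Valve or the access log rather than from here.

```java
package example.audit; // hypothetical package, not part of Tomcat

import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

public class AuditingRealm extends RealmBase {
    private static final Log log = LogFactory.getLog(AuditingRealm.class);
    private static final int MAX_FAILURES = 5; // constructed lockout threshold

    // Constructed in-memory user table; a real realm would consult a DB or directory.
    private final Map<String, String> passwords = new ConcurrentHashMap<>();
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();

    public AuditingRealm() { passwords.put("alice", "s3cret"); }

    @Override
    public Principal authenticate(String username, String credentials) {
        // Strip CR/LF so a crafted username cannot forge extra audit lines.
        String user = username == null ? "<null>" : username.replaceAll("[\\r\\n]", "_");
        if (failures.getOrDefault(user, 0) >= MAX_FAILURES) {
            // Reason stays in the server log; the caller only sees a null Principal.
            log.warn("AUDIT login DENIED user=" + user + " reason=too-many-attempts");
            return null;
        }
        Principal p = super.authenticate(username, credentials); // RealmBase does the credential check
        if (p == null) {
            int n = failures.merge(user, 1, Integer::sum);
            log.warn("AUDIT login FAILED user=" + user + " failures=" + n);
        } else {
            failures.remove(user);
            log.info("AUDIT login OK user=" + user);
        }
        return p;
    }

    @Override
    protected String getPassword(String username) {
        return username == null ? null : passwords.get(username);
    }

    @Override
    protected Principal getPrincipal(String username) {
        return new GenericPrincipal(username, passwords.get(username), Arrays.asList("user"));
    }

    // Abstract in Tomcat 7, absent in 8.5+; left without @Override so it compiles on both.
    protected String getName() { return "AuditingRealm"; }
}
```

The realm is wired in like any custom realm (a <Realm className="example.audit.AuditingRealm"/> element in the Context), and FormAuthenticator keeps forwarding failed attempts to the configured error page without any indication of the cause.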