with all that said, I think the best option for you is to
- create an extension of the current realm instead of patching the
existing one
- submit the code
- and if everyone thinks its useful, the code looks good, we can add it
to Tomcat and let the user decide if they wanna use it
but I don't think modifying the existing realm is gonna fly, many people
are using it, and if it isn't 100% compatible with what it is today,
then no patch will be accepted.
Filip
Benjamin Cuthbert wrote:
Those are very valid questions.
1. Yes so i guess there could be a default value in the code so that
it could always be set to 3 unless
set by the admin.
2. I am not sure how to handle this, as if you only had read access
to the database then there would be no
way to set this up, unless you created some sort of hashmap in the
code to store which users
were locked and which were not.
3. I was just thinking of using the standard log file output. did you
have something else in mind ?
Regards
On 1 May 2006, at 20:44, Filip Hanik - Dev Lists wrote:
sounds like a useful feature, are you considering
1. That the feature must be 100% backwards compatible, ie work if
they dont specify the column or the column doesn't exist
2. That some database admins might only give you a read only
connection, so the column exists but is not writable
3. How to alert a sysadmin if a user has been locked out
Filip
Benjamin Cuthbert wrote:
All
I am trying to improve the security for authenticating users on my
JDBC realm. What we require is the ability to lock out accounts on
the database
when a user enters more than 3 incorrect passwords. Now i have made
some changes to the JDBCRealm.java and i would like some comments
on the features that i have added. Could someone from the tomcat
team have a look at the attached code and configuration file and let me
know if this is the correct way to go about doing this.
Changes -
authenticate : Adding in a counter to check how many times a user
gets the incorrect password from the database.
LockAccount : new method to handle the update to the database so
that accounts can be locked.
Testing -
I have tested this on OSX as that is the system i use, but i am
going to do some further testing on linux as that is what the server
application is installed on.
server.xml config would be
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://localhost/tomcat"
connectionName="tomcat" connectionPassword="tomcat"
userTable="users" userNameCol="user_name"
userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name"
accstatusCol="accountstatus" acclockouttry="3"/>
------------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
