https://bz.apache.org/bugzilla/show_bug.cgi?id=63336

--- Comment #4 from jchobanto...@yahoo.com ---
Thank you for pointing out that the isLocked() and unlock() methods are public - I
already know that. Even with this information I need to provide a custom
LockOutRealm in order to see the real reason why my form error page is being
displayed.

And again, I know I could provide Valves, extensions etc. to fix that, and I
already did that for my application, but I thought someone else could benefit
from this as well.

As you are the one that provides LockOutRealm, you could just add some extra
information (either using request.setAttribute() or some other way) so that in
the web application's form error page (jsp or whatever) you would be able to tell
the user if there is a lockout or not, if you choose to do so.

I'm not aware how, from the web application's error login page, I could obtain the realm
in order to ask isLocked(), and the error page does not get the login user id to
pass to it - even if this was possible, it would make the web application not
portable across different app servers and we don't want that - we want to have
a way to get this information, preferably using a request attribute - then if
the attribute is not standard (as there is no such thing in the servlet spec)
we could use servlet init parameters to pass the name of the request
attribute to look for, and then our web applications will be more portable.

The issue is that right now, unless I supply Tomcat-specific classes and
configuration, I can't develop an application to tell me that.

And also, just an example - Amazon Cognito also uses lockout if you have too
many failed login attempts and it will tell you that straight up - so a failed
login could result because Cognito also is in lockout - so I need to query
JAASRealm somehow to see what the condition is there - too many things to check
- it would be better if everyone participated - LockOutRealm, JAASRealm, JAAS
modules - to tell you why something happens - not to mention that you might want
to have some ability in the error login page to log the reason why something
happens in one place (probably some audit framework - not just a log message
from LockOutRealm) - as there are many places why something happens -
LockOutRealm, JAASRealm, modules, LDAP realm etc. - it is better for whoever reports
the error to put it in some standard place for us to consume.
