Security on JDBC Realm new features

[Benjamin Cuthbert]

All

I am trying to improve the security for authenticating users on my  
JDBC realm. What we require is the ability to lock out accounts on  
the database
when a user enters more than 3 incorrect passwords. Now i have made  
some changes to the JDBCRealm.java and i would like some comments
on the features that i have added. Could someone from the tomcat team  
have a look at the attached code and configuration file and let me

know if this is the correct way to go about doing this.

Changes -

authenticate : Adding in a counter to check how many times a user  
gets the incorrect password from the database.
LockAccount : new method to handle the update to the database so that  
accounts can be locked.


Testing -

I have tested this on OSX as that is the system i use, but i am going  
to do some further testing on linux as that is what the server

application is installed on.

server.xml config would be


userTable="users" userNameCol="user_name"  
userCredCol="user_pass"

  userRoleTable="user_roles" roleNameCol="role_name"
  accstatusCol="accountstatus" acclockouttry="3"/>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Security on JDBC Realm new features

[Benjamin Cuthbert]

Those are very valid questions.

1. Yes so i guess there could be a default value in the code so that  
it could always be set to 3 unless

set by the admin.
2.  I am not sure how to handle this, as if you only had read access  
to the database then there would be no
   way to set this up, unless you created some sort of hashmap in  
the code to store which users

   were locked and which were not.
3. I was just thinking of using the standard log file output. did you  
have something else in mind ?


Regards


On 1 May 2006, at 20:44, Filip Hanik - Dev Lists wrote:


sounds like a useful feature, are you considering

1. That the feature must be 100% backwards compatible, ie work if  
they dont specify the column or the column doesn't exist
2. That some database admins might only give you a read only  
connection, so the column exists but is not writable

3. How to alert a sysadmin if a user has been locked out

Filip


Benjamin Cuthbert wrote:

All

I am trying to improve the security for authenticating users on my  
JDBC realm. What we require is the ability to lock out accounts on  
the database
when a user enters more than 3 incorrect passwords. Now i have  
made some changes to the JDBCRealm.java and i would like some  
comments
on the features that i have added. Could someone from the tomcat  
team have a look at the attached code and configuration file and  
let me

know if this is the correct way to go about doing this.

Changes -

authenticate : Adding in a counter to check how many times a user  
gets the incorrect password from the database.
LockAccount : new method to handle the update to the database so  
that accounts can be locked.


Testing -

I have tested this on OSX as that is the system i use, but i am  
going to do some further testing on linux as that is what the server

application is installed on.

server.xml config would be


userTable="users" userNameCol="user_name"  
userCredCol="user_pass"

  userRoleTable="user_roles" roleNameCol="role_name"
  accstatusCol="accountstatus" acclockouttry="3"/>


- 
---


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]