Wednesday, May 12, 2004 08:24 AM
Ideally, you would implement this at the security realm level. You would need to implement, or extend an existing, security realm class for your container. Presumably it could store and reset the number of consecutive failed logins, and also lock the account when needed.
The problem after that, with container-managed security, is that it is difficult for the realm to communicate why a user's login failed -- wrong password, or account locked?
If you have to differentiate between the two for a user, yes, you need something beyond the security realm, and you need to know the user name. In your container, can you get the value of the "j_username" request parameter? I don't think that will give a value on all containers. Alternatively, you can snoop into the user session and find the container-specific object that holds all of this info, like the username, what page the user originally requested, etc., and read that. That is a hack, and obviously ties you to your container, but it should work.
As Sun moves the J2EE security model to be more JAAS-based, it should become more flexible, and hopefully these problems will go away.
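The realm-level design described in the reply above, as an added example that is not part of the original post or of any particular container's code. It is container-independent: `PasswordVerifier` is a hypothetical hook standing in for the container's own credential check (in a real deployment you would extend that container's realm base class and delegate to it), and the realm names, the three-strikes limit and the lock duration are assumptions. The point it shows is the one the reply makes: `authenticate` has to keep the container's Principal-or-null contract, so the only way to tell "wrong password" from "account locked" is a second, richer entry point that your own filter or servlet calls with the username.

```java
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical lockout-aware realm (example code, not a container API).
 * Tracks consecutive failed logins per user, locks the account after a
 * threshold, and resets the counter on success or when the lock expires.
 */
public class LockoutRealm {

    /** Hypothetical hook for the container's own password check. */
    public interface PasswordVerifier {
        boolean verify(String username, String password);
    }

    /** What the realm knows but a Principal-or-null contract cannot convey. */
    public enum Outcome { SUCCESS, BAD_CREDENTIALS, LOCKED }

    private static final class State {
        int consecutiveFailures;
        Instant lockedUntil; // null when the account is not locked
    }

    private final PasswordVerifier verifier;
    private final int maxFailures;
    private final Duration lockDuration;
    // Note: entries are never evicted here; a production store needs bounding.
    private final Map<String, State> states = new ConcurrentHashMap<>();

    public LockoutRealm(PasswordVerifier verifier, int maxFailures, Duration lockDuration) {
        this.verifier = verifier;
        this.maxFailures = maxFailures;
        this.lockDuration = lockDuration;
    }

    /** Container-style contract: a Principal on success, null on any failure. */
    public Principal authenticate(String username, String password) {
        return attempt(username, password) == Outcome.SUCCESS ? () -> username : null;
    }

    /** Richer result for your own filter/servlet, which must know the username. */
    public Outcome attempt(String username, String password) {
        State s = states.computeIfAbsent(username, k -> new State());
        synchronized (s) {
            if (s.lockedUntil != null) {
                if (Instant.now().isBefore(s.lockedUntil)) {
                    // Do not run the password check while locked: a correct guess
                    // must neither succeed nor be distinguishable from a wrong one.
                    return Outcome.LOCKED;
                }
                s.lockedUntil = null;        // lock expired: start a fresh window
                s.consecutiveFailures = 0;
            }
            if (verifier.verify(username, password)) {
                s.consecutiveFailures = 0;
                return Outcome.SUCCESS;
            }
            if (++s.consecutiveFailures >= maxFailures) {
                s.lockedUntil = Instant.now().plus(lockDuration);
                return Outcome.LOCKED;
            }
            return Outcome.BAD_CREDENTIALS;
        }
    }

    /** Lets a filter that has read "j_username" ask about lock state directly. */
    public boolean isLocked(String username) {
        State s = states.get(username);
        if (s == null) return false;
        synchronized (s) {
            return s.lockedUntil != null && Instant.now().isBefore(s.lockedUntil);
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory verifier for the demo; the container would supply its own.
        Map<String, String> users = Map.of("alice", "correct-horse");
        LockoutRealm realm = new LockoutRealm(
                (u, p) -> p != null && p.equals(users.get(u)), 3, Duration.ofMinutes(15));

        System.out.println(realm.attempt("alice", "guess1"));        // BAD_CREDENTIALS
        System.out.println(realm.attempt("alice", "guess2"));        // BAD_CREDENTIALS
        System.out.println(realm.attempt("alice", "guess3"));        // LOCKED
        System.out.println(realm.attempt("alice", "correct-horse")); // LOCKED (right password, still refused)
        System.out.println(realm.authenticate("alice", "correct-horse")); // null: container sees only failure
        System.out.println(realm.isLocked("alice"));                 // true
    }
}
```

A filter in front of the container's FORM login would read `j_username` (where the container exposes it) and call `isLocked` to decide which error page to show; `authenticate` stays as opaque as the reply describes. Bear in mind that telling a caller an account is locked also tells them the account exists, so the lock message deserves the same care as any other enumeration signal.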