How to retrieve the username after a failed login in container-based authentication?

Posted By:   Zdenek_Nejedly
Posted On:   Monday, May 10, 2004 02:01 PM

I need to implement account locking after n failed attempts with the given username.

This is not a problem in application-managed authentication, but in the case of container-managed security I have access to the username ONLY if the login was successful (getUserPrincipal and getRemoteUser). Would anybody know how to retrieve the username if the login failed? It does not seem to be stored in any scope.

Re: How to retrieve the username after a failed login in container-based authentication?

Posted By:   Sean_Owen  
Posted On:   Wednesday, May 12, 2004 08:24 AM

Ideally, you would implement this at the security realm level. You would need to implement, or extend an existing, security realm class for your container. Presumably it could store and reset the number of consecutive failed logins, and also lock the account when needed.



The problem after that, with container-managed security, is that it is difficult for the realm to communicate why a user's login failed -- wrong password, or account locked?



If you have to differentiate between the two for a user, yes you need something beyond the security realm, and you need to know the user name. In your container, can you get the value of the "j_username" request parameter? I don't think that will give a value on all containers. Alternatively you can snoop into the user session and find the container-specific object that holds all of this info, like username, what page the user originally requested, etc., and read that. That is a hack, and obviously ties you to your container, but should work.



As Sun moves the J2EE security model to be more JAAS-based, it should become more flexible, and hopefully these problems will go away.
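
The realm-level approach described in the reply above, as an added example that is not part of the original thread and not any container's API: a failure counter that a custom realm's authenticate method could delegate to. `LockoutTracker`, `Result` and the `passwordCheck` callback are hypothetical names, and the account and password in `main` are constructed sample data.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;

/** Hypothetical helper for a custom realm to delegate to; not a container API. */
public class LockoutTracker {
    public enum Result { OK, BAD_CREDENTIALS, LOCKED }

    private final int maxFailures;
    private final BiPredicate<String, String> passwordCheck; // assumed: the realm's real check
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();

    public LockoutTracker(int maxFailures, BiPredicate<String, String> passwordCheck) {
        this.maxFailures = maxFailures;
        this.passwordCheck = passwordCheck;
    }

    /** Called by the realm with the submitted name, so the name is known on failure too. */
    public Result authenticate(String username, String password) {
        if (username == null) {
            return Result.BAD_CREDENTIALS;   // nothing to count against
        }
        // Check the lock first so a locked account never reveals whether the password was right.
        if (failures.getOrDefault(username, 0) >= maxFailures) {
            return Result.LOCKED;
        }
        if (passwordCheck.test(username, password)) {
            failures.remove(username);       // success resets the consecutive-failure count
            return Result.OK;
        }
        int count = failures.merge(username, 1, Integer::sum); // atomic per-user increment
        return count >= maxFailures ? Result.LOCKED : Result.BAD_CREDENTIALS;
    }

    /** Administrative unlock. */
    public void unlock(String username) {
        failures.remove(username);
    }

    public static void main(String[] args) {
        // Constructed sample: one account, locked after 3 consecutive failures.
        LockoutTracker t = new LockoutTracker(3, (u, p) -> u.equals("alice") && "s3cret".equals(p));
        for (String attempt : new String[] {"bad1", "bad2", "bad3", "s3cret"}) {
            System.out.println(attempt + " -> " + t.authenticate("alice", attempt));
        }
        t.unlock("alice");
        System.out.println("after unlock -> " + t.authenticate("alice", "s3cret"));
    }
}
```

Counts here live in memory and are kept for every submitted name, so a real realm would persist them and bound the map. How the `LOCKED` versus `BAD_CREDENTIALS` result reaches the login error page remains container-specific, as the reply notes.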

Re: How to retrieve the username after a failed login in container-based authentication?

Posted By:   Christopher_Koenigsberg  
Posted On:   Monday, May 10, 2004 02:47 PM

That's one reason why we didn't get into container-managed security yet...
