3 Replies Latest reply on May 24, 2004 9:24 AM by starksm64

Disabling User in a JAAS-based J2EE application

anbenham May 13, 2004 3:14 AM

Hi,

I have a working JAAS-based J2EE application. the login works using the j_security_check servlet.

I want now to disable a user account if the user gives 3 times a wrong password.

The problem is how/where to memorize the information about each login try?
the first location where I get something is in my loginmodule. But there I have no possiblity to write in whatever context, for instance the application context.

in the loginerror-page i donýt know who has made the wrong login try.

Any ideas about this?

1. Re: Disabling User in a JAAS-based J2EE application

starksm64 May 14, 2004 11:39 AM (in response to anbenham)

You would need to create a custom tomcat valve to track this info. Here is an example that make the j_username request attribute available to the session as a j_username attribute for use in the login/error pages.

package org.jboss.sample.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.catalina.valves.ValveBase;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.ValveContext;
import org.apache.log4j.Logger;

/** A valve that simply associates the j_username with the session
 * under the attribute name j_username for use by login.jsp/error.jsp
 *
 * @author Scott.Stark@jboss.org
 * @version $Revision:$
 */
public class FormLoginValve
 extends ValveBase
{
 static Logger log = Logger.getLogger(FormLoginValve.class);

 public void invoke(Request request, Response response, ValveContext context)
 throws IOException, ServletException
 {
 HttpServletRequest httpRequest = (HttpServletRequest) request.getRequest();
 String username = httpRequest.getParameter("j_username");
 HttpSession session = httpRequest.getSession(false);
 log.info("Entry, username: "+username+", session:"+session);
 if( session != null )
 session.setAttribute("j_username", username);

 context.invokeNext(request, response);

 username = httpRequest.getParameter("j_username");
 session = httpRequest.getSession(false);
 log.info("Exit, username: "+username+", session:"+session);
 if( session != null )
 {
 log.info("SessionID: "+session.getId());
 Integer tries = (Integer) session.getAttribute("LOGIN_RETRIES");
 log.info("LOGIN_RETRIES: "+tries);
 if( username != null )
 session.setAttribute("j_username", username);
 }
 }
}

It would be added to the jbossweb-tomcat.sar/META-INF/jboss-service.xml Config attribute like:

 <attribute name="Config">
 <Server>
 <Service name = "JBoss-Tomcat">
 <Engine name="MainEngine" defaultHost="localhost">
 <Logger className = "org.jboss.web.catalina.Log4jLogger"
 verbosityLevel = "debug" category = "org.jboss.web.localhost.Engine"/>
 <Host name="localhost">

 <!-- Access logger -->
 <Valve className = "org.apache.catalina.valves.AccessLogValve"
 prefix = "localhost_access" suffix = ".log"
 pattern = "common" directory = "${jboss.server.home.dir}/log" />
 <Valve className = "org.jboss.sample.FormLoginValve" />

 <!-- Default context parameters -->
 <DefaultContext cookies = "true" crossContext = "true" override = "true" />

 </Host>
 </Engine>
...

2. Re: Disabling User in a JAAS-based J2EE application

tosenthu May 24, 2004 2:28 AM (in response to anbenham)

Can u please tell me where to place this class. means in which jar file. can i have it in my own .ear file, but when i do this it shows an error. that class not found.

Thanks in advance
Actions
3. Re: Disabling User in a JAAS-based J2EE application

starksm64 May 24, 2004 9:24 AM (in response to anbenham)

It has to be in either the server/xxx/lib directory or in the tomcat service sar directory. I cannot be in the application deployment.
Actions

Go to original post