3 Replies Latest reply on May 24, 2004 9:24 AM by Scott Stark

    Disabling User in a JAAS-based J2EE application

    anis Newbie


      I have a working JAAS-based J2EE application. the login works using the j_security_check servlet.

      I want now to disable a user account if the user gives 3 times a wrong password.

      The problem is how/where to memorize the information about each login try?
      the first location where I get something is in my loginmodule. But there I have no possiblity to write in whatever context, for instance the application context.

      in the loginerror-page i donýt know who has made the wrong login try.

      Any ideas about this?

        • 1. Re: Disabling User in a JAAS-based J2EE application
          Scott Stark Master

          You would need to create a custom tomcat valve to track this info. Here is an example that make the j_username request attribute available to the session as a j_username attribute for use in the login/error pages.

          package org.jboss.sample.security;
          import java.io.IOException;
          import javax.servlet.ServletException;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpSession;
          import org.apache.catalina.valves.ValveBase;
          import org.apache.catalina.Request;
          import org.apache.catalina.Response;
          import org.apache.catalina.ValveContext;
          import org.apache.log4j.Logger;
          /** A valve that simply associates the j_username with the session
           * under the attribute name j_username for use by login.jsp/error.jsp
           * @author Scott.Stark@jboss.org
           * @version $Revision:$
          public class FormLoginValve
           extends ValveBase
           static Logger log = Logger.getLogger(FormLoginValve.class);
           public void invoke(Request request, Response response, ValveContext context)
           throws IOException, ServletException
           HttpServletRequest httpRequest = (HttpServletRequest) request.getRequest();
           String username = httpRequest.getParameter("j_username");
           HttpSession session = httpRequest.getSession(false);
           log.info("Entry, username: "+username+", session:"+session);
           if( session != null )
           session.setAttribute("j_username", username);
           context.invokeNext(request, response);
           username = httpRequest.getParameter("j_username");
           session = httpRequest.getSession(false);
           log.info("Exit, username: "+username+", session:"+session);
           if( session != null )
           log.info("SessionID: "+session.getId());
           Integer tries = (Integer) session.getAttribute("LOGIN_RETRIES");
           log.info("LOGIN_RETRIES: "+tries);
           if( username != null )
           session.setAttribute("j_username", username);

          It would be added to the jbossweb-tomcat.sar/META-INF/jboss-service.xml Config attribute like:

           <attribute name="Config">
           <Service name = "JBoss-Tomcat">
           <Engine name="MainEngine" defaultHost="localhost">
           <Logger className = "org.jboss.web.catalina.Log4jLogger"
           verbosityLevel = "debug" category = "org.jboss.web.localhost.Engine"/>
           <Host name="localhost">
           <!-- Access logger -->
           <Valve className = "org.apache.catalina.valves.AccessLogValve"
           prefix = "localhost_access" suffix = ".log"
           pattern = "common" directory = "${jboss.server.home.dir}/log" />
           <Valve className = "org.jboss.sample.FormLoginValve" />
           <!-- Default context parameters -->
           <DefaultContext cookies = "true" crossContext = "true" override = "true" />

          • 2. Re: Disabling User in a JAAS-based J2EE application
            Senthil Kumar M Rangaswamy Newbie

            Can u please tell me where to place this class. means in which jar file. can i have it in my own .ear file, but when i do this it shows an error. that class not found.

            Thanks in advance

            • 3. Re: Disabling User in a JAAS-based J2EE application
              Scott Stark Master

              It has to be in either the server/xxx/lib directory or in the tomcat service sar directory. I cannot be in the application deployment.