Thursday, March 22, 2007

Returning login failure reason in a Tomcat Realm

When Tomcat authenticates a user via its Realm, there is no way for the Realm to tell the application the exact reason for a failure. The Realm either succeeds and returns a Principal object or fails and returns null. So, when I needed to implement account lockout after several unsuccessful logins, I couldn't show the user the difference between a wrong password and a locked-out account.

Digging deeper into the Tomcat code, I found that the Realm is invoked from the FormAuthenticator Valve. It is possible to extend the Valve so that, in case of an authentication failure, it adds the failure reason as an HttpServletRequest attribute before forwarding to the error page. More details are in the ExtendedStatusFormAuthenticator code.
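The mechanism described above, as an added example rather than the post's own ExtendedStatusFormAuthenticator: the base FormAuthenticator calls forwardToErrorPage only after Realm.authenticate() has returned null, so a subclass can override that method, decide on a reason and store it as a request attribute, then let the base class forward. Because the error page is reached by a RequestDispatcher forward, the attribute is visible to it. The code is written against the Tomcat 7 authenticator API (authenticate(Request, HttpServletResponse, LoginConfig) and org.apache.catalina.deploy.LoginConfig); Tomcat 5.5/6 and 8.5+ use different signatures. The class name, package, attribute name and reason strings are hypothetical, and the lockout counter is kept in the valve only to make the example self-contained; the post does not say where the author kept it.

```java
// Added example, not the post's ExtendedStatusFormAuthenticator.
// Targets the Tomcat 7 authenticator API; other versions differ in signatures.
package com.example.tomcat;   // hypothetical package

import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;

/**
 * FormAuthenticator that tells the form-error-page why a login failed by
 * setting a request attribute before the base class forwards to that page.
 */
public class FailureReasonFormAuthenticator extends FormAuthenticator {

    /** Request attribute read by the error page (hypothetical name). */
    public static final String REASON_ATTR = "com.example.auth.failureReason";
    public static final String REASON_BAD_CREDENTIALS = "bad_credentials";
    public static final String REASON_LOCKED = "account_locked";

    // Consecutive failures per username. Tomcat sets bean properties from the
    // Valve element's attributes, so maxFailures="..." in the Context configures this.
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();
    private int maxFailures = 5;

    public void setMaxFailures(int maxFailures) { this.maxFailures = maxFailures; }
    public int getMaxFailures() { return maxFailures; }

    @Override
    public boolean authenticate(Request request, HttpServletResponse response,
                                LoginConfig config) throws IOException {
        // Only the credential submission (POST to j_security_check) carries a username.
        String uri = request.getDecodedRequestURI();
        boolean loginAction = uri != null && uri.endsWith(Constants.FORM_ACTION);
        String username = loginAction ? request.getParameter(Constants.FORM_USERNAME) : null;

        if (username != null && isLocked(username)) {
            // Locked: do not consult the Realm at all, so a correct password neither
            // unlocks the account nor reveals whether it was correct.
            request.setAttribute(REASON_ATTR, REASON_LOCKED);
            forwardToErrorPage(request, response, config);
            return false;
        }

        boolean result = super.authenticate(request, response, config);

        if (username != null) {
            // On a successful login action the base class stores the Principal as a
            // session note and redirects (returning false), so success is detected here.
            Session session = request.getSessionInternal(false);
            if (session != null && session.getNote(Constants.FORM_PRINCIPAL_NOTE) != null) {
                failures.remove(username);
            }
        }
        return result;
    }

    @Override
    protected void forwardToErrorPage(Request request, HttpServletResponse response,
                                      LoginConfig config) throws IOException {
        // The base class reaches this only after Realm.authenticate() returned null.
        if (request.getAttribute(REASON_ATTR) == null) {
            String username = request.getParameter(Constants.FORM_USERNAME);
            request.setAttribute(REASON_ATTR, recordFailure(username));
        }
        super.forwardToErrorPage(request, response, config);
    }

    /** Counts one more failure for the user and returns the reason to display. */
    private String recordFailure(String username) {
        if (username == null) {
            return REASON_BAD_CREDENTIALS;
        }
        int count = failures.merge(username, 1, Integer::sum);
        return count >= maxFailures ? REASON_LOCKED : REASON_BAD_CREDENTIALS;
    }

    private boolean isLocked(String username) {
        Integer count = failures.get(username);
        return count != null && count >= maxFailures;
    }
}
```

Authenticator valves are configured per web application, so this class is registered as a Valve element inside the Context (context.xml or the application's META-INF/context.xml), where it replaces the FormAuthenticator Tomcat would otherwise install for FORM login. The page named in form-error-page then reads the reason with request.getAttribute("com.example.auth.failureReason"). The in-memory counter never expires and is local to one JVM; a production version needs expiry and, in a cluster, shared state, which is what later Tomcat releases provide in the realm itself with LockOutRealm.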

1 comment:

Unknown said...

How do you register this new valve? What I did is edit server.xml, find the Engine element, and underneath it is a Realm element, so just before the Realm element as a direct child of Engine I inserted

<Valve className="com.ofc.tomcat.ExtendedStatusFormAuthenticator"/>

But Tomcat throws an error when starting up. The error regards a parse exception of server.xml.