Posted to dev@tomcat.apache.org by Benjamin Cuthbert <be...@yahoo.co.uk> on 2006/05/01 21:33:58 UTC

Security on JDBC Realm new features

All

I am trying to improve the security for authenticating users on my
JDBC realm. What we require is the ability to lock out accounts on
the database when a user enters more than 3 incorrect passwords. Now I
have made some changes to JDBCRealm.java and I would like some comments
on the features that I have added. Could someone from the Tomcat team
have a look at the attached code and configuration file and let me
know if this is the correct way to go about doing this.

Changes -

authenticate: adding in a counter to check how many times a user
gets the incorrect password from the database.
LockAccount: new method to handle the update to the database so that
accounts can be locked.

Testing -

I have tested this on OS X as that is the system I use, but I am going
to do some further testing on Linux as that is what the server
application is installed on.

server.xml config would be:

    <Realm className="org.apache.catalina.realm.JDBCRealm"
           driverName="org.gjt.mm.mysql.Driver"
           connectionURL="jdbc:mysql://localhost/tomcat"
           connectionName="tomcat" connectionPassword="tomcat"
           userTable="users" userNameCol="user_name"
           userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name"
           accstatusCol="accountstatus" acclockouttry="3"/>



Re: Security on JDBC Realm new features

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
With all that said, I think the best option for you is to
- create an extension of the current realm instead of patching the
  existing one
- submit the code
- and if everyone thinks it's useful and the code looks good, we can add it
  to Tomcat and let the user decide if they want to use it

But I don't think modifying the existing realm is gonna fly; many people
are using it, and if it isn't 100% compatible with what it is today,
then no patch will be accepted.

Filip



Benjamin Cuthbert wrote:
> Those are very valid questions.
>
> 1. Yes, so I guess there could be a default value in the code so that
>    it could always be set to 3 unless set by the admin.
> 2. I am not sure how to handle this, as if you only had read access
>    to the database then there would be no way to set this up, unless
>    you created some sort of hashmap in the code to store which users
>    were locked and which were not.
> 3. I was just thinking of using the standard log file output. Did you
>    have something else in mind?
>
> Regards


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Security on JDBC Realm new features

Posted by Benjamin Cuthbert <be...@yahoo.co.uk>.
Those are very valid questions.

1. Yes, so I guess there could be a default value in the code so that
   it could always be set to 3 unless set by the admin.
2. I am not sure how to handle this, as if you only had read access
   to the database then there would be no way to set this up, unless
   you created some sort of hashmap in the code to store which users
   were locked and which were not.
3. I was just thinking of using the standard log file output. Did you
   have something else in mind?

Regards


On 1 May 2006, at 20:44, Filip Hanik - Dev Lists wrote:

> Sounds like a useful feature. Are you considering
>
> 1. That the feature must be 100% backwards compatible, i.e. work if
>    they don't specify the column or the column doesn't exist
> 2. That some database admins might only give you a read-only
>    connection, so the column exists but is not writable
> 3. How to alert a sysadmin if a user has been locked out
>
> Filip
>





Re: Security on JDBC Realm new features

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Sounds like a useful feature. Are you considering

1. That the feature must be 100% backwards compatible, i.e. work if they
   don't specify the column or the column doesn't exist
2. That some database admins might only give you a read-only connection,
   so the column exists but is not writable
3. How to alert a sysadmin if a user has been locked out

Filip
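Filip's three questions above, together with the counter and LockAccount changes from the original post, as an added example that is not Tomcat's JDBCRealm code or the patch under discussion: a standalone Python/sqlite3 model of the lockout logic, with the lockout kept in a gate separate from the credential check so the stock behaviour is untouched when the status column is missing. Table and column names follow the server.xml in the thread; LockoutGate, authenticate and build_demo_db are hypothetical names, and the plain-text password compare mirrors the thread's config rather than being a recommendation.

```python
import hmac
import logging
import sqlite3
LOG = logging.getLogger("jdbcrealm.lockout")
STATUS_COL = "accountstatus"   # the accstatusCol from the thread's server.xml

class LockoutGate:
    def __init__(self, conn, max_tries=3):   # max_tries mirrors acclockouttry="3"
        self.conn, self.max_tries = conn, max_tries
        self.failures, self.memory_locks = {}, set()   # per-user counter; in-memory fallback locks
        cols = [r[1] for r in conn.execute("PRAGMA table_info(users)")]
        self.enabled = STATUS_COL in cols   # point 1: column absent -> stock realm behaviour

    def is_locked(self, user):
        if not self.enabled:
            return False
        row = self.conn.execute(f"SELECT {STATUS_COL} FROM users WHERE user_name = ?", (user,)).fetchone()
        return user in self.memory_locks or (row is not None and row[0] == "locked")

    def record_failure(self, user):   # returns True when this failure locked the account
        if not self.enabled:
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] < self.max_tries:
            return False
        try:   # point 2: the column may exist on a read-only connection
            self.conn.execute(f"UPDATE users SET {STATUS_COL} = 'locked' WHERE user_name = ?", (user,))
            self.conn.commit()
        except sqlite3.OperationalError:
            self.memory_locks.add(user)
        LOG.warning("account %r locked after %d failed logins", user, self.max_tries)  # point 3
        return True

def authenticate(gate, user, password):
    # Plain-text credential compare, as in the thread's config, behind the lockout gate.
    if gate.is_locked(user):
        return False
    row = gate.conn.execute("SELECT user_pass FROM users WHERE user_name = ?", (user,)).fetchone()
    if row is not None and hmac.compare_digest(row[0], password):
        gate.failures.pop(user, None)   # a good login resets the counter
        return True
    gate.record_failure(user)
    return False

def build_demo_db(with_status_col=True):   # constructed sample data: one user alice/secret
    conn = sqlite3.connect(":memory:")
    extra = f", {STATUS_COL} TEXT DEFAULT 'active'" if with_status_col else ""
    conn.execute(f"CREATE TABLE users (user_name TEXT PRIMARY KEY, user_pass TEXT{extra})")
    conn.execute("INSERT INTO users (user_name, user_pass) VALUES ('alice', 'secret')")
    conn.commit()
    return conn
```

Running `PRAGMA query_only = ON` on the sample connection before the third failure stands in for a read-only database grant: the UPDATE fails, the lock is kept in memory, and the warning still fires.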



