Detect a realm authentication failure reason in Tomcat

Question

I wrote a custom Realm for Tomcat 7. I wrap it in the lockout Realm provided by the default installation of Tomcat. The lockout feature works fine, but in my web.xml, I have

<error-page>
    <error-code>403</error-code>
    <location>/forbidden.html</location>
</error-page>

which will direct any users that do not authenticate to the page. However, it also redirects correctly authenticated users to the page if they are locked out. Is there some way I can detect the difference when a user incorrectly authenticates and is locked out?

Recommended answer

It does not look easy. My first idea was subclassing the LockOutRealm and adding something to the request context if the user is locked out which you can print to the user interface later. Unfortunately it will not work because the authenticate methods of the LockOutRealm just got the login and password and there are no request or context objects there.

Another problem is that the authenticate methods return null when the authentication failed and LockOutRealm also does that. There is no difference between the behavior of the LockOutRealm and the behavior of any other realm when the authentication failed.

A workaround: If you are using Servlet 3.0, use the login method of the HttpServletRequest interface, implement the lockout logic yourself and check the count of failed login attempts before your servlets call HttpServletRequest.login(). If it's higher than the limit, don't call login() and print a custom error message.
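The workaround above, sketched as an added example (it is not code from the original answer): the servlet checks its own failure counter before calling HttpServletRequest.login(), so a locked-out user and a failed login end up on different pages. The servlet name, URL mapping, form parameter names, the limit and lockout window, and the /locked.html and /home targets are assumptions; /forbidden.html is the page from the question.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
// Hypothetical servlet: URL, parameter names and redirect targets are assumptions.
@WebServlet("/do-login")
public class LockoutAwareLoginServlet extends HttpServlet {
    private static final int MAX_FAILURES = 5;              // assumed limit
    private static final long LOCKOUT_MS = 5 * 60 * 1000L;  // assumed lockout window
    // username -> {failure count, time of last failure}; guarded by "this"
    private final Map<String, long[]> failures = new HashMap<String, long[]>();

    private synchronized boolean isLocked(String user, long now) {
        long[] rec = failures.get(user);
        return rec != null && rec[0] >= MAX_FAILURES && now - rec[1] < LOCKOUT_MS;
    }

    private synchronized void recordFailure(String user, long now) {
        long[] rec = failures.get(user);
        // Start a fresh record once the previous window has expired
        if (rec == null || now - rec[1] >= LOCKOUT_MS) rec = new long[] {0, now};
        rec[0]++;
        rec[1] = now;
        failures.put(user, rec);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        long now = System.currentTimeMillis();
        // Check the counter BEFORE login(): a locked account never reaches the realm
        if (isLocked(user, now)) {
            resp.sendRedirect(req.getContextPath() + "/locked.html");
            return;
        }
        try {
            req.login(user, pass);                        // delegates to the configured Realm
            synchronized (this) { failures.remove(user); } // success clears the counter
            resp.sendRedirect(req.getContextPath() + "/home");
        } catch (ServletException e) {                     // thrown when authentication fails
            recordFailure(user, now);
            resp.sendRedirect(req.getContextPath() + "/forbidden.html");
        }
    }
}
```

login() also throws ServletException when the request is already authenticated, so a production version should check getUserPrincipal() first. The failure map here is unbounded and counts every submitted username, whether or not the account exists, so the lockout page does not confirm which usernames are real.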
