Discussion:
user lockout realm, logging ip addresses
Alex O'Ree
2018-08-18 01:58:04 UTC
Is it possible to configure the user lockout realm to log what IP address
the failed login attempt came from? I know the information needed will also
be in the access log but adding it to the "attempt to login from a locked
account" message would be super helpful. Would it be more advisable to
extend the existing lockout realm and modify the log statements myself?
Olaf Kock
2018-08-18 09:36:36 UTC
Post by Alex O'Ree
Is it possible to configure the user lockout realm to log what IP address
the failed login attempt came from? I know the information needed will also
be in the access log but adding it to the "attempt to login from a locked
account" message would be super helpful. Would it be more advisable to
extend the existing lockout realm and modify the log statements myself?
Looking at the source here:
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/realm/LockOutRealm.java#L216
and here:
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/realm/LocalStrings.properties#L91,
you can't configure it. But the realm is simple and you can roll your own.

Is it advisable? If you want that information in this log message: It
might be your only option. You'll have to decide how intensely you'd
like to have it.

Olaf

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
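
Since the lockout message itself cannot be configured, the source address has to be recovered from the access log, as the original question notes. The following is an added example (not from the thread or from Tomcat) that joins the two logs on request thread name and timestamp. The sample lines are constructed, and it assumes an access log pattern ending in %I, both logs in UTC, BASIC or DIGEST authentication so the rejected request is a 401, and a lockout message containing "locked user [name]".

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines. Assumed formats: catalina log in Tomcat's one-line
# layout, UTC; access log pattern '%h %l %u %t "%r" %s %b %I' (%I = thread name).
# The lockout message wording is assumed; check LocalStrings.properties.
CATALINA_LOG = """\
18-Aug-2018 01:58:04.512 WARNING [http-nio-8080-exec-3] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [alice]
18-Aug-2018 01:58:09.040 INFO [http-nio-8080-exec-5] com.example.App.start unrelated message
"""
ACCESS_LOG = """\
198.51.100.7 - - [18/Aug/2018:01:58:04 +0000] "GET /app/secure HTTP/1.1" 401 669 http-nio-8080-exec-3
203.0.113.9 - bob [18/Aug/2018:01:58:04 +0000] "GET /app/home HTTP/1.1" 200 1024 http-nio-8080-exec-4
198.51.100.7 - - [18/Aug/2018:02:10:00 +0000] "GET /app/secure HTTP/1.1" 401 669 http-nio-8080-exec-3
"""

LOCKED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} \w+ \[(?P<thread>[^\]]+)\] "
    r"\S*LockOutRealm\S* .*locked user \[(?P<user>[^\]]*)\]")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+ (?P<thread>\S+)$')


def locked_attempts(catalina_text):
    """Yield (timestamp, thread, user) for each lockout message."""
    for line in catalina_text.splitlines():
        m = LOCKED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            yield ts.replace(tzinfo=timezone.utc), m["thread"], m["user"]


def correlate(catalina_text, access_text, window=timedelta(seconds=2)):
    """Return (user, ip) pairs; ip is None when no access-log line matches."""
    rejected = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["status"] == "401":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rejected.append((ts, m["thread"], m["ip"]))
    results = []
    for ts, thread, user in locked_attempts(catalina_text):
        # Same worker thread and near-identical time identifies the request.
        ip = next((ip for rts, rthread, ip in rejected
                   if rthread == thread and abs(rts - ts) <= window), None)
        results.append((user, ip))
    return results
```

A `None` address means no rejected request was found on that thread inside the window, which usually points to a pattern or time zone mismatch between the two logs.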
Mark Thomas
2018-08-18 09:46:10 UTC
Post by Olaf Kock
Post by Alex O'Ree
Is it possible to configure the user lockout realm to log what IP address
the failed login attempt came from? I know the information needed will also
be in the access log but adding it to the "attempt to login from a locked
account" message would be super helpful. Would it be more advisable to
extend the existing lockout realm and modify the log statements myself?
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/realm/LockOutRealm.java#L216
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/realm/LocalStrings.properties#L91,
you can't configure it. But the realm is simple and you can roll your own.
Is it advisable? If you want that information in this log message: It
might be your only option. You'll have to decide how intensely you'd
like to have it.
You need this too:
https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

Mark

Christopher Schultz
2018-08-18 11:59:08 UTC
Mark and Alex,
Post by Mark Thomas
Post by Olaf Kock
Post by Alex O'Ree
Is it possible to configure the user lockout realm to log what IP address
the failed login attempt came from? I know the information needed will also
be in the access log but adding it to the "attempt to login from a locked
account" message would be super helpful. Would it be more advisable to
extend the existing lockout realm and modify the log statements myself?
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/realm/LockOutRealm.java#L216
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/realm/LocalStrings.properties#L91,
you can't configure it. But the realm is simple and you can roll your own.
Is it advisable? If you want that information in this log message: It
might be your only option. You'll have to decide how intensely you'd
like to have it.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
I still fully intend to flesh this out.

Gotta finish a big project at $work first though.

-chris

Alex O'Ree
2018-08-18 12:20:18 UTC
Cool beans. I can do a PR if there's interest.

Alex O'Ree
2018-08-18 13:58:23 UTC
After looking at the code, it's not a simple one-liner and would require a
number of API changes. I was able to get it working, but it is a large
change set. Anyone that extends or builds a custom one of these:
- Realm
- AuthenticatorBase
requires some changes. They are quick to make but it's a large impact. I'm
not sure how this community feels about API changes and backwards
compatibility.

For the PR, do you all have a branch naming strategy?
Alex O'Ree
2018-08-18 21:28:30 UTC
Ok, I've picked up Chris's patch and was able to cobble together something.
Is there any guidance as to how a web app can subscribe to something like
this? I was thinking a singleton class with a register/unregister, but I'm
not sure how the tc community feels about singletons. It could also cause
some issues with webapps unloading and causing classloader leaks. It would
probably be better to have a registration hook somewhere in catalina
servlet land. Basically a webapp can cast the servlet context to a Tomcat
class then register its own listener. Standard context perhaps?