Setting a Request Attribute from a custom Realm

Setting a Request Attribute from a custom Realm

Tim K
I have a custom realm in which I'm receiving custom messages back within
the realm code and I want to display these messages on the login page,
but I have no idea how this can be accomplished with a custom realm
which is overriding the Principal authenticate method.  Any help would
be appreciated, Tomcat is version 9.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Setting a Request Attribute from a custom Realm

Christopher Schultz-2
Tim,

On 4/7/21 14:22, Tim K wrote:
> I have a custom realm in which I'm receiving custom messages back within
> the realm code and I want to display these messages on the login page,
> but I have no idea how this can be accomplished with a custom realm
> which is overriding the Principal authenticate method.  Any help would
> be appreciated, Tomcat is version 9.

You can't, using the existing API.

You might be able to do it with some nasty ThreadLocal solution, but I
think you are stuck without resorting to legerdemain.

-chris

Re: Setting a Request Attribute from a custom Realm

Tim K
On Wed, Apr 7, 2021, 3:43 PM Christopher Schultz <
[hidden email]> wrote:

> You can't, using the existing API.
>
> You might be able to do it with some nasty ThreadLocal solution, but I
> think you are stuck without resorting to legerdemain.
>
> -chris


Would it be possible to implement a new feature in the existing realm API
so it can accommodate messages passed back to the front end?  For example,
when using the LockOutRealm, is there a way from the front-end to alert the user
that they are actually locked out?

- Tim
Re: Setting a Request Attribute from a custom Realm

Christopher Schultz-2
Tim,

On 4/8/21 09:11, Tim K wrote:

> On Wed, Apr 7, 2021, 3:43 PM Christopher Schultz <
> [hidden email]> wrote:
>
>> You can't, using the existing API.
>>
>> You might be able to do it with some nasty ThreadLocal solution, but I
>> think you are stuck without resorting to legerdemain.
>>
>> -chris
>
>
> Would it be possible to implement a new feature to the existing realm API
> so it can accommodate messages passed back to the front end?

I have some sketches of something like this literally on paper somewhere
around here to create an interface for applications to subscribe to
authentication events. It would, for example, allow you to write a
"failed login" record to your database that includes not only the
username of the user who failed, but also their IP address (which comes
from the request, of course).

Would that kind of thing help in your use-case?

> For example, when using the LockOutRealm, is there a way from the front-end
> to alert the user that they are actually locked out?
No, it doesn't do that. You simply get an authentication failure.

Something I hadn't considered was the potential flexibility of the
JASPIC authenticator, which may be able to do stuff like this. I have
never dived into how all that works.

-chris

Re: Setting a Request Attribute from a custom Realm

Tim K
On Thu, Apr 8, 2021 at 1:38 PM Christopher Schultz
<[hidden email]> wrote:
>
> I have some sketches of something like this literally on paper somewhere
> around here to create an interface for applications subscribe to
> authentication events. It would, for example, allow you to write a
> "failed login" record to your database that includes not only the user's
> username who failed, but also their IP address (which comes from the
> request, of course.
>
> Would that kind of thing help in your use-case?

I'm looking for a way to give more information back to the user if
their account is locked or not...  Right now it's very generic and
that is good from a security perspective, but I need to be able to
tell the user that their account is locked after so many attempts and
they will need to take action to unlock it.

I found this on the web:
https://stackoverflow.com/questions/7584208/detect-a-realm-authentication-failure-reason-in-tomcat

Is the "com.ofc.tomcat.LOGIN_FAILURE_MESSAGE" still around in Tomcat
9?  Not sure how to use it even if it were...

As mentioned in that url, doing a pre-login of sorts before calling
HttpServletRequest.login() may be a workaround to accomplish this, but
then I would need to call my backend authentication service twice for
each login.

-Tim

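The following is an added example, not code from this thread or from Tomcat itself. It spells out the "nasty ThreadLocal solution" Chris mentions in his first reply and shows how it combines with the HttpServletRequest.login() approach Tim brings up in the last post, without calling the backend twice: because Realm.authenticate(String, String) never sees the request, the Realm leaves the failure reason in a ThreadLocal, and the servlet that called request.login() on the same thread copies it into a request attribute before forwarding to the login page. Everything in it is assumed: the package com.example.auth, the hypothetical backend methods isAccountLocked() and lookupPassword(), the attribute name loginMessage and the JSP path /WEB-INF/login.jsp. The classes are nested in one outer class only so that the block compiles as a single file.

```java
package com.example.auth;

import java.io.IOException;
import java.security.Principal;
import java.util.Collections;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Added example (not Tomcat code): hands a failure reason from a custom Realm
 * to the login page through a ThreadLocal, since Realm.authenticate(String,
 * String) has no access to the HttpServletRequest. Nested classes keep this
 * to one file; deploy LoginFailure and MessageRealm in a jar under
 * $CATALINA_BASE/lib and the servlet in the webapp.
 */
public final class LockoutMessageExample {

    /** Per-thread holder for the reason of the last failed authenticate(). */
    public static final class LoginFailure {
        private static final ThreadLocal<String> REASON = new ThreadLocal<>();
        private LoginFailure() {}
        public static void set(String reason) { REASON.set(reason); }
        public static String get()            { return REASON.get(); }
        public static void clear()            { REASON.remove(); }
    }

    /**
     * Custom Realm for Tomcat 9. isAccountLocked() and lookupPassword() are
     * hypothetical stand-ins for the poster's backend authentication service.
     */
    public static class MessageRealm extends RealmBase {

        @Override
        public Principal authenticate(String username, String credentials) {
            LoginFailure.clear();                       // never reuse a stale reason
            if (isAccountLocked(username)) {            // one backend round trip, not two
                LoginFailure.set("Your account is locked after too many failed "
                        + "attempts; you must take action to unlock it.");
                return null;
            }
            Principal p = super.authenticate(username, credentials); // via getPassword()
            if (p == null) {
                LoginFailure.set("Invalid username or password."); // deliberately generic
            }
            return p;
        }

        @Override
        protected String getPassword(String username) {
            return lookupPassword(username);
        }

        @Override
        protected Principal getPrincipal(String username) {
            return new GenericPrincipal(username, null, Collections.singletonList("user"));
        }

        // Hypothetical backend calls (assumption); replace with the real service.
        private boolean isAccountLocked(String username) { return false; }
        private String  lookupPassword(String username)  { return null; }
    }

    /**
     * Programmatic login. request.login() runs the Realm on the calling
     * thread, so the reason left by authenticate() is readable right after it
     * throws and can be turned into the request attribute the JSP displays.
     */
    @WebServlet("/login")
    public static class LoginServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String user = req.getParameter("username");
            String pass = req.getParameter("password");
            try {
                req.login(user, pass);
                resp.sendRedirect(req.getContextPath() + "/home");
            } catch (ServletException failed) {
                String reason = LoginFailure.get();
                req.setAttribute("loginMessage", reason != null ? reason : "Login failed.");
                req.getRequestDispatcher("/WEB-INF/login.jsp").forward(req, resp);
            } finally {
                LoginFailure.clear(); // pooled thread: never let the reason leak to the next request
            }
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, the Realm and the holder class must be loaded by a class loader both Tomcat and the webapp share (in practice a jar under $CATALINA_BASE/lib), otherwise the servlet and the Realm see two different ThreadLocals. Second, if MessageRealm is nested inside a LockOutRealm in server.xml, LockOutRealm's own authenticate() returns null for a locked user before the inner Realm is ever called, which is exactly the generic failure Chris describes; that is why the example does its own lock check against the backend instead. Telling the user "your account is locked" is also, as Tim notes, a small amount of information given away relative to a uniform "invalid username or password", so the example keeps the wrong-password message generic and only distinguishes the locked case.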