"Christopher Schultz" <ch...@christopherschultz.net> wrote in message news:4b2aa7c4.1060...@christopherschultz.net... > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Fidelis, > > On 12/17/2009 3:42 PM, Fidelis Mnyanyi wrote: >> Thanks Konstantin for your response. I tried to use AccessLogValve, >> but noticed I can only capture successful logins. I would like to be >> able to capture all unsuccessful attempts as well for security-audit >> reasons, is this possible through Tomcat? > > Really? Tomcat doesn't log requests to j_security_check through > AccessLogValve? >
Unless you are configuring the FormAuthenticator yourself, it should log j_security_check (since the default behavior is to add FormAuthenticator after any Valve in context.xml).

> Note that AccessLogValve will not directly log "failed logins": it only
> logs HTTP requests and their statuses, etc. You will have to deduce from
> the status code what happened during the request.
>

In particular, a 302 status code means success, and a 200 status code means failure (or, rather, whatever status code the error page returns).

> If you want to actually log failed logins, you'll need to use something
> other than the standard realms Tomcat provides (except maybe
> JAASRealm... I've never used that one but it appears that it is much
> more flexible than the other realm implementations).
>
> -chris
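The status-code heuristic described in the message above, written out as an added example that is not part of the original thread. It assumes the AccessLogValve uses the `common` pattern (`%h %l %u %t "%r" %s %b`); the `/app` context path and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def login_attempts(lines):
    """Yield (host, time, outcome) for each POST to j_security_check."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and any ;jsessionid= path parameter.
        path = m["uri"].split("?", 1)[0].split(";", 1)[0]
        if not path.endswith("/j_security_check"):
            continue
        # Heuristic from the thread: 302 = success; any other status
        # (whatever the error page returns, typically 200) = failure.
        outcome = "success" if m["status"] == "302" else "failure"
        yield m["host"], m["time"], outcome

def failures_by_host(lines):
    """Count failed form logins per remote host for audit review."""
    return Counter(h for h, _, o in login_attempts(lines) if o == "failure")

# Constructed sample log lines (not from a real server).
SAMPLE = [
    '192.0.2.10 - - [17/Dec/2009:15:40:01 -0500] "GET /app/login.jsp HTTP/1.1" 200 1432',
    '192.0.2.10 - - [17/Dec/2009:15:40:09 -0500] "POST /app/j_security_check HTTP/1.1" 200 1510',
    '192.0.2.10 - - [17/Dec/2009:15:40:15 -0500] "POST /app/j_security_check;jsessionid=ABC123 HTTP/1.1" 200 1510',
    '198.51.100.7 - - [17/Dec/2009:15:41:02 -0500] "POST /app/j_security_check HTTP/1.1" 302 -',
    '192.0.2.10 - - [17/Dec/2009:15:41:30 -0500] "POST /app/j_security_check HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for host, when, outcome in login_attempts(SAMPLE):
        print(f"{when} {host} {outcome}")
    print(dict(failures_by_host(SAMPLE)))
```

The access log records only the request and its status, so this gives the source address and time of a failed attempt but not the username that was tried.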