My code does not talk to another cluster as I have a single Tomcat only, but just wondering how one would scale.
Maybe the strategy to handle clusters is to write information, such as the list of the users to the number of times they have logged in in the last hour, into a location shared by all machines. In my code below the code is stored in failedAttempts which is a Map<String /*username*/, FailedAttempt> where FailedAttempt represents the number of times the user has logged in in the last hour or whatever. It is in-memory, which is fine for one Tomcat. But we could move this Map into a file that is on a mounted drive available from all Tomcat machines, or we could store it in the database. Either way we have to synchronize writes to the file or database, and I think the database does this automatically, and maybe FileLock will do the job for the files. But anyway, it sounds complicated.

As for my authenticate, it was as follows, although I don't see why this should cause the failure in the subject of this email -- "Connection.close() has already been called during login":

    @Override
    public Principal authenticate(String username, String credentials) {
        // Reset the per-thread "locked out" flag for this request.
        threadUserLockedOut.remove();
        long curTime = System.currentTimeMillis();
        FailedAttempt failedAttempt = failedAttempts.get(username);
        // Already locked out: refuse without consulting the underlying realm.
        if (failedAttempt != null && failedAttempt.checkFailedAttemptsReached(curTime)) {
            threadUserLockedOut.set(Boolean.TRUE);
            return null;
        }
        Principal result = super.authenticate(username, credentials);
        if (result == null) {
            // Failed login: count it, and lock the user out once the limit is reached.
            if (failedAttempt != null) {
                failedAttempt.incNumFailedAttempts();
                if (failedAttempt.maxFailedAttemptsReached()) {
                    failedAttempt.setFirstFailedTime(curTime);
                    logger.warn("User '" + username + "' is locked out after "
                            + MAX_FAILED_ATTEMPTS + " failed attempts");
                    threadUserLockedOut.set(Boolean.TRUE);
                    return null;
                }
            } else {
                // First failure for this user.
                failedAttempt = new FailedAttempt(curTime);
                failedAttempts.put(username, failedAttempt);
            }
        } else {
            // Successful login: forget earlier failures.
            if (failedAttempt != null) {
                failedAttempts.remove(username);
            }
        }
        return result;
    }

--- On Mon, 1/23/12, Christopher Schultz <ch...@christopherschultz.net> wrote:

> From: Christopher Schultz <ch...@christopherschultz.net>
> Subject: Re: Connection.close() has already been called during login
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Date: Monday, January 23, 2012, 12:15 PM
>
> To whom it may concern,
>
> On 1/23/12 2:54 PM, removeps-c...@yahoo.com wrote:
> > Sorry, I did not know about [LockOutRealm]. Will this class work
> > if you have many Tomcats on different machines (possibly load
> > balancing) so regardless of which exact machine the user is
> > directed to, lock realm will know the number of failed login
> > attempts on other machines?
>
> No, neither this nor any other Tomcat realms are cluster-aware.
>
> If you want to track authentication failures across a cluster, you
> could subclass LockOutRealm and override these methods:
>
> - isLocked
> - unlock
> - registerAuthFailure
>
> This will allow you to handle the cluster-sync behavior separately
> from the authentication behavior which this class already handles.
>
> I'm interested in seeing what you come up with for communicating with
> the rest of the cluster.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
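
The shared-location idea discussed in this thread, as an added example that is not code from either poster or from Tomcat: failure counts sit behind a store whose per-key update is atomic, so two nodes counting failures for the same user do not lose increments. The class does not extend LockOutRealm; it only reuses the three operation names from the reply, and SharedLockoutTracker, Failures, the in-memory map standing in for the database or cache, the user name and the limits are all assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

public class SharedLockoutTracker {
    /** Immutable record: failures so far and when the current window started. */
    static final class Failures {
        final int count;
        final long firstFailedAt;
        Failures(int count, long firstFailedAt) { this.count = count; this.firstFailedAt = firstFailedAt; }
    }

    private final ConcurrentMap<String, Failures> store; // stand-in for the shared database or cache
    private final int maxFailures;
    private final long windowMillis;

    SharedLockoutTracker(ConcurrentMap<String, Failures> store, int maxFailures, long windowMillis) {
        this.store = store; this.maxFailures = maxFailures; this.windowMillis = windowMillis;
    }

    boolean isLocked(String username, long now) {
        Failures f = store.get(username);
        return f != null && f.count >= maxFailures && now - f.firstFailedAt < windowMillis;
    }

    void registerAuthFailure(String username, long now) {
        // compute() is an atomic read-modify-write per key; a real shared store needs the
        // same guarantee (e.g. a single UPDATE statement or a transaction), or counts get lost.
        store.compute(username, (u, f) ->
            (f == null || now - f.firstFailedAt >= windowMillis)
                ? new Failures(1, now)                        // first failure, or old window expired
                : new Failures(f.count + 1, f.firstFailedAt));
    }

    void unlock(String username) { store.remove(username); }

    public static void main(String[] args) throws InterruptedException {
        ConcurrentMap<String, Failures> shared = new ConcurrentHashMap<>();
        // Two trackers model two Tomcat nodes; user name, limit and window are constructed values.
        SharedLockoutTracker nodeA = new SharedLockoutTracker(shared, 5, 3_600_000L);
        SharedLockoutTracker nodeB = new SharedLockoutTracker(shared, 5, 3_600_000L);
        Thread a = new Thread(() -> { for (int i = 0; i < 2; i++) nodeA.registerAuthFailure("alice", 1000L); });
        Thread b = new Thread(() -> { for (int i = 0; i < 3; i++) nodeB.registerAuthFailure("alice", 1000L); });
        a.start(); b.start(); a.join(); b.join();
        System.out.println("locked on A: " + nodeA.isLocked("alice", 2000L));
        System.out.println("locked after window: " + nodeB.isLocked("alice", 1000L + 3_600_000L));
        nodeA.unlock("alice"); // a successful login on any node clears the shared record
        System.out.println("locked on B after unlock: " + nodeB.isLocked("alice", 2000L));
    }
}
```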