
Access control on web app

I am making a web app that has a login page (using Facelets with JSF 2.0) which checks credentials before redirecting to an isLoggedIn or error page. I have access to the server that the app is deployed on, and Tomcat is used as the container. I would like to log IP addresses that clearly try to perform brute force attacks. My idea for now is the following, but I am not sure how to get hold of the offending IP, and even if I could it looks a bit clumsy, so what is a standard/good way of doing this? I would prefer not having to use any other implementation of JSF.

  • During login, write log messages (from beans) using a logging framework to an app-specific logfile in Tomcat's log folder, where failed logins are saved with the offending IP and time.

  • Create a script that reads the log and checks if any IPs have a high rate of failed attempts. Add these IPs to hosts.deny.
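The second step of the plan above, as an added example (not code from the question or the answer): a script that reads the app-specific failed-login log and flags IPs whose failures exceed a threshold inside a sliding time window, which is what you would feed into hosts.deny. The log line format is a hypothetical one the login bean would write (timestamp, outcome, `ip=`, `user=`); the sample log is constructed. If Tomcat sits behind a reverse proxy, the address the bean sees is the proxy's, so the bean must log the client address the proxy forwards, or every flag will point at the proxy.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical line format written by the login bean (assumption, not from the page):
# "2011-03-01 10:00:01 LOGIN_FAILED ip=203.0.113.5 user=bob"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN_FAILED ip=(?P<ip>\S+)"
)

def parse_failures(lines):
    """Yield (timestamp, ip) for each failed-login line; other lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def offending_ips(lines, threshold=5, window=timedelta(minutes=10)):
    """Return the set of IPs with >= threshold failures inside any sliding window.

    Lines are assumed to be in chronological order, as an appended log is.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    for ts, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # evict failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

# Constructed sample log: one host hammering the form, one user mistyping twice.
SAMPLE_LOG = [
    "2011-03-01 10:00:01 LOGIN_FAILED ip=203.0.113.5 user=admin",
    "2011-03-01 10:00:02 LOGIN_FAILED ip=203.0.113.5 user=admin",
    "2011-03-01 10:00:02 LOGIN_OK ip=198.51.100.7 user=alice",
    "2011-03-01 10:00:03 LOGIN_FAILED ip=203.0.113.5 user=root",
    "2011-03-01 10:00:04 LOGIN_FAILED ip=203.0.113.5 user=test",
    "2011-03-01 10:05:00 LOGIN_FAILED ip=198.51.100.7 user=alice",
    "2011-03-01 10:06:00 LOGIN_FAILED ip=198.51.100.7 user=alice",
    "2011-03-01 10:09:59 LOGIN_FAILED ip=203.0.113.5 user=guest",
]

if __name__ == "__main__":
    for ip in sorted(offending_ips(SAMPLE_LOG)):
        print(f"{ip}\t# candidate for hosts.deny")
```

Run it from cron against the logfile in Tomcat's log folder (`offending_ips(open(path))`) and append the result to hosts.deny; the window keeps a user who mistypes a password a few times from being banned alongside a real attacker.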


If you're using realm authentication, check Tomcat's LockOutRealm. It does not write the hosts.deny file, but it could also prevent brute-force attacks.
