Access control on web app
I am making a web app that has a login page (using Facelets with JSF 2.0) which checks credentials before redirecting to an isLoggedIn or error page. I have access to the server that the app is deployed on, and Tomcat is used as the container. I would like to log IP addresses that clearly try to perform brute force attacks. My idea for now is the following, but I am not sure how to get hold of the offending IP, and even if I could it looks a bit clumsy, so what is a standard/good way of doing this? I would prefer not having to use any other implementation of JSF.
During login, write log messages (from beans) using a logging framework to an app-specific logfile in Tomcat's log folder, where failed logins are saved with the offending IP and time.
Create a script that reads the log and checks if any IPs have a high rate of failed attempts. Add these IPs to hosts.deny.
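The second step of the scheme above, the script that reads the failed-login log and decides which addresses to put in hosts.deny, as an added example that is not part of the original question. It assumes a hypothetical line format that the login bean would write, `<ISO timestamp> LOGIN_FAILED user=<name> ip=<addr>`, where the IP comes from `HttpServletRequest.getRemoteAddr()` (the request object is reachable in a JSF bean via `FacesContext.getCurrentInstance().getExternalContext().getRequest()`). The sample log lines are constructed. Two caveats the script is built around: a rate check needs a sliding time window, not a lifetime count, or a legitimate user who mistypes a password a few times a week eventually gets banned; and if Tomcat sits behind a reverse proxy, `getRemoteAddr()` returns the proxy's address, so you would ban your own proxy unless Tomcat's `RemoteIpValve` is configured to unwrap `X-Forwarded-For`. Note also that hosts.deny is only consulted by services built with TCP Wrappers; Tomcat's own connector does not read it, so the same output may need to feed a firewall rule or Tomcat's `RemoteAddrValve` instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format written by the login bean (the question does not fix one):
#   2024-05-01T12:00:00 LOGIN_FAILED user=alice ip=10.0.0.7
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) LOGIN_FAILED "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_failures(lines):
    """Yield (timestamp, ip) for each failed-login line; other lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"), m.group("ip")


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=1)):
    """Return the set of IPs that produced >= threshold failures inside any
    window-long span. A per-IP sliding window is used so that failures spread
    thinly over hours (normal user mistakes) are not flagged."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = set()
    for ts, ip in sorted(parse_failures(lines)):  # log may be appended out of order
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def hosts_deny_lines(ips, whitelist=frozenset({"127.0.0.1"})):
    """Format TCP Wrappers entries ("daemon_list : client_list"). Loopback and
    any whitelisted addresses are never emitted, so a too-low threshold cannot
    lock out local monitoring or an admin's fixed address."""
    return [f"ALL: {ip}" for ip in sorted(ips) if ip not in whitelist]


# Constructed sample log: one attacker, one slow trickle, one clumsy user,
# loopback noise, and an unrelated INFO line.
SAMPLE_LOG = (
    [f"2024-05-01T12:00:{s:02d} LOGIN_FAILED user=admin ip=10.0.0.7" for s in range(0, 30, 5)]
    + [f"2024-05-01T12:{m:02d}:00 LOGIN_FAILED user=admin ip=10.0.0.9" for m in range(0, 50, 10)]
    + [f"2024-05-01T12:00:{s:02d} LOGIN_FAILED user=bob ip=192.168.1.20" for s in (1, 9, 30)]
    + [f"2024-05-01T12:01:{s:02d} LOGIN_FAILED user=test ip=127.0.0.1" for s in range(0, 30, 5)]
    + ["2024-05-01T12:02:00 INFO context started"]
)

if __name__ == "__main__":
    offenders = find_brute_forcers(SAMPLE_LOG)
    print("flagged:", sorted(offenders))
    print("\n".join(hosts_deny_lines(offenders)))
```

Run against the real file with something like `find_brute_forcers(open(path))`; the threshold and window are the knobs to tune against your own traffic before anything is written to hosts.deny.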
If you're using realm authentication, check Tomcat's LockOutRealm. It does not write the hosts.deny file, but it could also prevent brute-force attacks.