I'm using JDBCRealm + LockOutRealm in Tomcat (8, but could switch to 9). This is working all fine, but if a user locks himself out, this is only visible in the logs, not the user facing login error page.
Imagine a user entering his or her password with Caps Lock on a few times, thereby locking the account, then noticing Caps Lock, turning it off and still not being able to log in.
Is there a way to show that the LockOutRealm and not a wrong password is the reason for the unsuccessful logon?
I only see this in catalina.out:
Aug 24, 2018 10:59:15 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "abcd"
Aug 24, 2018 10:59:15 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test ??/test/j_security_check
I did find this answer, which IMHO is the only related answer in the area. But it is from 2011 and there might be a better and easier way to do this now.
Also (way less important), is there a way to unlock a user from an application account / reset LockOutRealm, e.g. by accessing some protected servlet, that does this, with an Admin account? There is an unlock() method, but it does not seem it is designed to be used from within the application, see here.
Just ran into the same problem. Nothing seems to have changed. To add another workaround, I ended up getting the LockOutRealm via reflection, as described here. Of course, this violates the design principle that the app is not supposed to know which realms are in use.
Relevant code:
Then use
realm.isLocked(username) to decide which error message to show. (LockOutRealm might not be the root realm; this depends on the configuration in context.xml.)
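The reflection approach the answer above describes, written out as an added example (this is not the answer's own code, which is not reproduced on the page, and not part of Tomcat). It assumes Tomcat 8.5/9, where the ServletContext handed to the webapp is an ApplicationContextFacade whose private field `context` holds an ApplicationContext, which in turn holds the StandardContext in its own private field `context`; it also assumes `CombinedRealm.getNestedRealms()` exists, so that a LockOutRealm nested below a CombinedRealm in context.xml is still found. Those field names are Tomcat internals, not a public API, and the class names `LockOutRealmLocator` and `loginFailureMessage` are the example's own. catalina.jar must be on the compile classpath (provided scope; at runtime the webapp sees it through the common class loader).

```java
import java.lang.reflect.Field;

import javax.servlet.ServletContext;

import org.apache.catalina.Context;
import org.apache.catalina.Realm;
import org.apache.catalina.realm.CombinedRealm;
import org.apache.catalina.realm.LockOutRealm;

/**
 * Finds the LockOutRealm configured for this web application, wherever it
 * sits in the realm tree, so the login error page can tell a locked-out
 * user apart from one who simply mistyped the password.
 *
 * Hypothetical helper written for this answer. It reaches into Tomcat
 * internals by reflection (private field names checked against the
 * Tomcat 8.5/9 sources) and therefore breaks if those internals change.
 */
public final class LockOutRealmLocator {

    private LockOutRealmLocator() {}

    /** Returns the LockOutRealm for this webapp, or null if none is configured. */
    public static LockOutRealm find(ServletContext servletContext) {
        Context catalinaContext = unwrapCatalinaContext(servletContext);
        return catalinaContext == null ? null : findInTree(catalinaContext.getRealm());
    }

    /**
     * Message for the login error page. Only distinguishes the two cases the
     * question asks about; it does not authenticate anything itself.
     */
    public static String loginFailureMessage(ServletContext servletContext, String username) {
        LockOutRealm lockOutRealm = find(servletContext);
        if (lockOutRealm != null && username != null && lockOutRealm.isLocked(username)) {
            return "Your account is temporarily locked after too many failed logins. "
                 + "Wait for the lockout period to expire or contact an administrator.";
        }
        return "Invalid username or password.";
    }

    /**
     * Depth-first search through CombinedRealm nesting. LockOutRealm itself
     * extends CombinedRealm, so the LockOutRealm check must come first.
     * Assumes CombinedRealm.getNestedRealms() (present in Tomcat 8.5/9).
     */
    static LockOutRealm findInTree(Realm realm) {
        if (realm == null) {
            return null;
        }
        if (realm instanceof LockOutRealm) {
            return (LockOutRealm) realm;
        }
        if (realm instanceof CombinedRealm) {
            for (Realm nested : ((CombinedRealm) realm).getNestedRealms()) {
                LockOutRealm found = findInTree(nested);
                if (found != null) {
                    return found;
                }
            }
        }
        return null;
    }

    /**
     * ApplicationContextFacade.context -> ApplicationContext.context -> StandardContext.
     * Both fields are private; with a SecurityManager enabled setAccessible()
     * will throw and this returns null rather than failing the login page.
     */
    private static Context unwrapCatalinaContext(ServletContext servletContext) {
        try {
            Object applicationContext = readField(servletContext, "context");
            Object standardContext = readField(applicationContext, "context");
            return (Context) standardContext;
        } catch (ReflectiveOperationException | ClassCastException | RuntimeException e) {
            return null;
        }
    }

    private static Object readField(Object target, String name) throws ReflectiveOperationException {
        Field field = target.getClass().getDeclaredField(name);
        field.setAccessible(true);
        return field.get(target);
    }
}
```

On the login error page (or the servlet that forwards to it) call `LockOutRealmLocator.loginFailureMessage(getServletContext(), request.getParameter("j_username"))`. For the second part of the question, the same `find()` result gives you `lockOutRealm.unlock(username)`, which can be called from a servlet placed under a security-constraint for the admin role in web.xml; that is the only access control in front of it, so keep the constraint tight and log who unlocked whom. Caveat before shipping this: telling the user that the account is locked also tells anyone else submitting that form that the account exists and that the lockout threshold has been hit, which is a deliberate trade of a little enumeration resistance for usability.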