We have a custom javax.security.auth.spi.LoginModule used for web services as well as some web applications on a Weblogic 11g.

The goal is to record information regarding logins when going through the LoginModule, especially failed logins. Part of the desired information is the IP address that the authentication request came from. The problem I’m finding is I’m not sure how to get this information into the LoginModule.

Currently the LoginModule just verifies that the specified username and password match the values stored in a JDBC database. If the authentication fails it increments a counter to track the number of failed logins for that user, if they exist as a valid user. The username and password are passed in, if I understand it correctly, via the CallbackHandler that is specified during the initialize method. I’m not clear how these values get into the CallbackHandler at first and how to specify other dynamic content such as the request’s originating IP address. Through debugging I’ve found that the CallbackHandler does indeed have the request in the following chain: handler.ch.delegate.contextHandler.requestElement but I do not see how to get access to any of that from the CallbackHandler interface.

I researched some on AuditProviders and the like, finding one example that logged the HTTP method, so I would imagine that getting additional information from the HTTP Request would be possible, I’ve just not yet discovered it. However I will have to modify our custom Security Provider to create the AuditEvents to be audited. Part of that would be providing the Request, which gets us back to the initial problem of accessing the HttpServletRequest from within a LoginModule.

I tried implementing a ServletAuthenticationFilter as part of our Security Provider, but it seems that is call BEFORE authentication, which does not help us in capturing failed login attempts.

I’m relatively new to developing/modifying the security providers so basic examples/explanations are best.

Thanks!