Password lockout for JSP app using JDBCRealm account authorisation - advice sought
I have a requirement to implement a password lockout mechanism on a webapp using JSP / Java 5 / Tomcat 5.5.20. Accounts are presently validated using the JDBCRealm mechanism that comes as standard with Tomcat. However, after a security audit we need to ensure that users who have entered an incorrect password are locked out after a number of attempts. Does anyone have any suggestions to implement this? We could make amendments to our backing Java classes, but I am interested to hear if there are any alternative solutions (e.g. Acegi).