disclaimer: I'm thinking out loud.
The 'thing' that does the authentication is the Tomcat container. So you'd need to keep track of login attempts through BASIC auth through there, right?
Also.. is there such a thing as a Session before a user logs in? I know there is jsessionid when browsers don't have cookies. But BASIC auth happens (or should?) before this point. Or does it?
More questions.. no answers.