The whole point of Realms is that they are completely plug-replaceable and externally applied, so there's no provision for a webapp to invoke any of the methods in a Realm.
It's also, incidentally not a good idea for your webapp to be able to manage its realm. For one thing, that introduces the possibility that an exploit could work its way upstream into the server. For another, in the case of a lockout realm, if the only unlocking mechanism is within the app and you're locked out of the app...
There's not a whole lot of documentation on games you can play with LockoutRealm, but the unlock method is a public member method, so some possibilities include:
1. Getting the Realm's mbean and invoking unlock on the mbean. You may be able to obtain that programmatically via
Tomcat's management
EJB, but that's just a guess. If not, the stock MBean locator can definitely be used, as this Realm registers itself with Tomcat's internal MBean manager.
2. Writing a management webapp similar to the pre-supplied admin and manager apps that come with Tomcat that roots around inside Tomcat to obtain the Realm bean so you can invoke unlock(). This is different than doing the same thing in your primary webapp because (hopefully!) access to this management app will be more tightly controlled and since it's running under a different classpath environment, possible leakage from unauthorized parts of the app are reduced (since there may not be any unauthorized parts of the management app).
3. Subclass the Lockout Realm and institute your own control interface in the subclass realm.
