diff --git a/appserver/admingui/common/src/main/java/org/glassfish/admingui/common/security/AdminConsoleAuthModule.java b/appserver/admingui/common/src/main/java/org/glassfish/admingui/common/security/AdminConsoleAuthModule.java
index 98bd3075748..4d43fd92499 100644
--- a/appserver/admingui/common/src/main/java/org/glassfish/admingui/common/security/AdminConsoleAuthModule.java
+++ b/appserver/admingui/common/src/main/java/org/glassfish/admingui/common/security/AdminConsoleAuthModule.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation. All rights reserved.
+ * Copyright (c) 2022, 2026 Contributors to the Eclipse Foundation. All rights reserved.
  * Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -17,9 +17,11 @@
 
 package org.glassfish.admingui.common.security;
 
+import com.sun.enterprise.config.serverbeans.Config;
 import com.sun.enterprise.config.serverbeans.Domain;
 import com.sun.enterprise.config.serverbeans.SecureAdmin;
 import com.sun.enterprise.security.SecurityServicesUtil;
+import com.sun.enterprise.util.net.NetUtils;
 
 import jakarta.security.auth.message.AuthException;
 import jakarta.security.auth.message.AuthStatus;
@@ -56,6 +58,7 @@
 import org.glassfish.admingui.common.util.RestUtil;
 import org.glassfish.common.util.InputValidationUtil;
 import org.glassfish.grizzly.config.dom.NetworkListener;
+import org.glassfish.grizzly.config.dom.Protocol;
 import org.glassfish.hk2.api.ServiceLocator;
 import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature;
 
@@ -120,10 +123,8 @@ public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy
                 throw new AuthException(
                         "'loginErrorPage' " + "must be supplied as a property in the provider-config " + "in the domain.xml file!");
             }
-            ServiceLocator habitat = SecurityServicesUtil.getInstance().getHabitat();
-            Domain domain = habitat.getService(Domain.class);
-            NetworkListener adminListener = domain.getServerNamed("server").getConfig().getNetworkConfig()
-                    .getNetworkListener("admin-listener");
+            ServiceLocator habitat = getServiceLocator();
+            NetworkListener adminListener = getAdminListener();
             SecureAdmin secureAdmin = habitat.getService(SecureAdmin.class);
 
             final String host = adminListener.getAddress();
@@ -133,6 +134,16 @@ public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy
         }
     }
 
+    private static ServiceLocator getServiceLocator() {
+        return SecurityServicesUtil.getInstance().getHabitat();
+    }
+
+    private static NetworkListener getAdminListener() {
+        Config config = getServiceLocator().getService(Domain.class)
+                .getServerNamed("server").getConfig();
+        return config.getAdminListener();
+    }
+
     /**
      *
      */
@@ -206,10 +217,15 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject
         Client client2 = RestUtil.initialize(ClientBuilder.newBuilder()).build();
         WebTarget target = client2.target(restURL);
         target.register(HttpAuthenticationFeature.basic(username, new String(password)));
+
+        // Get the real remote host, checking for proxy headers if behind a reverse proxy
+        String remoteHost = getRemoteHost(request);
         MultivaluedMap payLoad = new MultivaluedHashMap();
-        payLoad.putSingle("remoteHostName", request.getRemoteHost());
+        payLoad.putSingle("remoteHostName", remoteHost);
 
-        Response resp = target.request(RESPONSE_TYPE).post(Entity.entity(payLoad, MediaType.APPLICATION_FORM_URLENCODED), Response.class);
+        Response resp = target.request(RESPONSE_TYPE)
+                .header("X-GlassFish-Remote-Host", remoteHost)
+                .post(Entity.entity(payLoad, MediaType.APPLICATION_FORM_URLENCODED), Response.class);
         RestResponse restResp = RestResponse.getRestResponse(resp);
         Arrays.fill(password, ' ');
         // Check to see if successful..
@@ -270,7 +286,11 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject
             return AuthStatus.SEND_CONTINUE;
         } else {
             int status = restResp.getResponseCode();
-            if (status == 403) {
+            if (status == 429) {
+                // Too many concurrent requests - rate limited
+                request.setAttribute("errorText", GuiUtil.getMessage("alert.AuthenticationFailed"));
+                request.setAttribute("messageText", GuiUtil.getMessage("alert.TryAgainLater"));
+            } else if (status == 403) {
                 request.setAttribute("errorText", GuiUtil.getMessage("alert.ConfigurationError"));
                 request.setAttribute("messageText", GuiUtil.getMessage("alert.EnableSecureAdmin"));
             }
@@ -301,4 +321,31 @@ public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthEx
     private boolean isMandatory(MessageInfo messageInfo) {
         return Boolean.valueOf((String) messageInfo.getMap().get("jakarta.security.auth.message.MessagePolicy.isMandatory"));
     }
+
+    /**
+     * Gets the real remote host, checking for proxy headers if behind a reverse proxy.
+     * Only uses proxy headers when behindProxy is enabled in configuration.
+     */
+    private String getRemoteHost(HttpServletRequest request) {
+        // Check if behind proxy is enabled
+        Protocol protocol = getAdminListener().findHttpProtocol();
+        boolean behindProxy = protocol != null && protocol.getHttp() != null
+                && protocol.getHttp().isBehindProxy();
+
+        return NetUtils.getRemoteHost(
+            new NetUtils.RequestInfoProvider() {
+                    @Override
+                    public String getHeader(String name) {
+                        return request.getHeader(name);
+                    }
+
+                    @Override
+                    public String getRemoteHost() {
+                        return request.getRemoteHost();
+                    }
+
+                },
+            behindProxy
+        );
+    }
 }
diff --git a/appserver/admingui/core/src/main/resources/org/glassfish/admingui/core/Strings.properties b/appserver/admingui/core/src/main/resources/org/glassfish/admingui/core/Strings.properties
index 8db4a34c015..81532381ec0 100644
--- a/appserver/admingui/core/src/main/resources/org/glassfish/admingui/core/Strings.properties
+++ b/appserver/admingui/core/src/main/resources/org/glassfish/admingui/core/Strings.properties
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2023 Contributors to the Eclipse Foundation.
+# Copyright (c) 2023, 2026 Contributors to the Eclipse Foundation.
 # Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
 #
 # This program and the accompanying materials are made available under the
@@ -1016,6 +1016,7 @@ alert.AuthenticationFailed=Authentication Failed
 alert.ReenterUsernamePassword=Re-enter your username and password
 alert.ConfigurationError=Configuration Error
 alert.EnableSecureAdmin=Secure Admin must be enabled to access the DAS remotely.
+alert.TryAgainLater=Authentication refused, try again later.
 
 ## Recover Transactions
 headings.recoverTransactions=Recover Transactions
diff --git a/appserver/admingui/web/src/main/resources/grizzly/http.layout b/appserver/admingui/web/src/main/resources/grizzly/http.layout
index ddcd9ce8d6c..b3eb7ba8c13 100644
--- a/appserver/admingui/web/src/main/resources/grizzly/http.layout
+++ b/appserver/admingui/web/src/main/resources/grizzly/http.layout
@@ -1,5 +1,6 @@
 <!--
 
+    Copyright (c) 2022, 2026 Contributors to the Eclipse Foundation
     Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
 
     This program and the accompanying materials are made available under the
@@ -56,7 +57,7 @@
         setPageSessionAttribute(key="valueMap" value="#{pageSession.httpMap}");
         setPageSessionAttribute(key="convertToFalseList" 
             value={"uploadTimeoutEnabled", "cometSupportEnabled", "dnsLookupEnabled", "rcmSupportEnabled", "traceEnabled", "authPassThroughEnabled", 
-            "chunkingEnabled", "encodedSlashEnabled", "websocketsSupport", "xpoweredBy" });
+            "chunkingEnabled", "encodedSlashEnabled", "websocketsSupport", "xpoweredBy", "behindProxy" });
 
         //set the following for including buttons.inc
         
diff --git a/appserver/admingui/web/src/main/resources/grizzly/httpAttr.inc b/appserver/admingui/web/src/main/resources/grizzly/httpAttr.inc
index e1ff430bee2..fc61b0f4e83 100644
--- a/appserver/admingui/web/src/main/resources/grizzly/httpAttr.inc
+++ b/appserver/admingui/web/src/main/resources/grizzly/httpAttr.inc
@@ -30,6 +30,10 @@
             <sun:textField id="ServerName" columns="$int{50}" maxLength="#{sessionScope.fieldLengths['maxLength.http.serverName']}" text="#{pageSession.httpMap['serverName']}" />
         </sun:property>
 
+        <sun:property id="behindProxy"  labelAlign="left" noWrap="#{true}" overlapLabel="#{false}" label="$resource{i18n_web.http.BehindProxy}" helpText="$resource{i18n_web.http.BehindProxyHelp}" >
+            <sun:checkbox id="behindProxyEnabled" label="$resource{i18n_web.common.enabled}" selected="#{pageSession.httpMap['behindProxy']}" selectedValue="true" />
+        </sun:property>
+
         <sun:property id="DefaultVirtServersProp"  labelAlign="left" noWrap="#{true}" overlapLabel="#{false}" label="$resource{i18n_web.http.defVirtualServerLabel}" helpText="$resource{i18n_web.http.defVirtualServerLabelHelp}">
             <sun:dropDown id="vs" selected="#{pageSession.httpMap['defaultVirtualServer']}" labels="$pageSession{vsList}"  values="$pageSession{vsList}" />
         </sun:property>
diff --git a/appserver/admingui/web/src/main/resources/org/glassfish/web/admingui/Strings.properties b/appserver/admingui/web/src/main/resources/org/glassfish/web/admingui/Strings.properties
index b75ed8b3cb6..35aea5dd8ba 100644
--- a/appserver/admingui/web/src/main/resources/org/glassfish/web/admingui/Strings.properties
+++ b/appserver/admingui/web/src/main/resources/org/glassfish/web/admingui/Strings.properties
@@ -275,6 +275,8 @@ http.EncodedSlash=Encoded Slash:
 http.EncodedSlashHelp=Allow encoded slash in URIs
 http.WebsocketsSupport=Websockets Support:
 http.WebsocketsSupportHelp=
+http.BehindProxy=Behind Proxy:
+http.BehindProxyHelp=Enable when GlassFish is behind a reverse proxy to read client IP from X-Real-IP and X-Forwarded-For headers
 http.MaxSavePostSize=Max Save Post Size
 http.MaxSavePostSizeHelp=Maximum size of a POST which will be saved by the container during authentication.
 
diff --git a/appserver/tests/application-tests/security/pam-realm/src/test/java/org/glassfish/test/security/pam/PamRealmITest.java b/appserver/tests/application-tests/security/pam-realm/src/test/java/org/glassfish/test/security/pam/PamRealmITest.java
index 13ef0ff5755..9c4d081d5a5 100644
--- a/appserver/tests/application-tests/security/pam-realm/src/test/java/org/glassfish/test/security/pam/PamRealmITest.java
+++ b/appserver/tests/application-tests/security/pam-realm/src/test/java/org/glassfish/test/security/pam/PamRealmITest.java
@@ -37,7 +37,6 @@
 
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assumptions.assumeTrue;
 import static org.junit.jupiter.api.condition.OS.WINDOWS;
 
diff --git a/docs/administration-guide/src/main/asciidoc/http_https.adoc b/docs/administration-guide/src/main/asciidoc/http_https.adoc
index 00dcee3b155..eddb524b5d2 100644
--- a/docs/administration-guide/src/main/asciidoc/http_https.adoc
+++ b/docs/administration-guide/src/main/asciidoc/http_https.adoc
@@ -323,6 +323,7 @@ The following topics are addressed here:
 
 * <<To Create an HTTP Configuration>>
 * <<To Delete an HTTP Configuration>>
+* <<Behind Proxy Configuration>>
 
 [[to-create-an-http-configuration]]
 
@@ -382,6 +383,27 @@ See Also
 You can also view the full syntax and options of the subcommand by
 typing `asadmin help delete-http` at the command line.
 
+[[behind-proxy-configuration]]
+
+===== Behind Proxy Configuration
+
+When GlassFish Server is deployed behind a reverse proxy (such as nginx or Apache HTTP Server), you can enable the `behind-proxy` option to have the server read client IP addresses from proxy headers instead of the direct connection's remote address.
+
+To enable behind-proxy mode, use the `asadmin set` command:
+
+[source]
+----
+asadmin set configs.config.server-config.network-config.protocols.protocol.admin-listener.http.behind-proxy=true
+----
+
+When `behind-proxy` is enabled:
+
+* The server reads the `X-Real-IP` header first (set by the closest proxy)
+* If `X-Real-IP` is not present, it reads the `X-Forwarded-For` header and takes the first IP in the list (original client)
+* If neither header is present, it falls back to the request's direct remote address
+
+This configuration is useful for ensuring proper client IP tracking for brute-force attack protection.
+
 [[administering-http-transports]]
 
 ==== Administering HTTP Transports
diff --git a/docs/security-guide/src/main/asciidoc/system-security.adoc b/docs/security-guide/src/main/asciidoc/system-security.adoc
index c323f6b1564..0d4df9f6644 100644
--- a/docs/security-guide/src/main/asciidoc/system-security.adoc
+++ b/docs/security-guide/src/main/asciidoc/system-security.adoc
@@ -1066,6 +1066,7 @@ The following topics are addressed here:
 `start-cluster` Subcommands]
 * xref:#using-start-instance-and-start-cluster-with-a-password-file[Using `start-instance` and `start-cluster` With a Password File]
 * xref:#to-change-an-administration-password[To Change an Administration Password]
+* xref:#brute-force-attack-protection[Brute-Force Attack Protection]
 * xref:#to-set-a-password-from-a-file[To Set a Password From a File]
 * xref:#administering-password-aliases[Administering Password Aliases]
 
@@ -1335,6 +1336,29 @@ See Also
 You can also view the full syntax and options of the subcommand by
 typing `asadmin help change-admin-password` at the command line.
 
+
+[[brute-force-attack-protection]]
+==== Brute-Force Attack Protection
+
+{productName} includes protection against brute-force authentication attacks on the administration interface (both the Administration Console and REST API). This protection works by:
+
+* Tracking failed authentication attempts per username and remote host combination
+* Applying an exponential delay after each failed attempt (1 second, 2 seconds, 4 seconds, 8 seconds, etc.)
+* Capping the maximum delay at 60 seconds
+* Rejecting additional concurrent authentication attempts when too many requests are being delayed for the same user/host (HTTP 429 Too Many Requests)
+
+This mechanism makes it impractical for attackers to try many passwords in rapid succession while allowing legitimate users to retry after a short wait.
+
+This mechanism applies only for remote connections. Local connections are never delayed.
+
+[[behind-proxy-configuration]]
+
+##### Behind Proxy Configuration
+
+When the server is deployed behind a reverse proxy, you must configure GlassFish to trust the proxy headers (`X-Real-IP` and `X-Forwarded-For`) to correctly identify the client's real IP address. Without this configuration, all authentication attempts would be tracked under the proxy's IP address instead of individual client IPs. Any failed authentication attempt would delay authentication for all clients, even a valid client with the correct credentials.
+
+For more information about configuring behind-proxy mode and other HTTP options, see xref:administration-guide.adoc#behind-proxy-configuration[Behind Proxy Configuration] in the Administration Guide.
+
 [[to-set-a-password-from-a-file]]
 
 ==== To Set a Password From a File
diff --git a/nucleus/admin/config-api/src/main/java/org/glassfish/config/support/TranslatedConfigView.java b/nucleus/admin/config-api/src/main/java/org/glassfish/config/support/TranslatedConfigView.java
index 0978d82b85c..e5415e552f9 100644
--- a/nucleus/admin/config-api/src/main/java/org/glassfish/config/support/TranslatedConfigView.java
+++ b/nucleus/admin/config-api/src/main/java/org/glassfish/config/support/TranslatedConfigView.java
@@ -88,9 +88,10 @@ public static Object getTranslatedValue(Object value) {
             if (stringValue.indexOf('$') == -1) {
                 return value;
             }
-            DomainScopedPasswordAliasStore dasPasswordAliasStore = domainPasswordAliasStore();
-            if (dasPasswordAliasStore != null) {
-                if (getAlias(stringValue) != null) {
+            if (getAlias(stringValue) != null) {
+                // First search for alias in value, it's faster than loading alias store. If no alias in value, store doesn't need to load. Speeds up startup.
+                DomainScopedPasswordAliasStore dasPasswordAliasStore = domainPasswordAliasStore();
+                if (dasPasswordAliasStore != null) {
                     try {
                         return getRealPasswordFromAlias(stringValue, dasPasswordAliasStore);
                     } catch (Exception e) {
diff --git a/nucleus/admin/rest/rest-service/src/main/java/org/glassfish/admin/rest/adapter/RestAdapter.java b/nucleus/admin/rest/rest-service/src/main/java/org/glassfish/admin/rest/adapter/RestAdapter.java
index c45e1543078..36040c25d20 100644
--- a/nucleus/admin/rest/rest-service/src/main/java/org/glassfish/admin/rest/adapter/RestAdapter.java
+++ b/nucleus/admin/rest/rest-service/src/main/java/org/glassfish/admin/rest/adapter/RestAdapter.java
@@ -17,6 +17,7 @@
 
 package org.glassfish.admin.rest.adapter;
 
+import com.sun.enterprise.admin.util.AuthenticationAttemptTracker;
 import com.sun.enterprise.config.serverbeans.Config;
 import com.sun.enterprise.util.LocalStringManagerImpl;
 
@@ -75,7 +76,6 @@
 
 import static java.lang.System.Logger.Level.DEBUG;
 import static java.lang.System.Logger.Level.INFO;
-import static java.lang.System.Logger.Level.WARNING;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
 /**
@@ -177,9 +177,18 @@ public void service(Request req, Response res) {
             reportError(req, res, HttpURLConnection.HTTP_FORBIDDEN, localStrings.getLocalString("rest.adapter.auth.forbidden",
                     "Remote access not allowed. If you desire remote access, please turn on secure admin"), e);
         } catch (LoginException e) {
-            int status = HttpURLConnection.HTTP_UNAUTHORIZED;
-            String msg = localStrings.getLocalString("rest.adapter.auth.userpassword", "Invalid user name or password");
-            res.setHeader(HEADER_AUTHENTICATE, "BASIC");
+            int status;
+            String msg;
+
+            if (e instanceof AuthenticationAttemptTracker.TooManyRequestsException) {
+                status = 429; // HTTP_TOO_MANY_REQUESTS
+                msg = e.getMessage();
+            } else {
+                status = HttpURLConnection.HTTP_UNAUTHORIZED;
+                msg = localStrings.getLocalString("rest.adapter.auth.userpassword", "Invalid user name or password");
+                res.setHeader(HEADER_AUTHENTICATE, "BASIC");
+            }
+
             reportError(req, res, status, msg, e);
         } catch (Exception e) {
             // TODO: This string is duplicated.  Can we pull this text out of the logging bundle?
@@ -302,7 +311,7 @@ private JerseyContainer getJerseyContainer(ResourceConfig config) {
     }
 
     private void reportError(Request req, Response res, int statusCode, String msg, Exception exception) {
-        LOG.log(WARNING, "reportError(req, res, statusCode=" + statusCode + ", msg, e)", exception);
+        LOG.log(DEBUG, "reportError(req, res, statusCode=" + statusCode + ", msg, e)", exception);
         try {
             // TODO: There's a lot of arm waving and failing here.  I'd like this to be cleaner, but I don't
             // have time at the moment.  jdlee 8/11/10
diff --git a/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/AuthenticationAttemptTracker.java b/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/AuthenticationAttemptTracker.java
new file mode 100644
index 00000000000..0b50e5824f8
--- /dev/null
+++ b/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/AuthenticationAttemptTracker.java
@@ -0,0 +1,262 @@
+/*
+ * Copyright (c) 2026 Contributors to the Eclipse Foundation.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package com.sun.enterprise.admin.util;
+
+import com.sun.enterprise.util.net.NetUtils;
+
+import jakarta.annotation.PostConstruct;
+import jakarta.annotation.PreDestroy;
+import jakarta.inject.Inject;
+import jakarta.inject.Singleton;
+
+import java.lang.System.Logger;
+import java.lang.System.Logger.Level;
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.concurrent.atomic.AtomicLong;
+
+import javax.security.auth.login.LoginException;
+
+import org.jvnet.hk2.annotations.Service;
+
+/**
+ * Tracks failed authentication attempts and enforces exponential delay to prevent brute-force attacks.
+ * <p>
+ * This service tracks failed login attempts per (username, remoteHost) tuple and applies exponential
+ * delays after failures. If too many concurrent requests are being delayed for the same user/host,
+ * additional requests are rejected immediately with HTTP 429 (Too Many Requests).
+ *
+ * @author Ondro Mihalyi
+ */
+@Service
+@Singleton
+public class AuthenticationAttemptTracker {
+
+    private static final Logger LOG = System.getLogger(AuthenticationAttemptTracker.class.getName());
+
+    /**
+     * Sentinel username used to track failed authentication attempts for non-existent users.
+     * All attempts with unknown usernames are grouped under this key per remote host,
+     * preventing username enumeration attacks and unbounded tracker map growth.
+     */
+    public static final String UNKNOWN_USER_KEY = "__unknown_user__";
+
+    // Configuration constants
+    static final int MAX_DELAY_SECONDS = 60; // 1 minute
+    static final int FAILURE_COUNT_REACHING_MAX_DELAY = (int) Math.floor(Math.sqrt(MAX_DELAY_SECONDS));
+    static final int MAX_CONCURRENT_DELAYS = 3;
+    static final int WARN_THRESHOLD_FAILURES = 5;
+
+    @Inject
+    private ScheduledExecutorService scheduledExecutor;
+
+    private final Map<AttemptKey, AttemptData> attempts = new ConcurrentHashMap<>();
+
+    @PostConstruct
+    public void init() {
+        // Schedule periodic cleanup of old entries
+        scheduledExecutor.scheduleAtFixedRate(
+                this::cleanupOldEntries,
+                MAX_DELAY_SECONDS,
+                MAX_DELAY_SECONDS,
+                TimeUnit.SECONDS);
+    }
+
+    @PreDestroy
+    public void shutdown() {
+        attempts.clear();
+    }
+
+    /**
+     * Checks whether authentication should be rejected for the given user and host because too many
+     * concurrent requests are already being delayed. Must be called BEFORE attempting authentication.
+     * <p>
+     * Skips tracking for localhost — those are server-side proxy calls (Admin Console calling
+     * /management/sessions on behalf of a browser). The real remote host is passed via
+     * X-GlassFish-Remote-Host header in that case.
+     *
+     * @param username the username attempting to authenticate
+     * @param remoteHost the remote host from which the request originated
+     * @param password the password being used (empty passwords are ignored for tracking)
+     * @throws TooManyRequestsException if too many concurrent delays are active for this user/host
+     */
+    public void checkBeforeAuthentication(String username, String remoteHost, char[] password) throws TooManyRequestsException {
+        // Skip tracking for null/empty inputs and localhost (server-side proxy calls)
+        if (shouldIgnoreCheckes(username, remoteHost, password)) {
+            return;
+        }
+
+        AttemptData data = attempts.get(new AttemptKey(username, remoteHost));
+        if (data != null) {
+            int concurrentDelays = data.concurrentDelays.get();
+            if (concurrentDelays >= MAX_CONCURRENT_DELAYS) {
+                LOG.log(Level.DEBUG, () -> "Too many concurrent authentication attempts for user=" + username
+                        + ", host=" + remoteHost + ". Concurrent delays: " + concurrentDelays + ". Rejecting immediately.");
+                throw new TooManyRequestsException(
+                        "Too many concurrent authentication attempts. Please try again later.");
+            }
+        }
+    }
+
+    private static boolean shouldIgnoreCheckes(String username, String remoteHost, char[] password) {
+        return username == null || remoteHost == null || isEmptyPassword(password) || NetUtils.isLocal(remoteHost);
+    }
+
+    /**
+     * Records a successful authentication and resets the failure count for the given user/host.
+     * Must be called AFTER successful authentication.
+     *
+     * @param username the username that successfully authenticated
+     * @param remoteHost the remote host from which the request originated
+     * @param password the password that was used (empty passwords are ignored for tracking)
+     */
+    public void recordSuccess(String username, String remoteHost, char[] password) {
+        // Skip tracking for null/empty inputs and localhost
+        if (shouldIgnoreCheckes(username, remoteHost, password)) {
+            return;
+        }
+
+        if (null != attempts.remove(new AttemptKey(username, remoteHost))) {
+            LOG.log(Level.DEBUG, () -> "Successful authentication for user=" + username
+                    + ", host=" + remoteHost + ". Failure count reset.");
+        }
+    }
+
+    /**
+     * Records a failed authentication attempt and applies an exponential delay before returning.
+     * Must be called AFTER authentication fails.
+     *
+     * @param username the username that failed to authenticate
+     * @param remoteHost the remote host from which the request originated
+     * @param password the password that was used (empty passwords are ignored for tracking)
+     */
+    public void recordFailureAndDelay(String username, String remoteHost, char[] password) {
+        // Skip tracking for null/empty inputs and localhost
+        if (shouldIgnoreCheckes(username, remoteHost, password)) {
+            return;
+        }
+
+        AttemptData data = attempts.computeIfAbsent(new AttemptKey(username, remoteHost), k -> new AttemptData());
+
+        int failureCount = data.failureCount.incrementAndGet();
+        data.lastFailureTime.set(System.currentTimeMillis());
+
+        // Calculate exponential delay
+        int delaySeconds = failureCount - 1 < FAILURE_COUNT_REACHING_MAX_DELAY
+                ? (int) Math.min(Math.pow(2, failureCount - 1), MAX_DELAY_SECONDS)
+                : MAX_DELAY_SECONDS;
+        boolean isAtDelayCap = delaySeconds >= MAX_DELAY_SECONDS;
+
+        // Log at WARN on the 10th failure (first time the threshold is crossed) and the first time
+        // the delay cap is reached; log at DEBUG for all other failures to avoid log spam.
+        if (failureCount == WARN_THRESHOLD_FAILURES) {
+            LOG.log(Level.WARNING, () -> "Failed authentication attempt #" + failureCount
+                    + " for user=" + username + ", host=" + remoteHost
+                    + ". Applying delay of " + delaySeconds + " seconds.");
+        } else if (isAtDelayCap && data.delayCappedWarnLogged.compareAndSet(false, true)) {
+            LOG.log(Level.WARNING, () -> "Failed authentication attempt #" + failureCount
+                    + " for user=" + username + ", host=" + remoteHost
+                    + ". Maximum delay cap of " + MAX_DELAY_SECONDS + " seconds reached.");
+        } else {
+            LOG.log(Level.DEBUG, () -> "Failed authentication attempt #" + failureCount
+                    + " for user=" + username + ", host=" + remoteHost
+                    + ". Applying delay of " + delaySeconds + " seconds.");
+        }
+
+        // Block the calling thread for the delay duration while tracking concurrent delayed requests.
+        // The concurrent count is used by checkBeforeAuthentication() to reject excess requests.
+        data.concurrentDelays.incrementAndGet();
+        try {
+            Thread.sleep(delaySeconds * 1000L);
+        } catch (InterruptedException e) {
+            Thread.currentThread().interrupt();
+            LOG.log(Level.DEBUG, () -> "Authentication delay interrupted for user=" + username + ", host=" + remoteHost);
+        } finally {
+            data.concurrentDelays.decrementAndGet();
+        }
+    }
+
+    private void cleanupOldEntries() {
+        long cutoffTime = System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(MAX_DELAY_SECONDS);
+        attempts.entrySet().removeIf(entry -> entry.getValue().lastFailureTime.get() < cutoffTime);
+        LOG.log(Level.DEBUG, () -> "Cleaned up old authentication attempt entries. Remaining entries: " + attempts.size());
+    }
+
+    /**
+     * Checks if the password is null or empty. Empty passwords are not tracked to avoid
+     * penalizing legitimate users who accidentally submit the form without entering a password.
+     */
+    private static boolean isEmptyPassword(char[] password) {
+        return password == null || password.length == 0;
+    }
+
+    /**
+     * Key for tracking attempts by username and remote host.
+     */
+    private static class AttemptKey {
+        private final String username;
+        private final String remoteHost;
+
+        AttemptKey(String username, String remoteHost) {
+            this.username = username;
+            this.remoteHost = remoteHost;
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) {
+                return true;
+            }
+            if (o == null || getClass() != o.getClass()) {
+                return false;
+            }
+            AttemptKey that = (AttemptKey) o;
+            return Objects.equals(username, that.username) && Objects.equals(remoteHost, that.remoteHost);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(username, remoteHost);
+        }
+    }
+
+    /**
+     * Mutable state for a single (username, remoteHost) tracking entry.
+     */
+    private static class AttemptData {
+        final AtomicInteger failureCount = new AtomicInteger(0);
+        final AtomicLong lastFailureTime = new AtomicLong(System.currentTimeMillis());
+        final AtomicInteger concurrentDelays = new AtomicInteger(0);
+        /** Ensures the WARN log for reaching the delay cap is emitted only once per entry. */
+        final AtomicBoolean delayCappedWarnLogged = new AtomicBoolean(false);
+    }
+
+    /**
+     * Thrown when too many concurrent authentication attempts are already being delayed for the
+     * same (username, remoteHost) pair, resulting in an HTTP 429 response.
+     */
+    public static class TooManyRequestsException extends LoginException {
+        public TooManyRequestsException(String message) {
+            super(message);
+        }
+    }
+}
diff --git a/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/GenericAdminAuthenticator.java b/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/GenericAdminAuthenticator.java
index fe37922031c..6f37e168139 100644
--- a/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/GenericAdminAuthenticator.java
+++ b/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/GenericAdminAuthenticator.java
@@ -19,10 +19,13 @@
 
 import com.sun.enterprise.config.serverbeans.AdminService;
 import com.sun.enterprise.config.serverbeans.AuthRealm;
+import com.sun.enterprise.config.serverbeans.Config;
 import com.sun.enterprise.config.serverbeans.Domain;
 import com.sun.enterprise.config.serverbeans.SecureAdmin;
 import com.sun.enterprise.config.serverbeans.SecurityService;
 import com.sun.enterprise.security.SecurityContext;
+import com.sun.enterprise.security.auth.realm.Realm;
+import com.sun.enterprise.security.auth.realm.exceptions.NoSuchUserException;
 import com.sun.enterprise.security.auth.realm.file.FileRealm;
 import com.sun.enterprise.security.auth.realm.file.FileRealmUser;
 import com.sun.enterprise.security.cli.CreateFileUser;
@@ -48,6 +51,8 @@
 import org.glassfish.api.admin.ServerEnvironment;
 import org.glassfish.api.container.Sniffer;
 import org.glassfish.common.util.admin.AuthTokenManager;
+import org.glassfish.grizzly.config.dom.Http;
+import org.glassfish.grizzly.config.dom.Protocol;
 import org.glassfish.grizzly.http.server.Request;
 import org.glassfish.hk2.api.PostConstruct;
 import org.glassfish.hk2.api.ServiceLocator;
@@ -124,6 +129,9 @@ public class GenericAdminAuthenticator implements AdminAccessController, JMXAuth
     @Inject
     private AuthenticationService authService;
 
+    @Inject
+    private AuthenticationAttemptTracker attemptTracker;
+
     @Override
     public synchronized void postConstruct() {
         secureAdmin = domain.getSecureAdmin();
@@ -229,6 +237,12 @@ private boolean ensureGroupMembership(String user, String realm) {
 
     private Subject authenticate(final Request req, final String alternateHostname) throws IOException, LoginException {
         final AdminCallbackHandler cbh = new AdminCallbackHandler(habitat, req, alternateHostname, getDefaultAdminUser(), localPassword);
+
+        String remoteHostForTracking = detectRemoteHostForTracking(cbh, req);
+
+        String trackingUsername = resolveTrackingUsername(cbh.pw().getUserName(), as.getAuthRealmName());
+        attemptTracker.checkBeforeAuthentication(trackingUsername, remoteHostForTracking, cbh.pw().getPassword());
+
         try {
             rejectRemoteAdminIfDisabled(cbh);
 
@@ -243,6 +257,7 @@ private Subject authenticate(final Request req, final String alternateHostname)
                                 cbh.tkn(), cbh.adminIndicator(), cbh.remoteHost() });
             }
 
+            attemptTracker.recordSuccess(cbh.pw().getUserName(), remoteHostForTracking, cbh.pw().getPassword());
             return subject;
         } catch (RemoteAdminAccessException ex) {
             /*
@@ -265,10 +280,76 @@ private Subject authenticate(final Request req, final String alternateHostname)
                         new Object[] { cbh.pw().getUserName(), cbh.clientPrincipal() == null ? "null" : cbh.clientPrincipal().getName(),
                                 cbh.tkn(), cbh.adminIndicator(), cbh.remoteHost(), cmd });
             }
+            attemptTracker.recordFailureAndDelay(trackingUsername, remoteHostForTracking, cbh.pw().getPassword());
             throw lex;
         }
     }
 
+    // Check for X-GlassFish-Remote-Host header (set by AdminConsoleAuthModule in the Admin Console UI).
+    // If present and request is from localhost, use the header value for tracking instead. Otherwise return remote host.
+    // Also check X-Real-IP and X-Forwarded-For headers when the serverName is configured (reverse proxy setup).
+    private String detectRemoteHostForTracking(final AdminCallbackHandler cbh, final Request req) {
+        String remoteHostForTracking = cbh.remoteHost();
+
+        if (NetUtils.isLocal(req.getRemoteAddr())) {
+            String forwardedHost = req.getHeader("X-GlassFish-Remote-Host");
+            if (forwardedHost != null && !forwardedHost.isBlank()) {
+                return forwardedHost;
+            }
+        } else if (isBehindProxyEnabled()) {
+            return NetUtils.getRemoteHost(
+                new NetUtils.RequestInfoProvider() {
+                    @Override
+                    public String getHeader(String name) {
+                        return req.getHeader(name);
+                    }
+
+                    @Override
+                    public String getRemoteHost() {
+                        return remoteHostForTracking;
+                    }
+
+                },
+                true
+            );
+        }
+
+        return remoteHostForTracking;
+    }
+
+    /**
+     * Checks if behindProxy is enabled in the admin listener configuration.
+     * When enabled, the server trusts X-Real-IP and X-Forwarded-For headers.
+     */
+    private boolean isBehindProxyEnabled() {
+        Config config = domain.getServerNamed("server").getConfig();
+        Protocol protocol = config.getAdminListener().findHttpProtocol();
+        Http http = protocol != null ? protocol.getHttp() : null;
+        return http != null && http.isBehindProxy();
+    }
+
+    /**
+     * Returns the username to use for tracking failed authentication attempts.
+     * If the user does not exist in the admin realm, returns {@link AuthenticationAttemptTracker#UNKNOWN_USER_KEY}
+     * so that all attempts with non-existent usernames are grouped under the same key per host,
+     * preventing username enumeration and unbounded tracker map growth.
+     */
+    private String resolveTrackingUsername(String username, String realmName) {
+        if (username == null) {
+            return username;
+        }
+        try {
+            Realm realm = Realm.getInstance(realmName);
+            realm.getUser(username);
+            return username;
+        } catch (NoSuchUserException e) {
+            return AuthenticationAttemptTracker.UNKNOWN_USER_KEY;
+        } catch (Exception e) {
+            // If we can't check, treat as unknown user to prevent unbounded growth
+            return AuthenticationAttemptTracker.UNKNOWN_USER_KEY;
+        }
+    }
+
     /*
      * Accept the request if secure admin is enabled or if the request is local.
      */
@@ -379,6 +460,9 @@ private Subject authenticate(String user, final char[] password, final String re
             throw new LoginException();
         }
 
+        String trackingUsername = resolveTrackingUsername(user, realm);
+        attemptTracker.checkBeforeAuthentication(trackingUsername, host, password);
+
         Subject subject;
         try {
             rejectRemoteAdminIfDisabled(host);
@@ -386,6 +470,7 @@ private Subject authenticate(String user, final char[] password, final String re
             if (ADMSEC_LOGGER.isLoggable(Level.FINE)) {
                 ADMSEC_LOGGER.log(Level.FINE, "*** Login worked\n  user={0}\n  host={1}\n", new Object[] { user, host });
             }
+            attemptTracker.recordSuccess(user, host, password);
             return subject;
         } catch (RemoteAdminAccessException ex) {
             /*
@@ -402,6 +487,7 @@ private Subject authenticate(String user, final char[] password, final String re
                 ADMSEC_LOGGER.log(Level.FINE, "*** LoginException during auth\n  user={0}\n  host={1}\n  realm={2}",
                         new Object[] { user, host, realm });
             }
+            attemptTracker.recordFailureAndDelay(trackingUsername, host, password);
             throw lex;
         }
     }
@@ -453,4 +539,5 @@ public Subject authenticate(Object credentials) {
             throw new SecurityException(e);
         }
     }
+
 }
diff --git a/nucleus/common/common-util/src/main/java/com/sun/enterprise/util/net/NetUtils.java b/nucleus/common/common-util/src/main/java/com/sun/enterprise/util/net/NetUtils.java
index f5160194ba4..21bf0c4f5d8 100644
--- a/nucleus/common/common-util/src/main/java/com/sun/enterprise/util/net/NetUtils.java
+++ b/nucleus/common/common-util/src/main/java/com/sun/enterprise/util/net/NetUtils.java
@@ -428,6 +428,59 @@ public enum PortAvailability {
         illegalNumber, noPermission, inUse, unknown, OK
     }
 
+    /**
+     * Interface for accessing HTTP headers, allowing different request types to be used
+     * with the getRemoteHost method.
+     */
+    public interface RequestInfoProvider {
+        /**
+         * Gets the value of an HTTP header.
+         *
+         * @param name the header name
+         * @return the header value, or null if not present
+         */
+        String getHeader(String name);
+
+        /**
+         * Gets the value of the remote host.
+         *
+         * @return remote host of the HTTP request
+         */
+        String getRemoteHost();
+    }
+
+    /**
+     * Gets the real remote host based on proxy headers.
+     * <p>
+     * If behindProxy is true, checks X-Real-IP and X-Forwarded-For headers
+     * to get the original client IP when behind a reverse proxy.
+     * Otherwise, returns the remote host.
+     *
+     * @param requestInfoProvider provides access to request info
+     * @param behindProxy true if the server is behind a reverse proxy
+     * @return the real remote host IP/hostname
+     */
+    public static String getRemoteHost(RequestInfoProvider requestInfoProvider, boolean behindProxy) {
+        if (behindProxy) {
+
+            // Check X-Real-IP first (set by closest proxy like nginx)
+            String xRealIP = requestInfoProvider.getHeader("X-Real-IP");
+            if (xRealIP != null && !xRealIP.isBlank()) {
+                return xRealIP;
+            }
+
+            // Check X-Forwarded-For (can contain multiple IPs in format "client, proxy1, proxy2")
+            String xForwardedFor = requestInfoProvider.getHeader("X-Forwarded-For");
+            if (xForwardedFor != null && !xForwardedFor.isBlank()) {
+                int commaIndex = xForwardedFor.indexOf(',');
+                return commaIndex > 0 ? xForwardedFor.substring(0, commaIndex).trim() : xForwardedFor.trim();
+            }
+        }
+
+        // Fall back to the remote host
+        return requestInfoProvider.getRemoteHost();
+    }
+
 
     @FunctionalInterface
     private static interface ThrowingPredicate<T> extends Predicate<T> {
diff --git a/nucleus/grizzly/config/src/main/java/org/glassfish/grizzly/config/dom/Http.java b/nucleus/grizzly/config/src/main/java/org/glassfish/grizzly/config/dom/Http.java
index 08bf2279f87..696a5afc4bb 100644
--- a/nucleus/grizzly/config/src/main/java/org/glassfish/grizzly/config/dom/Http.java
+++ b/nucleus/grizzly/config/src/main/java/org/glassfish/grizzly/config/dom/Http.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2026 Contributors to the Eclipse Foundation
  * Copyright (c) 2009, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -38,6 +38,8 @@ public interface Http extends ConfigBeanProxy, PropertyBag {
 
     boolean AUTH_PASS_THROUGH_ENABLED = false;
 
+    boolean BEHIND_PROXY = false;
+
     boolean CHUNKING_ENABLED = true;
 
     boolean COMET_SUPPORT_ENABLED = false;
@@ -522,6 +524,15 @@ public interface Http extends ConfigBeanProxy, PropertyBag {
 
     void setHttp2Enabled(boolean http2Enabled);
 
+    /**
+     * If set to true, the server is configured behind a reverse proxy and will trust
+     * X-Real-IP and X-Forwarded-For headers to determine the client's real IP address.
+     */
+    @Attribute(defaultValue = "" + BEHIND_PROXY, dataType = Boolean.class)
+    boolean isBehindProxy();
+
+    void setBehindProxy(boolean behindProxy);
+
     @Override
     default Protocol getParent() {
         return getParent(Protocol.class);