-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Esmond,

On 4/11/13 8:43 PM, Esmond Pitt wrote:
> I referred to the OpenLDAP lockout mechanism, which is not at all 
> primitive.

How does OpenLDAP do better than Tomcat? If I make repeated (failed)
login attempts against a single user, can I cause them to be
locked-out? DOS. Does OpenLDAP track the IP address(es) of the
authentication attempts? (Tomcat would have to furnish that
information via LDAP, which I don't believe it does). If it does cache
them, I can hit you from many different IP addresses. D/DOS. If it's
got a limited cache, I can game the cache by making of attempts, get
locked-out, then purge myself from your cache by hitting you with
other requests.

Tomcat does an adequate job of mitigating casual break-in attempts.
Really good protection is difficult and often still not sufficient
because the bad guys always have the advantage.

>> Would you be willing to review the Tomcat documentation on
>> "securing Tomcat" and make a few comments? It could always use
>> some additional tips:
> 
> Sure, will do.

Great!

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRazRqAAoJEBzwKT+lPKRYRzIQAIJddWW2I/B5iYu9O2gx8oIQ
EJj8gR6ZptF3E6GqOwJJPQ3YtE5dtocyRNLKc3as6Iw1slp1o/N9LZvxkuGZ5AJY
iFzVUowRtGusf7xFcIT6Ld50MbK1fQkfHnBCi5HCawoQ+gaIcscqLHPBMjBqutjA
dLu+7lIvCHpdeJ6y1EK6mtJXtgGvvi1iDOWSLHWIcLzvWaS8E83K/ydA3SRc2SAY
C2q/ac7p5Luy74AGPkAyxP2FDjFBAtRFKmusUR9MJKEOFuz8eVo79Mq5nrrAfI0g
h63ItO3n8jkqe0wzSC1ZBsaggcEMulAU5N3g5VvBWImQpQ2pL8IYAVfOK8wrqK27
Z1OqwgeY4gKdv/1NtAQg0sQ3i8AZ3ibzd+s3+dd8udj5nD9AmxtN2bC1AWnO37I3
YJp3MePLPxHemDS9wq75SMj+gq591xWXcCw3H1SgtCX8nKAkyZJraBMcDhrP3Qyd
EcAAszdpAILvfLmzHl6AjQ4v6gOTYxxBIuv4PaIOx/UM3wYL/YUtovmGiU4AeL6V
qVZrIa/CkM70LzvaGdbMSNXlT6pS79Bpfg1ER0jMuRGdECay31yGqn0F6lRR+pQn
akqQNj3i1NCOJM3lc804g6P4jP6JohoUBGOIF7i7QA7ikqseA3Ndp/R8dZ5jhIWu
ursp7X5nazb/05Ls91B5
=vf2o
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to