-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Sreyan,
On 8/23/15 2:54 PM, Sreyan Chakravarty wrote: > I am confused with the functioning of LockOutRealms in Tomcat. > > My questions are as follows-: > > > 1. Say user at IP 10.10.10.1 has reached the maximum number of > invalid login attempts and is locked out. Now say a user from > 10.10.10.2 attempts to login, will Tomcat stop him too since he is > trying to login for the first time ? If not then how does Tomcat > keep track of users that are locked out ? Via there IP's ? If you look at the code [1], you'll see that users are identified by username (or "identifier) and no other factors. So, if you get locked-out from 10.10.10.1, you will also be locked-out from 10.10.10.2. However, the lock-out information is not shared amongst cluster members, so the LockOutRealm really only protects a single member of a cluster. If you need "proper" user-locking, you'll want to mark the user as locked-out in a database or something. You could do that by extending LockOutRealm and taking some other action (such as marking a user as locked in a db) after the registerAuthFailure method completes. > 2. When a user is locked out what message is displayed ? Can I > display a custom HTML page when a user has been locked out ? In > other words how much control do I have over the lock out process > and what error messages are shown ? It depends upon the type of authenticator you are using. If you use the BasicAuthenticator or DigestAuthenticator, you'll get a 401 response, and you can customize what page gets returned with a 401. If you use a FormAuthenticator, you can customize the form-error-page. If you are using an x509Authenticator, you cannot customize anything since the failure occurs at the SSL handshake level. In any case, there does not appear to be a way to tell that the user failed due to too-many-authentication-failures. You could request such as feature, but I would personally think nobody would want to implement it... you don't want to leak-out any information about the authentication process if you don't have to. Failed login = failed login, without further clarification. For a truly secure system, the LockOutRealm should also probably waste some time when a locked-out user is found, to simulate the amount of time it takes to properly-authenticate the user and then fail. Hope that helps, - -chris [1] http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm /LockOutRealm.java?view=markup -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV2yPWAAoJEBzwKT+lPKRYRM0QAKnl/8bDktDWdDMlWYJZejwu UAVl1lgDFN0rm+osfRegAPaBx0ERHZnZiUUWYtEEOAB6XzhgQMfendBpRyzkT7Af 3TGxPwZwsAbe4sSVrZvi25K3o7CThxn1CymMQPaR0v0uXq2CH+NdKwOcPLsMtyK/ aofhbNP7Bde3gey6YlzN4PME0Ho+0dxXgI3bGSqtiSp3xWroGRJxsNhKGhvV2Ntj gN6O22rlzHvvt21oXxBOkHIHKBdjlsT6TLOt7Lp2alWxAd4e1pcM+KTzVQA35jan QkD/vQ8aPUGGc53Vsygnk4nItzMFJJQWUtarCZpjxzKaSBKNMB2ON0C+Occyog+S jt8uASbne9gN0oknP5tF5OU+nrhsXW3KcIlOC6uVgGqGvcGUrjEN78Y1ZVgycpyb TnZdeGnFYrUFHgC7vadzE1KSbd8hJvJojUX3EgUSj0+liM+HvoIqCXPbL1E7oTra qsmZPA8/VfCXQpgIfNBjlv94XpzMPcYxGsoBdG5QQiAeIsEgaX0Uv4zM8mowPbdH XDbEWTsTSvEkYv5PRU6C/251zvoxZ5vhMFXeIX6zN075KmflhM5AQ/LUd6qCg0mz r/memt0VqAauRx/i5l04dmLF6FubraBtP8J5sluHkXywmepGGA6MDzJc9HmTTXH5 N5u8FupQhbCp3x/lSt4w =8IkU -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org