Is there any way I can tell the user that what number of login attempt he is on ? While using the LockOutRealm any way to display his login attempt on an html or jsp page ?
On Mon, Aug 24, 2015 at 7:31 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Sreyan, > > On 8/23/15 2:54 PM, Sreyan Chakravarty wrote: > > I am confused with the functioning of LockOutRealms in Tomcat. > > > > My questions are as follows-: > > > > > > 1. Say user at IP 10.10.10.1 has reached the maximum number of > > invalid login attempts and is locked out. Now say a user from > > 10.10.10.2 attempts to login, will Tomcat stop him too since he is > > trying to login for the first time ? If not then how does Tomcat > > keep track of users that are locked out ? Via there IP's ? > > If you look at the code [1], you'll see that users are identified by > username (or "identifier) and no other factors. So, if you get > locked-out from 10.10.10.1, you will also be locked-out from > 10.10.10.2. However, the lock-out information is not shared amongst > cluster members, so the LockOutRealm really only protects a single > member of a cluster. > > If you need "proper" user-locking, you'll want to mark the user as > locked-out in a database or something. You could do that by extending > LockOutRealm and taking some other action (such as marking a user as > locked in a db) after the registerAuthFailure method completes. > > > 2. When a user is locked out what message is displayed ? Can I > > display a custom HTML page when a user has been locked out ? In > > other words how much control do I have over the lock out process > > and what error messages are shown ? > > It depends upon the type of authenticator you are using. If you use > the BasicAuthenticator or DigestAuthenticator, you'll get a 401 > response, and you can customize what page gets returned with a 401. If > you use a FormAuthenticator, you can customize the form-error-page. If > you are using an x509Authenticator, you cannot customize anything > since the failure occurs at the SSL handshake level. > > In any case, there does not appear to be a way to tell that the user > failed due to too-many-authentication-failures. You could request such > as feature, but I would personally think nobody would want to > implement it... you don't want to leak-out any information about the > authentication process if you don't have to. Failed login = failed > login, without further clarification. For a truly secure system, the > LockOutRealm should also probably waste some time when a locked-out > user is found, to simulate the amount of time it takes to > properly-authenticate the user and then fail. > > Hope that helps, > - -chris > > [1] > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm > /LockOutRealm.java?view=markup > -----BEGIN PGP SIGNATURE----- > Comment: GPGTools - http://gpgtools.org > > iQIcBAEBCAAGBQJV2yPWAAoJEBzwKT+lPKRYRM0QAKnl/8bDktDWdDMlWYJZejwu > UAVl1lgDFN0rm+osfRegAPaBx0ERHZnZiUUWYtEEOAB6XzhgQMfendBpRyzkT7Af > 3TGxPwZwsAbe4sSVrZvi25K3o7CThxn1CymMQPaR0v0uXq2CH+NdKwOcPLsMtyK/ > aofhbNP7Bde3gey6YlzN4PME0Ho+0dxXgI3bGSqtiSp3xWroGRJxsNhKGhvV2Ntj > gN6O22rlzHvvt21oXxBOkHIHKBdjlsT6TLOt7Lp2alWxAd4e1pcM+KTzVQA35jan > QkD/vQ8aPUGGc53Vsygnk4nItzMFJJQWUtarCZpjxzKaSBKNMB2ON0C+Occyog+S > jt8uASbne9gN0oknP5tF5OU+nrhsXW3KcIlOC6uVgGqGvcGUrjEN78Y1ZVgycpyb > TnZdeGnFYrUFHgC7vadzE1KSbd8hJvJojUX3EgUSj0+liM+HvoIqCXPbL1E7oTra > qsmZPA8/VfCXQpgIfNBjlv94XpzMPcYxGsoBdG5QQiAeIsEgaX0Uv4zM8mowPbdH > XDbEWTsTSvEkYv5PRU6C/251zvoxZ5vhMFXeIX6zN075KmflhM5AQ/LUd6qCg0mz > r/memt0VqAauRx/i5l04dmLF6FubraBtP8J5sluHkXywmepGGA6MDzJc9HmTTXH5 > N5u8FupQhbCp3x/lSt4w > =8IkU > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >