On 29/08/2015 21:51, Sreyan Chakravarty wrote:
> Is there any way I can tell the user that what number of login attempt he
> is on ? While using the LockOutRealm any way to display his login attempt
> on an html or jsp page ?

With the LockOutRealm as currently written, no.

If you extend it and write some custom code, yes.

I'd think through the risks very carefully before you go down this road.
Do the benefits to the users outweigh the additional security risks
this would create?

Mark

> 
> On Mon, Aug 24, 2015 at 7:31 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> Sreyan,
> 
> On 8/23/15 2:54 PM, Sreyan Chakravarty wrote:
>>>> I am confused with the functioning of LockOutRealms in Tomcat.
>>>>
>>>> My questions are as follows-:
>>>>
>>>>
>>>> 1. Say user at IP 10.10.10.1 has reached the maximum number of
>>>> invalid login attempts and is locked out. Now say a user from
>>>> 10.10.10.2 attempts to login, will Tomcat stop him too since he is
>>>> trying to login for the first time ? If not then how does Tomcat
>>>> keep track of users that are locked out ? Via their IP's ?
> 
> If you look at the code [1], you'll see that users are identified by
> username (or "identifier") and no other factors. So, if you get
> locked-out from 10.10.10.1, you will also be locked-out from
> 10.10.10.2. However, the lock-out information is not shared amongst
> cluster members, so the LockOutRealm really only protects a single
> member of a cluster.
> 
> If you need "proper" user-locking, you'll want to mark the user as
> locked-out in a database or something. You could do that by extending
> LockOutRealm and taking some other action (such as marking a user as
> locked in a db) after the registerAuthFailure method completes.
> 
>>>> 2. When a user is locked out what message is displayed ? Can I
>>>> display a custom HTML page when a user has been locked out ? In
>>>> other words how much control do I have over the lock out process
>>>> and what error messages are shown ?
> 
> It depends upon the type of authenticator you are using. If you use
> the BasicAuthenticator or DigestAuthenticator, you'll get a 401
> response, and you can customize what page gets returned with a 401. If
> you use a FormAuthenticator, you can customize the form-error-page. If
> you are using an x509Authenticator, you cannot customize anything
> since the failure occurs at the SSL handshake level.
> 
> In any case, there does not appear to be a way to tell that the user
> failed due to too-many-authentication-failures. You could request such
> a feature, but I would personally think nobody would want to
> implement it... you don't want to leak-out any information about the
> authentication process if you don't have to. Failed login = failed
> login, without further clarification. For a truly secure system, the
> LockOutRealm should also probably waste some time when a locked-out
> user is found, to simulate the amount of time it takes to
> properly-authenticate the user and then fail.
> 
> Hope that helps,
> -chris
> 
> [1]
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/LockOutRealm.java?view=markup


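Added example, not from the thread and not Tomcat's own code: a sketch of the extension Chris and Mark describe, a LockOutRealm subclass that mirrors a lock-out to shared storage once registerAuthFailure has updated the local cache, honours locks recorded by other cluster members, and pads every failed username/password login to a minimum time so a locked-out account is not distinguishable by response time. The class name, the abstract recordLock/isLockedElsewhere hooks and the 250 ms floor are assumptions; the overridden signatures are assumed to match the LockOutRealm of the Tomcat version in use.

```java
import java.security.Principal;
import java.util.concurrent.TimeUnit;

import org.apache.catalina.realm.LockOutRealm;

/** Example subclass (assumed name); storage is left to the deployer. */
public abstract class SharedLockOutRealm extends LockOutRealm {

    /** Assumed floor: no failed login should return faster than this. */
    private static final long MIN_FAILURE_NANOS = TimeUnit.MILLISECONDS.toNanos(250);

    /** Record in shared storage that username is locked for lockOutSeconds. */
    protected abstract void recordLock(String username, int lockOutSeconds);

    /** True if shared storage holds an unexpired lock for username. */
    protected abstract boolean isLockedElsewhere(String username);

    @Override
    public Principal authenticate(String username, String credentials) {
        long start = System.nanoTime();
        // LockOutRealm's cache is per instance; consult the shared record too.
        if (username != null && isLockedElsewhere(username)) {
            padToMinimum(start);
            return null;
        }
        // A locally locked user makes super return null almost immediately;
        // padding hides that difference from a genuine wrong-password failure.
        Principal user = super.authenticate(username, credentials);
        if (user == null) {
            padToMinimum(start);
        }
        return user;
    }

    @Override
    protected void registerAuthFailure(String username) {
        super.registerAuthFailure(username);  // updates the in-memory failure record
        // Mirror the lock as soon as the local failure count is reached.
        if (isLocked(username)) {
            recordLock(username, getLockOutTime());
        }
    }

    /** Sleep so that the caller has spent at least MIN_FAILURE_NANOS. */
    private static void padToMinimum(long startNanos) {
        long remaining = MIN_FAILURE_NANOS - (System.nanoTime() - startNanos);
        if (remaining > 0) {
            try {
                TimeUnit.NANOSECONDS.sleep(remaining);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        }
    }
}
```

Only the username/password path is padded here; the digest and certificate overloads of authenticate would need the same treatment, and the floor must exceed the realm's real authentication time to be effective.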
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
