Bug 59708

Summary: LockOutRealm Details
Product: Tomcat 8 Reporter: Ben <ben>
Component: DocumentationAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 8.0.35   
Target Milestone: ----   
Hardware: PC   
OS: Linux   

Description Ben 2016-06-15 15:17:08 UTC
Documentation for LockOutRealm does not specify if failed logins due to being locked out by the LockOutRealm count as failed logins for the purpose of locking out a user.

For example: Lets say I'm protecting an API with LockOutRealm and the authentication fails either due to maliciously bad password, accidentally bad password, or back-end auth fail. This results in a LockOut condition because it happened x times in y period. But the machines legitimately hitting the API don't care and continue to fail to authenticate during the LockOut period. Will the machines ever be allowed to authenticate or is this a critical failure of the API?
Comment 1 Mark Thomas 2016-06-15 19:48:57 UTC
Thanks for the report.

To answer the question, the LockOutRealm currently treats any authentication attempt during the lock out period as a failure. This does mean that once an account is locked out, if the legitimate users attempts to login more frequently that the lockout period that user is never going to regain access.

It does make sense to change this behaviour (and document it) so that valid logins do not extend the lockout period. I'll take a look at a patch.
Comment 2 Ben 2016-06-15 21:18:13 UTC
Thanks for the clarification. I look forward to seeing this progress.
Comment 3 Mark Thomas 2016-06-20 18:49:18 UTC
This has been fixed the trunk for all currently supported versions and will be included in:
- 9.0.0.M9 onwards
- 8.5.4 omwards
- 8.0.37 onwards
- 7.0.71 onwards
- 6.0.46 onwards
Comment 4 Ben 2016-08-18 13:59:28 UTC
Thanks for this fix. I'd like to ask one more technical question about it: Are the wrapped realms authenticated before the lockout or is the lockout checked before attempting real authentication?

Example:
<Lockout realm>
  <LDAP realm/>
</Lockout realm>

If I try to authenticate but I'm in lockout, is LDAP triggered? It looks like the answer is probably "yes" because of the 401 Unauthorized response, which usually indicates authentication was successful.
Comment 5 Mark Thomas 2016-08-19 08:14:25 UTC
Yes, authentication is now always checked so Tomcat can vary the behaviour during a lock out depending on whether the authentication credentials provided were valid or not.

For more details, you can always look at the source:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/LockOutRealm.java?view=annotate