| Field | Value |
|---|---|
| Summary | LockOutRealm Details |
| Product | Tomcat 8 |
| Component | Documentation |
| Version | 8.0.35 |
| Hardware | PC |
| OS | Linux |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | P2 |
| Target Milestone | ---- |
| Reporter | Ben <ben> |
| Assignee | Tomcat Developers Mailing List <dev> |
Description
Ben
2016-06-15 15:17:08 UTC
Thanks for the report. To answer the question, the LockOutRealm currently treats any authentication attempt during the lock out period as a failure. This does mean that once an account is locked out, if the legitimate user attempts to log in more frequently than the lockout period, that user is never going to regain access. It does make sense to change this behaviour (and document it) so that valid logins do not extend the lockout period. I'll take a look at a patch.

Thanks for the clarification. I look forward to seeing this progress.

This has been fixed in trunk for all currently supported versions and will be included in:

- 9.0.0.M9 onwards
- 8.5.4 onwards
- 8.0.37 onwards
- 7.0.71 onwards
- 6.0.46 onwards

Thanks for this fix. I'd like to ask one more technical question about it: Are the wrapped realms authenticated before the lockout, or is the lockout checked before attempting real authentication? Example:

```xml
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm" />
</Realm>
```

If I try to authenticate but I'm in lockout, is LDAP triggered? It looks like the answer is probably "yes" because of the 401 Unauthorized response, which usually indicates authentication was successful.

Yes, authentication is now always checked so Tomcat can vary the behaviour during a lock out depending on whether the authentication credentials provided were valid or not. For more details, you can always look at the source: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/LockOutRealm.java?view=annotate
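The two behaviours discussed in this thread, modelled side by side as an added example that is not Tomcat's code and not posted by either participant. It reimplements only the bookkeeping the bug is about (a failure counter, a last-failure timestamp, and the lock-out window) with an injectable clock and a constructed stand-in for the wrapped LDAP realm; the attribute names `failure_count` and `lock_out_time` follow the real realm's `failureCount` and `lockOutTime` settings, while the class, method and scenario names are this example's own. The scenario is the one from the report: five wrong passwords lock the account, then the legitimate user retries with the correct password every minute.

```python
"""Simplified model of LockOutRealm's lock-out bookkeeping (example code, not Tomcat's)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class LockRecord:
    failures: int = 0
    last_failure_time: float = 0.0


class LockOutRealmModel:
    def __init__(self, wrapped: Callable[[str, str], bool],
                 failure_count: int = 5, lock_out_time: int = 300,
                 valid_login_extends_lock: bool = False):
        self.wrapped = wrapped                # the inner realm, e.g. LDAP (assumed callable)
        self.failure_count = failure_count    # failures before the account is locked
        self.lock_out_time = lock_out_time    # seconds the lock lasts after the last failure
        self.valid_login_extends_lock = valid_login_extends_lock  # True = pre-fix behaviour
        self.records: Dict[str, LockRecord] = {}
        self.wrapped_calls = 0                # how often the inner realm was consulted

    def is_locked(self, user: str, now: float) -> bool:
        rec = self.records.get(user)
        return (rec is not None
                and rec.failures >= self.failure_count
                and now - rec.last_failure_time < self.lock_out_time)

    def _register_failure(self, user: str, now: float) -> None:
        rec = self.records.setdefault(user, LockRecord())
        # An expired lock starts counting from zero again.
        if rec.failures >= self.failure_count and now - rec.last_failure_time >= self.lock_out_time:
            rec.failures = 0
        rec.failures += 1
        rec.last_failure_time = now           # every failure restarts the window

    def _check(self, user: str, password: str) -> bool:
        self.wrapped_calls += 1
        return self.wrapped(user, password)

    def authenticate(self, user: str, password: str, now: float) -> bool:
        if self.valid_login_extends_lock:
            # Pre-fix: any attempt during the window counts as a failure before the
            # wrapped realm is consulted, so a retrying legitimate user never unlocks.
            if self.is_locked(user, now):
                self._register_failure(user, now)
                return False
            ok = self._check(user, password)
        else:
            # Post-fix: the wrapped realm is always consulted first; only invalid
            # credentials extend the lock, valid ones are refused but do not.
            ok = self._check(user, password)
            if not ok:
                self._register_failure(user, now)
            if self.is_locked(user, now):
                return False
        if ok:
            self.records.pop(user, None)
        elif self.valid_login_extends_lock:
            self._register_failure(user, now)
        return ok


def simulate(valid_login_extends_lock: bool) -> Tuple[Optional[int], int]:
    """Returns (time of first successful legitimate login, wrapped-realm call count)."""
    def ldap(user: str, password: str) -> bool:   # constructed stand-in for the LDAP realm
        return user == "alice" and password == "correct horse"

    realm = LockOutRealmModel(ldap, valid_login_extends_lock=valid_login_extends_lock)
    for t in range(5):                            # attacker locks the account at t=0..4
        realm.authenticate("alice", "wrong", now=t)
    first_success = None
    for t in range(60, 601, 60):                  # legitimate user retries every 60 s
        if realm.authenticate("alice", "correct horse", now=t):
            first_success = t
            break
    return first_success, realm.wrapped_calls


if __name__ == "__main__":
    print("pre-fix :", simulate(True))   # account never unlocks, LDAP never consulted
    print("post-fix:", simulate(False))  # unlocks once the 300 s window expires
```

With the pre-fix flag the legitimate retries keep resetting the window and the inner realm is not consulted at all while locked; with the post-fix logic the inner realm is called on every attempt (which answers the LDAP question in the thread) and the correct password succeeds as soon as 300 seconds have passed since the last genuine failure. Note that an attacker who keeps sending wrong passwords still extends the lock indefinitely, so the fix removes the self-inflicted lockout, not the denial-of-service against a known username.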