JAASRealm needs to override the isAvailable method to prevent LockOutRealm from locking the user out in case the JAAS login modules are unavailable. If a JAAS login module fails to authenticate because of network communication issues, it could throw a RuntimeException (instead of a checked LoginException) in that case, and also if the configuration of JAAS is invalid. In the following method: protected Principal authenticate(String username, CallbackHandler callbackHandler), where ExceptionUtils.handleThrowable(e); is invoked, set the available flag to false so that it indicates that JAASRealm is not available to authenticate the user, instead of LockOutRealm thinking that the user is not authenticated because the Principal is null. In CombinedRealm, its isAvailable() method will check the realm with !realm.isAvailable() and will not lock the user out.
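The behaviour described in this comment, as an added illustration that is not Tomcat's code and not the code from the linked pull request: a hypothetical JAAS-style realm that clears its available flag when the login module throws a RuntimeException, beside a hypothetical lock-out wrapper that counts a null Principal as a failed attempt only when the realm reports itself available. All class and method names (BackendRealm, LockOutWrapper, LockOutDemo) are assumptions.

```java
import java.security.Principal;
import java.util.HashMap;

// Hypothetical stand-in for a JAAS-backed realm (not Tomcat's JAASRealm). A RuntimeException
// from the login module means "could not decide", so the realm clears `available`.
class BackendRealm {
    private volatile boolean available = true;
    private final boolean backendUp;   // simulates whether the login module's backend is reachable
    BackendRealm(boolean backendUp) { this.backendUp = backendUp; }
    public boolean isAvailable() { return available; }
    public Principal authenticate(String user, String password) {
        try {
            // e.g. a directory-backed LoginModule throwing on a connection error
            if (!backendUp) throw new IllegalStateException("login module backend unreachable");
            available = true;   // the backend answered, so the realm is usable again
            return "correct-password".equals(password) ? () -> user : null;
        } catch (RuntimeException e) {
            available = false;  // infrastructure failure, not a credential failure
            return null;
        }
    }
}

// Hypothetical stand-in for a lock-out wrapper (not Tomcat's LockOutRealm): a null
// Principal counts as a failed attempt only if the wrapped realm was available.
class LockOutWrapper {
    private final BackendRealm realm;
    private final int failureCount;
    private final HashMap<String, Integer> failures = new HashMap<>();
    LockOutWrapper(BackendRealm realm, int failureCount) { this.realm = realm; this.failureCount = failureCount; }
    public boolean isLocked(String user) { return failures.getOrDefault(user, 0) >= failureCount; }
    public Principal authenticate(String user, String password) {
        if (isLocked(user)) return null;   // refuse without consulting the realm
        Principal p = realm.authenticate(user, password);
        if (p != null) failures.remove(user);
        else if (realm.isAvailable()) failures.merge(user, 1, Integer::sum);
        return p;
    }
}

public class LockOutDemo {
    public static void main(String[] args) {
        LockOutWrapper down = new LockOutWrapper(new BackendRealm(false), 3);
        for (int i = 0; i < 5; i++) down.authenticate("alice", "correct-password");
        System.out.println("backend down, user locked? " + down.isLocked("alice"));
        LockOutWrapper up = new LockOutWrapper(new BackendRealm(true), 3);
        for (int i = 0; i < 5; i++) up.authenticate("alice", "wrong");
        System.out.println("bad passwords, user locked? " + up.isLocked("alice"));
    }
}
```

With the backend down, the repeated null results never increment the failure counter, so a user is not locked out by an outage; with the backend up, repeated wrong passwords still trigger the lock.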
Care to provide a patch (in diff -u format) or a pull request? It looks like there are multiple places where available should be set to false, and you'll also need to identify where it should be set to true.
Pull request: https://github.com/apache/tomcat/pull/157
Fixed in:
- master for 9.0.20 onwards
- 8.5.x for 8.5.41 onwards
Thanks for the PR