Posted to dev@tomcat.apache.org by Remy Maucherat <re...@apache.org> on 2008/09/04 00:31:07 UTC

Re: svn commit: r691805 - in /tomcat/trunk: java/org/apache/catalina/realm/ java/org/apache/catalina/startup/ webapps/docs/ webapps/docs/config/

On Wed, 2008-09-03 at 23:25 +0100, Mark Thomas wrote:
> markt@apache.org wrote:
> > Author: markt
> > Date: Wed Sep  3 15:18:39 2008
> > New Revision: 691805
> > 
> > URL: http://svn.apache.org/viewvc?rev=691805&view=rev
> > Log:
> > Add a new combined Realm that can be used to try authenticating against multiple realms.

> Note that whilst users have been asking for this for a while, I wrote this
> as the basis for a LockOut Realm (to follow) that will lock out users after
> a set number of failed logins (with lots of configuration options). This
> is in response to the incidents back in July/August where it appeared
> attackers were using brute force attacks to gain access to Tomcat webapps,
> mainly the admin and manager app. Granted these apps shouldn't be public
> facing but adding LockOut functionality to the Realms is a good idea from a
> security point of view.
> 
> The LockOut Realm will follow when I finish writing it ;)

Ah ok, but besides some special-function realms like this LockOut
thing, it does not seem to me like good security to store credentials in
multiple places :(

Rémy



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r691805 - in /tomcat/trunk: java/org/apache/catalina/realm/ java/org/apache/catalina/startup/ webapps/docs/ webapps/docs/config/

Posted by Mark Thomas <ma...@apache.org>.
Remy Maucherat wrote:
> On Wed, 2008-09-03 at 23:25 +0100, Mark Thomas wrote:
>> markt@apache.org wrote:
>>> Author: markt
>>> Date: Wed Sep  3 15:18:39 2008
>>> New Revision: 691805
>>>
>>> URL: http://svn.apache.org/viewvc?rev=691805&view=rev
>>> Log:
>>> Add a new combined Realm that can be used to try authenticating against multiple realms.
> 
>> Note that whilst users have been asking for this for a while, I wrote this
>> as the basis for a LockOut Realm (to follow) that will lock out users after
>> a set number of failed logins (with lots of configuration options). This
>> is in response to the incidents back in July/August where it appeared
>> attackers were using brute force attacks to gain access to Tomcat webapps,
>> mainly the admin and manager app. Granted these apps shouldn't be public
>> facing but adding LockOut functionality to the Realms is a good idea from a
>> security point of view.
>>
>> The LockOut Realm will follow when I finish writing it ;)
> 
> Ah ok, but besides some special-function realms like this LockOut
> thing, it does not seem to me like good security to store credentials in
> multiple places :(

There are pros and cons of a single user repository. Just about every
organisation I have ever worked with has had multiple user repositories of
one form or another. I'd have to go back over the user archives, but the
sort of requirements I recall are things like:

- post company merger, get user info from two (or more) different LDAP
directories
- 'normal' users from XYZ database and the sys admins from some other source,
etc.

If there is a risk of duplicate user names in the repositories then that
could be an issue.

To be honest, the combined realm is a potentially useful side effect of
what looks to be the easiest way of doing the lock out, which is my real
focus here.

Mark


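As an added illustration for readers of this thread (it is not Tomcat's code, nor the CombinedRealm or LockOutRealm that Mark committed), the following stand-alone model shows the two mechanisms discussed above: a realm that tries several sub-realms in order, wrapped by a realm that locks a user name out after a set number of consecutive failed logins. It also makes the duplicate-user-name point concrete: when the same name exists in two repositories, either repository's password is accepted, so the weaker entry sets the bar. The Realm interface, class names, the three-failure threshold, the lock duration and the in-memory user stores are all assumptions constructed for this example.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration, not Tomcat's code: a realm that tries several sub-realms
// in turn, wrapped by a realm that locks a user name out after a set number
// of consecutive failed logins. Names, thresholds and sample data are assumed.
public class RealmLockOutDemo {

    // Hypothetical minimal realm contract: true if the credential is valid.
    interface Realm {
        boolean authenticate(String username, String password);
    }

    // In-memory user store standing in for an LDAP directory or a database.
    static final class MemoryRealm implements Realm {
        private final Map<String, String> users = new HashMap<>();
        MemoryRealm add(String user, String password) { users.put(user, password); return this; }
        @Override public boolean authenticate(String user, String password) {
            return password != null && password.equals(users.get(user));
        }
    }

    // Consults each sub-realm in configured order and accepts on the first
    // match. A name present in two repositories is therefore reachable with
    // either repository's password: the weaker entry sets the bar.
    static final class CombinedRealm implements Realm {
        private final List<Realm> realms = new ArrayList<>();
        CombinedRealm add(Realm realm) { realms.add(realm); return this; }
        @Override public boolean authenticate(String user, String password) {
            for (Realm realm : realms) {
                if (realm.authenticate(user, password)) return true;
            }
            return false;
        }
    }

    // Counts consecutive failures per user name; once the threshold is hit the
    // wrapped realm is not consulted again until the lock expires, so a brute
    // force run gets at most failureThreshold guesses per lock period.
    static final class LockOutRealm implements Realm {
        private final Realm inner;
        private final int failureThreshold;
        private final long lockDurationMillis;
        private final Map<String, Integer> failures = new HashMap<>();
        private final Map<String, Long> lockedUntil = new HashMap<>();
        private long now; // injectable clock (millis) so the demo is deterministic

        LockOutRealm(Realm inner, int failureThreshold, long lockDurationMillis) {
            this.inner = inner;
            this.failureThreshold = failureThreshold;
            this.lockDurationMillis = lockDurationMillis;
        }

        void setClock(long millis) { now = millis; }

        boolean isLocked(String user) {
            Long until = lockedUntil.get(user);
            if (until == null) return false;
            if (now >= until) {            // lock expired: forget the history
                lockedUntil.remove(user);
                failures.remove(user);
                return false;
            }
            return true;
        }

        @Override public boolean authenticate(String user, String password) {
            // While locked, even the right password is refused and the inner
            // realm is not asked, so the response leaks nothing about it.
            if (isLocked(user)) return false;
            if (inner.authenticate(user, password)) {
                failures.remove(user);     // a success resets the counter
                return true;
            }
            int count = failures.merge(user, 1, Integer::sum);
            if (count >= failureThreshold) {
                lockedUntil.put(user, now + lockDurationMillis);
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: two directories after a merger, both holding "alice".
        MemoryRealm ldapA = new MemoryRealm().add("alice", "pwA").add("bob", "pwB");
        MemoryRealm ldapB = new MemoryRealm().add("alice", "pwX").add("carol", "pwC");
        LockOutRealm realm = new LockOutRealm(new CombinedRealm().add(ldapA).add(ldapB), 3, 60_000);
        realm.setClock(0);

        System.out.println("carol/pwC: " + realm.authenticate("carol", "pwC")); // only the second store knows carol
        System.out.println("alice/pwA: " + realm.authenticate("alice", "pwA"));
        System.out.println("alice/pwX: " + realm.authenticate("alice", "pwX")); // duplicate name: the other store's password
        // Three wrong guesses for bob reach the threshold and lock the name.
        for (String guess : new String[] {"123456", "password", "letmein"}) {
            System.out.println("bob/" + guess + ": " + realm.authenticate("bob", guess));
        }
        System.out.println("bob locked: " + realm.isLocked("bob"));
        System.out.println("bob/pwB while locked: " + realm.authenticate("bob", "pwB"));
        realm.setClock(60_000);                                                // lock duration has elapsed
        System.out.println("bob/pwB after lock: " + realm.authenticate("bob", "pwB"));
    }
}
```

Compile and run with `javac RealmLockOutDemo.java && java RealmLockOutDemo` (Java 8 or later). Note that the lock is keyed on the user name alone, so in the duplicate-name case a lock triggered by guesses against one repository's "alice" also blocks the other repository's "alice"; whether that is desirable depends on the deployment, and a production realm would also bound the size of the failure map so an attacker cannot grow it without limit by cycling through user names.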