Posted to users@tomcat.apache.org by "Robillard, Greg L" <gr...@lmco.com> on 2010/06/30 14:50:27 UTC

Advanced LockoutRealm procedures

I am using the LockoutRealm on my application.  I am looking for some advanced features.


1. I would like to redirect a locked user to a different error page, informing them of their locked status.

2. I would like to remove the lock time and force an administrator to remove the lock.

Has anyone worked in this realm, or should I just develop customized security?

Greg

RE: Advanced LockoutRealm procedures

Posted by "Robillard, Greg L" <gr...@lmco.com>.
Thanks

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org]
Sent: Wednesday, June 30, 2010 9:37 AM
To: Tomcat Users List
Subject: Re: Advanced LockoutRealm procedures

On 30/06/2010 14:50, Robillard, Greg L wrote:
> I am using the LockoutRealm on my application.  I am looking for some advanced features.
>
>
> 1. I would like to redirect a locked user to a different error page, informing them of their locked status.

That would require customizing the Realm. A patch to do this would not be accepted in the Tomcat code base since it is a (minor) security vulnerability (it tells an attacker they have a valid user id but an invalid password).

> 2. I would like to remove the lock time and force an administrator to remove the lock.

That would also require customizing the Realm. A patch to do this would be accepted providing that the current practice of using a size limited LRU cache for the locked out users remained. I'd suggest values < 0 representing infinite lockout. Note the unlock feature already exists and can be accessed via JMX.

> Has anyone worked in this realm, or should I just develop customized security?

Apart from me (I wrote it) I don't recall anyone touching that part of the code.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




Re: Advanced LockoutRealm procedures

Posted by Mark Thomas <ma...@apache.org>.
On 30/06/2010 14:50, Robillard, Greg L wrote:
> I am using the LockoutRealm on my application.  I am looking for some advanced features.
>
>
> 1. I would like to redirect a locked user to a different error page, informing them of their locked status.

That would require customizing the Realm. A patch to do this would not 
be accepted in the Tomcat code base since it is a (minor) security 
vulnerability (it tells an attacker they have a valid user id but an 
invalid password).

> 2. I would like to remove the lock time and force an administrator to remove the lock.

That would also require customizing the Realm. A patch to do this would 
be accepted providing that the current practice of using a size limited 
LRU cache for the locked out users remained. I'd suggest values < 0 
representing infinite lockout. Note the unlock feature already exists 
and can be accessed via JMX.

> Has anyone worked in this realm, or should I just develop customized security?

Apart from me (I wrote it) I don't recall anyone touching that part of 
the code.

Mark

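The following is an added example written for this page, not code from the thread or from Tomcat's own org.apache.catalina.realm.LockOutRealm. It models the two design points Mark makes above in one small policy class: a locked account and a wrong password both produce the same result (None), so the caller learns nothing about whether the user id exists or is locked, and a negative lockout time means the lock never expires and only an administrative unlock() clears it, while the failure table stays a size-limited LRU cache. The attribute names mirror Tomcat's failureCount, lockOutTime and cacheSize, but the internals are assumed; sample_check, ManualClock and the evicted_while_locked counter are constructed for the example. It also shows the trade-off of keeping that table bounded: flooding it with failures for other user names evicts a live lock.

```python
"""Model of the LockOutRealm behaviour discussed in the thread.

Illustrative code added for this page; it is not Tomcat's
org.apache.catalina.realm.LockOutRealm. The attribute names mirror
Tomcat's failureCount / lockOutTime / cacheSize; the internals are assumed.
"""
from collections import OrderedDict
import time


class ManualClock:
    """Constructed test clock so lock expiry can be exercised without sleeping."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def sample_check(username, password):
    """Constructed stand-in for the wrapped realm's credential check."""
    return (username, password) == ("alice", "correct horse battery staple")


class LockoutPolicy:
    """Failure-count lock-out in front of a credential check.

    Points from the thread that this models:
      * failed users live in a size-limited LRU table (cache_size); when it
        overflows, the least recently seen record is dropped even if locked
      * lockout_time < 0 means the lock never expires; only unlock() clears it
        (the administrative operation Tomcat exposes over JMX)
      * a locked account and a wrong password both yield None, so a caller
        cannot distinguish a valid-but-locked user id from any other failure
    """

    def __init__(self, check_password, failure_count=5, lockout_time=300,
                 cache_size=1000, clock=time.time):
        self._check_password = check_password
        self.failure_count = failure_count
        self.lockout_time = lockout_time      # seconds; negative = indefinite
        self.cache_size = cache_size
        self._clock = clock
        self._failed = OrderedDict()          # user -> [failures, last_failure]
        self.evicted_while_locked = 0         # operator signal: cache too small

    def is_locked(self, username):
        record = self._failed.get(username)
        if record is None or record[0] < self.failure_count:
            return False
        if self.lockout_time < 0:
            return True
        return self._clock() - record[1] < self.lockout_time

    def authenticate(self, username, password):
        """Return the principal (here just the user name) or None."""
        if self.is_locked(username):
            # Attempts against a locked account are failures too: the back-end
            # check is skipped and the lock's last-failure time is refreshed.
            self._register_failure(username)
            return None
        if self._check_password(username, password):
            self._failed.pop(username, None)  # success clears the history
            return username
        self._register_failure(username)
        return None

    def unlock(self, username):
        """Administrative unlock; True if a record was cleared."""
        return self._failed.pop(username, None) is not None

    def locked_users(self):
        return [user for user in self._failed if self.is_locked(user)]

    def _register_failure(self, username):
        now = self._clock()
        failures, last = self._failed.pop(username, (0, now))
        if self.lockout_time >= 0 and now - last >= self.lockout_time:
            failures = 0                      # an expired lock starts over
        self._failed[username] = [failures + 1, now]   # re-insert at MRU end
        while len(self._failed) > self.cache_size:
            oldest = next(iter(self._failed))
            if self.is_locked(oldest):
                self.evicted_while_locked += 1
            del self._failed[oldest]
```

Because authenticate() answers None for a locked user exactly as it does for a bad password, an error page that says "your account is locked" cannot be driven from this return value without reintroducing the disclosure Mark describes; the lock state is only visible through the administrative side (locked_users() and unlock() here, the JMX unlock operation in Tomcat). The evicted_while_locked counter is not a Tomcat feature; it is there to make the cache-size trade-off visible to whoever operates the policy.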