Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/07/01 11:57:07 UTC
svn commit: r959580 - in /tomcat/trunk: conf/server.xml webapps/docs/changelog.xml
Author: markt
Date: Thu Jul 1 09:57:07 2010
New Revision: 959580
URL: http://svn.apache.org/viewvc?rev=959580&view=rev
Log:
Improve default security settings. Enable the LockOutRealm by default.
Modified:
tomcat/trunk/conf/server.xml
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/conf/server.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/server.xml?rev=959580&r1=959579&r2=959580&view=diff
==============================================================================
--- tomcat/trunk/conf/server.xml (original)
+++ tomcat/trunk/conf/server.xml Thu Jul 1 09:57:07 2010
@@ -106,12 +106,16 @@
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
- <!-- This Realm uses the UserDatabase configured in the global JNDI
- resources under the key "UserDatabase". Any edits
- that are performed against this UserDatabase are immediately
- available for use by the Realm. -->
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
- resourceName="UserDatabase"/>
+ <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+ via a brute-force attack -->
+ <Realm className="org.apache.catalina.realm.LockOutRealm">
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+ </Realm>
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
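Review bot: the new comment at the top of this hunk says the LockOutRealm will "prevent" password guessing, but the wrapper is added with no attributes, so it runs on the realm's documented defaults (failureCount="5", lockOutTime="300" seconds, cacheSize="1000"); that only throttles guessing to a few attempts per five-minute window per user name, and it also means anyone who knows a user name can lock that user out by sending a handful of wrong passwords. Suggest writing the defaults out so administrators tuning server.xml can see them, e.g. `<Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="300">`, and rewording the comment to say the realm slows brute-force attacks and locks the user out after repeated failures rather than preventing them, so the lockout side effect is visible where the setting lives.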
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=959580&r1=959579&r2=959580&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Jul 1 09:57:07 2010
@@ -75,6 +75,10 @@
Add support for <code>*.jar</code> pattern in VirtualWebappLoader.
(kkolinko)
</add>
+ <add>
+ Use a LockOutRealm in the default configuration to prevent attempts to
+ guess user passwords by brute-force. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">
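Review bot: the changelog entry in this hunk records the intent (stop brute-force guessing) but not the user-visible behaviour change, namely that repeated failed logins against the default UserDatabase realm now lock the account for a period, which administrators upgrading an existing install will see as authentication failures that a correct password does not fix. Suggest adding a sentence that accounts are locked after repeated failures, pointing at the LockOutRealm section of the Realm configuration documentation for the tuning attributes, and replacing "prevent" with "slow down" so the entry matches what a lockout actually does.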