Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/07/01 11:57:07 UTC

svn commit: r959580 - in /tomcat/trunk: conf/server.xml webapps/docs/changelog.xml

Author: markt
Date: Thu Jul  1 09:57:07 2010
New Revision: 959580

URL: http://svn.apache.org/viewvc?rev=959580&view=rev
Log:
Improve default security settings. Enable the LockOutRealm by default.

Modified:
    tomcat/trunk/conf/server.xml
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/conf/server.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/server.xml?rev=959580&r1=959579&r2=959580&view=diff
==============================================================================
--- tomcat/trunk/conf/server.xml (original)
+++ tomcat/trunk/conf/server.xml Thu Jul  1 09:57:07 2010
@@ -106,12 +106,16 @@
       <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
       -->        
 
-      <!-- This Realm uses the UserDatabase configured in the global JNDI
-           resources under the key "UserDatabase".  Any edits
-           that are performed against this UserDatabase are immediately
-           available for use by the Realm.  -->
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
+      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+           via a brute-force attack -->
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
+        <!-- This Realm uses the UserDatabase configured in the global JNDI
+             resources under the key "UserDatabase".  Any edits
+             that are performed against this UserDatabase are immediately
+             available for use by the Realm.  -->
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+               resourceName="UserDatabase"/>
+      </Realm>
 
       <!-- Define the default virtual host
            Note: XML Schema validation will not work with Xerces 2.2.
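Review bot: The LockOutRealm wrapper on L35 is added with no attributes, so the failure threshold and lock-out duration are whatever the class defaults to, and the comment on L33-34 gives an administrator no hint that these are tunable or what the trade-off is. A lock-out realm of this kind tracks failures per user name (as I understand the implementation), so an unauthenticated client that knows or guesses a valid user name can deliberately lock that account out: the change trades brute-force resistance for an account-lockout denial of service, and the defaults should be sized with that in mind. I would extend the comment to `<!-- Use the LockOutRealm to slow brute-force password guessing. Lock-out is tracked per user name, so an attacker can lock valid users out; tune failureCount and lockOutTime (see the LockOutRealm documentation) for your deployment. -->`, hedging the attribute names against the realm's documentation. The enclosing Engine element starts and ends outside the hunk.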

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=959580&r1=959579&r2=959580&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Jul  1 09:57:07 2010
@@ -75,6 +75,10 @@
         Add support for <code>*.jar</code> pattern in VirtualWebappLoader.
         (kkolinko)
       </add>
+      <add>
+        Use a LockOutRealm in the default configuration to prevent attempts to
+        guess user passwords by brute-force. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">


