You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/06/20 18:23:01 UTC
svn commit: r1749375 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/catalina/realm/LockOutRealm.java webapps/docs/changelog.xml webapps/docs/config/realm.xml

Author: markt
Date: Mon Jun 20 18:23:01 2016
New Revision: 1749375

URL: http://svn.apache.org/viewvc?rev=1749375&view=rev
Log:
Modify the lock out logic. Valid authentication attempts during the lock out period will no longer reset the lock out timer to zero. 

Modified:
    tomcat/tc8.5.x/trunk/   (props changed)
    tomcat/tc8.5.x/trunk/java/org/apache/catalina/realm/LockOutRealm.java
    tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
    tomcat/tc8.5.x/trunk/webapps/docs/config/realm.xml

Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Jun 20 18:23:01 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501
 ,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747404,1747506,1747536,1747924,1747980,1747
 993,1748001,1748253,1748452,1748547,1748676,1748715,1749287,1749296,1749328,1749373
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501
 ,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747404,1747506,1747536,1747924,1747980,1747
 993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373

Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/realm/LockOutRealm.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/realm/LockOutRealm.java?rev=1749375&r1=1749374&r2=1749375&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/realm/LockOutRealm.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/realm/LockOutRealm.java Mon Jun 20 18:23:01 2016
@@ -139,23 +139,9 @@ public class LockOutRealm extends Combin
             String nonce, String nc, String cnonce, String qop,
             String realmName, String md5a2) {
 
-        if (isLocked(username)) {
-            // Trying to authenticate a locked user is an automatic failure
-            registerAuthFailure(username);
-
-            log.warn(sm.getString("lockOutRealm.authLockedUser", username));
-            return null;
-        }
-
-        Principal authenticatedUser = super.authenticate(username, clientDigest,
-                nonce, nc, cnonce, qop, realmName, md5a2);
-
-        if (authenticatedUser == null) {
-            registerAuthFailure(username);
-        } else {
-            registerAuthSuccess(username);
-        }
-        return authenticatedUser;
+        Principal authenticatedUser = super.authenticate(username, clientDigest, nonce, nc, cnonce,
+                qop, realmName, md5a2);
+        return filterLockedAccounts(username, authenticatedUser);
     }
 
 
@@ -169,22 +155,8 @@ public class LockOutRealm extends Combin
      */
     @Override
     public Principal authenticate(String username, String credentials) {
-        if (isLocked(username)) {
-            // Trying to authenticate a locked user is an automatic failure
-            registerAuthFailure(username);
-
-            log.warn(sm.getString("lockOutRealm.authLockedUser", username));
-            return null;
-        }
-
         Principal authenticatedUser = super.authenticate(username, credentials);
-
-        if (authenticatedUser == null) {
-            registerAuthFailure(username);
-        } else {
-            registerAuthSuccess(username);
-        }
-        return authenticatedUser;
+        return filterLockedAccounts(username, authenticatedUser);
     }
 
 
@@ -202,22 +174,8 @@ public class LockOutRealm extends Combin
             username = certs[0].getSubjectDN().getName();
         }
 
-        if (isLocked(username)) {
-            // Trying to authenticate a locked user is an automatic failure
-            registerAuthFailure(username);
-
-            log.warn(sm.getString("lockOutRealm.authLockedUser", username));
-            return null;
-        }
-
         Principal authenticatedUser = super.authenticate(certs);
-
-        if (authenticatedUser == null) {
-            registerAuthFailure(username);
-        } else {
-            registerAuthSuccess(username);
-        }
-        return authenticatedUser;
+        return filterLockedAccounts(username, authenticatedUser);
     }
 
 
@@ -238,23 +196,9 @@ public class LockOutRealm extends Combin
 
             username = name.toString();
 
-            if (isLocked(username)) {
-                // Trying to authenticate a locked user is an automatic failure
-                registerAuthFailure(username);
+            Principal authenticatedUser = super.authenticate(gssContext, storeCreds);
 
-                log.warn(sm.getString("lockOutRealm.authLockedUser", username));
-                return null;
-            }
-
-            Principal authenticatedUser =
-                    super.authenticate(gssContext, storeCreds);
-
-            if (authenticatedUser == null) {
-                registerAuthFailure(username);
-            } else {
-                registerAuthSuccess(username);
-            }
-            return authenticatedUser;
+            return filterLockedAccounts(username, authenticatedUser);
         }
 
         // Fail in all other cases
@@ -262,6 +206,30 @@ public class LockOutRealm extends Combin
     }
 
 
+    /*
+     * Filters authenticated principals to ensure that <code>null</code> is
+     * returned for any user that is currently locked out.
+     */
+    private Principal filterLockedAccounts(String username, Principal authenticatedUser) {
+        // Register all failed authentications
+        if (authenticatedUser == null) {
+            registerAuthFailure(username);
+        }
+
+        if (isLocked(username)) {
+            // If the user is currently locked, authentication will always fail
+            log.warn(sm.getString("lockOutRealm.authLockedUser", username));
+            return null;
+        }
+
+        if (authenticatedUser != null) {
+            registerAuthSuccess(username);
+        }
+
+        return authenticatedUser;
+    }
+
+
     /**
      * Unlock the specified username. This will remove all records of
      * authentication failures for this user.

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1749375&r1=1749374&r2=1749375&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Mon Jun 20 18:23:01 2016
@@ -79,6 +79,11 @@
         at that point and the web resources may not be correctly configured.
         (markt)
       </fix>
+      <fix>
+        <bug>59708</bug>: Modify the LockOutRealm logic. Valid authentication
+        attempts during the lock out period will no longer reset the lock out
+        timer to zero. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/realm.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/realm.xml?rev=1749375&r1=1749374&r2=1749375&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/config/realm.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/config/realm.xml Mon Jun 20 18:23:01 2016
@@ -1034,7 +1034,11 @@
 
       <attribute name="lockOutTime" required="false">
        <p>The time (in seconds) a user is locked out for after too many
-       authentication failures. Defaults to 300 (5 minutes).</p>
+       authentication failures. Defaults to 300 (5 minutes). Further
+       authentication failures during the lock out time will cause the lock out
+       timer to reset to zero, effectively extending the lock out time. Valid
+       authentication attempts during the lock out period will not succeed but
+       will also not reset the lock out time.</p>
       </attribute>
 
     </attributes>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org