https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
Bug ID: 63334
Summary: LockOutRealm will continue to invoke inner user realms even when the user is locked out
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: jchobanto...@yahoo.com
Target Milestone: ---

In case the user is locked out there is no need to invoke the inner realms, as the result will always be an unauthenticated user.

In LockOutRealm, modify each authenticate method to first check whether the user is locked out; if so, return that the user is locked out without invoking the inner realms.

So from this:

    @Override
    public Principal authenticate(String username, String clientDigest, String nonce,
            String nc, String cnonce, String qop, String realmName, String md5a2) {
        Principal authenticatedUser = super.authenticate(username, clientDigest, nonce,
                nc, cnonce, qop, realmName, md5a2);
        return filterLockedAccounts(username, authenticatedUser);
    }

To this:

    @Override
    public Principal authenticate(String username, String clientDigest, String nonce,
            String nc, String cnonce, String qop, String realmName, String md5a2) {
        if (isLocked(username)) {
            // If the user is currently locked, authentication will always fail
            log.warn(sm.getString("lockOutRealm.authLockedUser", username));
            return null;
        }
        Principal authenticatedUser = super.authenticate(username, clientDigest, nonce,
                nc, cnonce, qop, realmName, md5a2);
        return filterLockedAccounts(username, authenticatedUser);
    }

And that logic applied to all authenticate methods.
This will prevent hitting the backend user realms in case the user is locked out because an invalid username/password has been used multiple times and the user got locked out. This will act as denial-of-service attack prevention as well: most likely someone is trying to brute-force guess the user's password, and each time the user is locked out the back end will be hit again and again, no matter that the result will be an unauthenticated user.
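The difference the report describes, as an added example that is neither the reporter's code nor Tomcat's own: a simplified Python model of LockOutRealm wrapping one inner realm, run once with the current behaviour (inner realm consulted on every attempt) and once with the proposed check before the inner call, counting how often the backend is hit. The CountingRealm stand-in, the dict-based failure record, and the FAILURE_COUNT / LOCK_OUT_TIME thresholds are assumptions of this model, not Tomcat's implementation.

```python
import time

FAILURE_COUNT = 5      # assumed threshold, like LockOutRealm's failureCount attribute
LOCK_OUT_TIME = 300.0  # assumed lockout window in seconds, like lockOutTime

class CountingRealm:
    """Stand-in for an inner realm (directory or database backend); counts hits."""
    def __init__(self, users):
        self.users, self.calls = users, 0

    def authenticate(self, username, password):
        self.calls += 1
        return username if self.users.get(username) == password else None

class LockOutRealm:
    """Simplified model of Tomcat's LockOutRealm wrapping one inner realm."""
    def __init__(self, inner, short_circuit, clock=time.monotonic):
        self.inner, self.clock = inner, clock
        self.short_circuit = short_circuit  # True = check isLocked before inner realm
        self.failures = {}  # username -> (failure count, time of last failure)

    def is_locked(self, username):
        count, last = self.failures.get(username, (0, 0.0))
        return count >= FAILURE_COUNT and self.clock() - last < LOCK_OUT_TIME

    def filter_locked_accounts(self, username, principal):
        if principal is None:  # record the failure, possibly tipping into lockout
            count, _ = self.failures.get(username, (0, 0.0))
            self.failures[username] = (count + 1, self.clock())
            return None
        if self.is_locked(username):
            return None  # credentials valid, but the lockout window is still open
        self.failures.pop(username, None)
        return principal

    def authenticate(self, username, password):
        if self.short_circuit and self.is_locked(username):
            return None  # locked: the inner realm is not consulted at all
        principal = self.inner.authenticate(username, password)
        return self.filter_locked_accounts(username, principal)

def backend_hits(short_circuit, attempts=20):
    """Inner-realm calls caused by `attempts` wrong passwords for one user."""
    inner = CountingRealm({"alice": "s3cret"})
    realm = LockOutRealm(inner, short_circuit)
    for _ in range(attempts):
        assert realm.authenticate("alice", "wrong") is None
    return inner.calls
```

With the check in place the backend sees only the attempts up to the lockout threshold; without it every attempt reaches the backend while the caller still gets an unauthenticated result.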