https://bz.apache.org/bugzilla/show_bug.cgi?id=63334

            Bug ID: 63334
           Summary: LockOutRealm will continue to invoke inner user realms
                    even when the user is locked out
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: jchobanto...@yahoo.com
  Target Milestone: ----

If the user is locked out there is no need to invoke the inner realms, as the
result will always be an unauthenticated user.

In LockOutRealm, modify each authenticate method to first check whether the
user is locked out; if so, return the locked-out result (null) without invoking
the inner realms.

So from this:

    @Override
    public Principal authenticate(String username, String clientDigest,
            String nonce, String cnonce, String qop, String nc,
            String realmName, String md5a2) {

        // The inner realms are always consulted, even for a locked-out user;
        // the lock is only applied to the result afterwards.
        Principal authenticatedUser = super.authenticate(username,
                clientDigest, nonce, nc, cnonce, qop, realmName, md5a2);
        return filterLockedAccounts(username, authenticatedUser);
    }

To this:

    @Override
    public Principal authenticate(String username, String clientDigest,
            String nonce, String cnonce, String qop, String nc,
            String realmName, String md5a2) {
        if (isLocked(username)) {
            // If the user is currently locked, authentication will always fail,
            // so reject here without touching the inner realms.
            log.warn(sm.getString("lockOutRealm.authLockedUser", username));
            return null;
        }
        Principal authenticatedUser = super.authenticate(username,
                clientDigest, nonce, nc, cnonce, qop, realmName, md5a2);
        return filterLockedAccounts(username, authenticatedUser);
    }

The same logic should be applied to all authenticate methods. This prevents
hitting the backend user realms when the user is locked out because an invalid
username/password was used multiple times. It also acts as denial-of-service
prevention: most likely someone is trying to brute-force the user's password,
and each attempt gets the locked-out result, yet the backend is hit again and
again even though the outcome will always be an unauthenticated user.
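To show what the up-front check buys, here is an added stand-alone model that is not Tomcat's LockOutRealm and not code from this report: a hypothetical counting backend wrapped by a simplified lock-out realm, run with and without the proposed check. The constants, the "alice"/"s3cret" credentials and the method names are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified stand-in for LockOutRealm, added for illustration; not Tomcat's code. */
public class LockOutDemo {
    static final int FAILURE_COUNT = 5;           // failed logins before lock-out
    static final long LOCK_OUT_MILLIS = 300_000L; // how long a lock lasts
    final boolean checkLockFirst;                 // true = the change proposed in this bug
    final Map<String, Integer> failures = new HashMap<>();
    final Map<String, Long> lockedAt = new HashMap<>();
    int backendCalls = 0;                         // how often the inner realm was consulted

    LockOutDemo(boolean checkLockFirst) { this.checkLockFirst = checkLockFirst; }
    /** Hypothetical inner realm: the expensive backend lookup we want to spare. */
    String innerAuthenticate(String user, String password) {
        backendCalls++;
        return "alice".equals(user) && "s3cret".equals(password) ? user : null;
    }

    boolean isLocked(String user, long now) {
        Long t = lockedAt.get(user);
        return t != null && now - t < LOCK_OUT_MILLIS;
    }

    String authenticate(String user, String password, long now) {
        if (checkLockFirst && isLocked(user, now)) {
            return null;                           // reject before touching the inner realm
        }
        String p = innerAuthenticate(user, password);
        if (p == null) {                           // failure: count it, lock at the threshold
            if (failures.merge(user, 1, Integer::sum) >= FAILURE_COUNT) lockedAt.put(user, now);
        } else if (isLocked(user, now)) {
            p = null;                              // original path: filter locked accounts afterwards
        } else {
            failures.remove(user);                 // success clears the failure count
        }
        return p;
    }

    public static void main(String[] args) {
        for (boolean first : new boolean[] {false, true}) {
            LockOutDemo realm = new LockOutDemo(first);
            for (int i = 0; i < 20; i++) realm.authenticate("alice", "wrong", 1_000L);
            // 20 bad passwords: 20 backend calls without the check, 5 with it
            System.out.println("checkLockFirst=" + first + ": backend calls = " + realm.backendCalls);
            // the correct password is still rejected while the lock lasts
            System.out.println("  login during lock-out -> " + realm.authenticate("alice", "s3cret", 2_000L));
        }
    }
}
```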
