https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #3 from jchobanto...@yahoo.com ---

I’m sorry, but the fix is not going to expose anything to the user. The end user is still going to get unauthenticated, but we are going to invoke our inner realms, like JAASRealm, which is not needed at all.

See how the filterLockedAccounts method works: it will invoke the inner realm and then it will check if the user is locked. If so, it will return null to the user as Principal, e.g. unauthenticated. My suggestion is to just do another upfront check if the user is locked, to not invoke the inner user realms, because this will not change anything. The result will be unauthenticated and nothing is exposed to the user that you have a lockout realm. The result is the same; just don’t invoke inner realms unnecessarily when the result will be null.
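A simplified model of the two orderings discussed in this comment, added here as an illustration; it is not Tomcat's LockOutRealm source and not the commenter's patch. The class and method names, the failure threshold of 3 and the sample credentials are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of a lockout wrapper around an inner realm.
public class LockOutOrderingDemo {
    interface InnerRealm { String authenticate(String user, String password); }

    static class LockOutWrapper {
        private final InnerRealm inner;
        private final int failureLimit;          // assumed threshold
        private final boolean checkLockFirst;    // true = ordering proposed in the comment
        private final Map<String, Integer> failures = new HashMap<>();

        LockOutWrapper(InnerRealm inner, int failureLimit, boolean checkLockFirst) {
            this.inner = inner;
            this.failureLimit = failureLimit;
            this.checkLockFirst = checkLockFirst;
        }

        boolean isLocked(String user) {
            return failures.getOrDefault(user, 0) >= failureLimit;
        }

        String authenticate(String user, String password) {
            if (checkLockFirst && isLocked(user)) {
                return null;                     // proposed: inner realm is never called
            }
            String principal = inner.authenticate(user, password);
            if (principal == null) {
                failures.merge(user, 1, Integer::sum);   // record the failed attempt
            }
            if (isLocked(user)) {
                return null;                     // described: lock checked after the inner call
            }
            if (principal != null) {
                failures.remove(user);           // success clears the failure count
            }
            return principal;
        }
    }

    public static void main(String[] args) {
        for (boolean upfront : new boolean[] {false, true}) {
            int[] innerCalls = {0};              // counts invocations of the inner realm
            InnerRealm realm = (u, p) -> { innerCalls[0]++; return "s3cret".equals(p) ? u : null; };
            LockOutWrapper w = new LockOutWrapper(realm, 3, upfront);
            for (int i = 0; i < 3; i++) w.authenticate("alice", "wrong");  // lock the account
            innerCalls[0] = 0;
            String result = w.authenticate("alice", "s3cret");  // correct password, locked account
            System.out.printf("checkLockFirst=%b result=%s innerCalls=%d%n", upfront, result, innerCalls[0]);
        }
    }
}
```

Both orderings return null for the locked account; they differ in whether the inner realm is invoked, and so in the work done per request and in whether attempts made while locked are still counted as failures.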