Remy Maucherat wrote:
> On Wed, 2008-09-03 at 23:25 +0100, Mark Thomas wrote:
>> [EMAIL PROTECTED] wrote:
>>> Author: markt
>>> Date: Wed Sep 3 15:18:39 2008
>>> New Revision: 691805
>>>
>>> URL: http://svn.apache.org/viewvc?rev=691805&view=rev
>>> Log:
>>> Add a new combined Realm that can be used to try authenticating against
>>> multiple realms.
>
>> Note that whilst users have been asking for this for a while, I wrote this
>> as the basis for a LockOut Realm (to follow) that will lock out users after
>> a set number of failed logins (with lots of configuration options). This
>> is in response to the incidents back in July/August where it appeared
>> attackers were using brute force attacks to gain access to Tomcat webapps,
>> mainly the admin and manager app. Granted these apps shouldn't be public
>> facing but adding LockOut functionality to the Realms is a good idea from a
>> security point of view.
>>
>> The LockOut Realm will follow when I finish writing it ;)
>
> Ah ok, but besides some special functions realms like this LockOut
> thing, it does not seem to me like good security to store credentials in
> multiple places :(
There are pros and cons of a single user repository. Just about every organisation I have ever worked with has had multiple user repositories of one form or another. I'd have to go back over the user archives but the sort of requirements I recall are things like:

- post company merger get user info from two (or more) different LDAP directories
- 'normal' users from XYZ database and the sys admins from some other source

etc.

If there is a risk of duplicate user names in the repositories then that could be an issue.

To be honest, the combined realm is a potentially useful side effect of what looks to be the easiest way of doing the lock out which is my real focus here.

Mark
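A toy model of the two pieces discussed in this thread, added here as an illustration and not code from Tomcat, from the commit above, or from either poster: a combined realm that tries its sub-realms in order, wrapped in a lock-out realm that refuses a username after a set number of consecutive failures. It is written in Python rather than Java so it runs stand-alone; every class name, the in-memory user stores and the sample users are constructed for the demonstration, and the thresholds (3 failures, 300 seconds) are assumptions, not Tomcat settings. The demo also exercises the duplicate-username hazard Mark raises: when two stores both hold a user called "shared", the combined realm accepts either store's password and hands back a different principal each time.

```python
"""Toy CombinedRealm / LockOutRealm model (added example, not Tomcat code)."""
import hmac
import time
from typing import Callable, Dict, List, Optional, Sequence


class Realm:
    """Minimal realm contract: return a principal string or None."""

    def authenticate(self, username: str, credentials: str) -> Optional[str]:
        raise NotImplementedError


class MemoryRealm(Realm):
    """In-memory user store standing in for one LDAP directory or database."""

    def __init__(self, name: str, users: Dict[str, str]) -> None:
        self.name = name
        self._users = users

    def authenticate(self, username, credentials):
        stored = self._users.get(username)
        # Constant-time compare so a near-miss is not distinguishable by timing.
        if stored is not None and hmac.compare_digest(stored.encode(), credentials.encode()):
            return f"{username}@{self.name}"
        return None


class CombinedRealm(Realm):
    """Try each sub-realm in order and return the first principal found.
    A username present in two stores is accepted with either store's password."""

    def __init__(self, realms: Sequence[Realm]) -> None:
        self._realms = list(realms)

    def authenticate(self, username, credentials):
        for realm in self._realms:
            principal = realm.authenticate(username, credentials)
            if principal is not None:
                return principal
        return None


class LockOutRealm(Realm):
    """Wrap any realm; refuse a username after `failure_count` consecutive
    failures until `lockout_seconds` have passed since the last failure."""

    def __init__(self, inner: Realm, failure_count: int = 5, lockout_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._inner = inner
        self.failure_count = failure_count
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures: Dict[str, int] = {}
        self._last_failure: Dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        if self._failures.get(username, 0) < self.failure_count:
            return False
        return self._clock() - self._last_failure[username] < self.lockout_seconds

    def authenticate(self, username, credentials):
        if self.is_locked(username):
            # Locked: refuse without consulting the inner realm, so a correct
            # guess inside the window looks exactly like a wrong one.
            return None
        principal = self._inner.authenticate(username, credentials)
        if principal is None:
            self._failures[username] = self._failures.get(username, 0) + 1
            self._last_failure[username] = self._clock()
            return None
        # A successful login clears the failure history for that username.
        self._failures.pop(username, None)
        self._last_failure.pop(username, None)
        return principal


class FakeClock:
    """Controllable clock so the lock-out window can be tested without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[Optional[str]]:
    clock = FakeClock()
    # Constructed sample stores: two directories with one overlapping username.
    corp = MemoryRealm("corp-ldap", {"alice": "alice-pw", "shared": "corp-pw"})
    acquired = MemoryRealm("acquired-ldap", {"bob": "bob-pw", "shared": "acq-pw"})
    realm = LockOutRealm(CombinedRealm([corp, acquired]),
                         failure_count=3, lockout_seconds=300, clock=clock)
    results = [
        realm.authenticate("alice", "alice-pw"),   # alice@corp-ldap
        realm.authenticate("bob", "bob-pw"),       # bob@acquired-ldap
        realm.authenticate("shared", "corp-pw"),   # shared@corp-ldap
        realm.authenticate("shared", "acq-pw"),    # shared@acquired-ldap: same name, other identity
    ]
    for _ in range(3):
        results.append(realm.authenticate("alice", "wrong"))  # None x3, alice is now locked
    results.append(realm.authenticate("alice", "alice-pw"))   # None: right password, still locked
    clock.advance(301)
    results.append(realm.authenticate("alice", "alice-pw"))   # alice@corp-ldap once the window passes
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

The lock-out check runs before the inner realm is consulted, so a locked username costs no directory round trip and a correct password cannot be confirmed during the window; the counter is keyed on the username alone, which is what makes the wrapper independent of how many stores sit beneath it.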