Advanced LockoutRealm procedures
Using the LockoutRealm is running on my application. I am looking for some advanced features. 1.I would like to re-direct a locked user to a different error page, informing them of their locked status. 2. I would like to remove the lock time and force an administrator to remove the lock. Has anyone worked in this realm, or should I just develop customized security. Greg
Re: Advanced LockoutRealm procedures
On 30/06/2010 14:50, Robillard, Greg L wrote: Using the LockoutRealm is running on my application. I am looking for some advanced features. 1.I would like to re-direct a locked user to a different error page, informing them of their locked status. That would require customizing the Realm. A patch to do this would not be accepted in the Tomcat code base since it is a (minor) security vulnerability (it tells an attacker they have a valid user id but an invalid password). 2. I would like to remove the lock time and force an administrator to remove the lock. That would also require customizing the Realm. A patch to do this would be accepted providing that the current practice of using a size limited LRU cache for the locked out users remained. I'd suggest values 0 representing infinite lockout. Note the unlock feature already exists and can be accessed via JMX. Has anyone worked in this realm, or should I just develop customized security. Apart from me (I wrote it) I don't recall anyone touching that part of the code. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Advanced LockoutRealm procedures
Thanks -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Wednesday, June 30, 2010 9:37 AM To: Tomcat Users List Subject: Re: Advanced LockoutRealm procedures On 30/06/2010 14:50, Robillard, Greg L wrote: Using the LockoutRealm is running on my application. I am looking for some advanced features. 1.I would like to re-direct a locked user to a different error page, informing them of their locked status. That would require customizing the Realm. A patch to do this would not be accepted in the Tomcat code base since it is a (minor) security vulnerability (it tells an attacker they have a valid user id but an invalid password). 2. I would like to remove the lock time and force an administrator to remove the lock. That would also require customizing the Realm. A patch to do this would be accepted providing that the current practice of using a size limited LRU cache for the locked out users remained. I'd suggest values 0 representing infinite lockout. Note the unlock feature already exists and can be accessed via JMX. Has anyone worked in this realm, or should I just develop customized security. Apart from me (I wrote it) I don't recall anyone touching that part of the code. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
