Hi.
On 12.10.2018 16:38, Tony Esposito wrote:
Hello,
Using Tomcat 8.0.22 on Linux CentOS 6.10:
Trying to set up Tomcat to authenticate users that use Basic Auth.
I could (possibly) enter these users into the tomcat-users.xml
file but we are dealing with 1000 potential users.
What happens instead is (of course) the users fail to authenticate, and then subsequent attempts by the same user lock the user's account.
11-Oct-2018 16:21:37.970 WARNING [http-nio-8088-exec-25]
org.apache.catalina.realm.LockOutRealm.authenticate An attempt was made to authenticate
the locked user "myuser"
This is 'normal' since after a failed attempt to log in,
Tomcat suspects a 'brute force attack' and locks the account.
I don't want to lose that security, but (as mentioned above) I can't just enter all users into the tomcat-users.xml file.
So the basic question: How to do authentication of 1000 users that use Basic
Auth?
Thanks.
Tony
There are two separate parts to this (and it is not specific to Tomcat):
- the "basic auth" part is the way it talks to the browser to get a userid/pw (in this case, through a browser popup dialog)
- the "realm" is the way that the server *verifies* the user-id/pw with some back-end "authority". In your case, you have specified that this realm is a file. But it can be something else, like a database.
The two are independent, and you can mix and match according to your needs.
The on-line Tomcat documentation helps, see:
http://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html
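As an added illustration of that split (example configuration, not from either message or from the Tomcat docs): the LockOutRealm from the log line above is kept, but it wraps a database-backed DataSourceRealm instead of the file-based one, while the BASIC login-config in web.xml is left alone. The JNDI name, table and column names, pool settings and JDBC driver are assumptions for the example.

```xml
<!-- server.xml, inside <Engine> or <Host>: the "realm" half.
     LockOutRealm keeps the brute-force lockout; the nested realm decides
     where credentials are verified (here a database, not tomcat-users.xml). -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5" lockOutTime="300">
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/AuthDB"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name">
    <!-- Assumed schema: users(user_name, user_pass), user_roles(user_name, role_name).
         Store salted, iterated SHA-256 digests in user_pass, not plaintext. -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256" iterations="10000" saltLength="16"/>
  </Realm>
</Realm>

<!-- server.xml, inside <GlobalNamingResources>: the pool the realm looks up by name.
     Driver, URL and credentials are placeholders. -->
<Resource name="jdbc/AuthDB" auth="Container" type="javax.sql.DataSource"
          driverClassName="org.postgresql.Driver"
          url="jdbc:postgresql://localhost:5432/auth"
          username="tomcat_auth" password="CHANGE_ME"
          maxTotal="20" maxIdle="5"/>

<!-- WEB-INF/web.xml of the application: the "basic auth" half, unchanged by the realm swap.
     CONFIDENTIAL forces HTTPS, since Basic Auth sends the password base64-encoded, not encrypted. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example</realm-name>
</login-config>
```

Existing tomcat-users.xml entries can be dropped once the rows exist in the users table; the lockout behaviour and its WARNING log line stay exactly as before.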