Tony,

On 10/12/18 14:45, Tony Esposito wrote:
> Thank you André for this feedback.
> 
> If I may, I wish to approach this from another angle.  (The user 
> community is larger than at first anticipated).

Since you are switching away from tomcat-users.xml to a real data
store, why does a larger user community change things further?

> If the header received has a certain password (which is static for 
> all users requesting access), then bypass Basic Auth and let the
> user connect.
> 
> (The application does more security checking and authentication on 
> the header.)
> 
> So the question becomes:
> 
> How to disable Basic Auth when the header contains a password
> which is static for all users requesting access?

This makes zero sense.

HTTP Basic authentication will require the user to enter their
credentials. Once they enter their credentials, you'll inspect the
password for some magic value and then you want to retroactively
DISABLE HTTP Basic auth? I believe that requires timey-wimeyness.

Why not simply always require username+password, and then
opportunistically perform additional checks (as mentioned, but not
described) above? Once the user has authenticated successfully, the
browser will continue to send the username+password with each
successive request and the user won't be asked again for their
credentials.

The definition of "authenticated successfully" from the browser's view
is when the server stops sending the "WWW-Authenticate" response header.

BTW static password == bad bad bad bad bad bad bad bad bad

If you have a static password, why bother asking for it in the first
place? It's like requiring a username + password for a terminal and
then stamping the username and password on the monitor. You may as
well remove the challenge.

- -chris

> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Friday, October 12, 2018 11:29 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 8 and authenticating Basic Auth users
> 
> Hi.
> 
> On 12.10.2018 16:38, Tony Esposito wrote:
>> Hello, Using Tomcat 8.0.22 on Linux CentOS 6.10:
>> 
>> Trying to setup Tomcat to authenticate users that use Basic
>> Auth. I could (possibly) enter these users into the
>> tomcat-users.xml file but we are dealing with 1000 potential
>> users.
>> 
>> What happens instead is (of course) the users fail to
>> authenticate and then subsequent attempts by the same user locks
>> the user's account.
>> 
>> 11-Oct-2018 16:21:37.970 WARNING [http-nio-8088-exec-25]
>> org.apache.catalina.realm.LockOutRealm.authenticate An attempt
>> was made to authenticate the locked user "myuser"
>> 
>> This is 'normal' since after a failed attempt to log in, Tomcat
>> suspects a 'brute force attack' and locks the account. I don't
>> want to lose that security but (as mentioned above) I can't just
>> enter all users into the tomcat-users.xml file
>> 
>> So the basic question:    How to do authentication of 1000 users
>> that use Basic Auth?
>> 
>> Thanks.
>> 
>> Tony
>> 
>> 
> 
> There are two separate parts to this (and it is not specific to
> Tomcat) :
> 
> - the "basic auth" part, is the way it talks to the browser, to get
> a userid/pw (in this case, through a browser popup dialog)
> 
> - the "realm", is the way that the server *verifies* the
> user-id/pw, with some back-end "authority". In your case, you have
> specified that this realm is a file. But it can be something else,
> like a database.
> 
> The two are independent, and you can mix and match according to
> your needs. The on-line Tomcat documentation helps, see : 
> http://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
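As an added illustration of the two independent halves André describes (this is example configuration, not from the thread or from Tomcat's own docs): the realm half moves the 1000 users out of tomcat-users.xml into a database while a LockOutRealm wrapper keeps the brute-force lockout, and the web.xml half keeps Basic Auth unchanged. File locations, table and column names, the JNDI name and the DB connection values are all assumed placeholders.

```xml
<!-- META-INF/context.xml (assumed location; DB driver, URL and credentials are placeholders) -->
<Context>
  <!-- JNDI DataSource the realm reads users from -->
  <Resource name="jdbc/authDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://dbhost:5432/auth"
            username="tomcat_auth" password="CHANGE_ME"
            maxTotal="10" maxIdle="2" />

  <!-- LockOutRealm keeps the lockout behaviour seen in the log; it wraps the real store.
       failureCount and lockOutTime (seconds) shown here are Tomcat's defaults. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="300" cacheSize="1000">
    <!-- DataSourceRealm replaces UserDatabaseRealm/tomcat-users.xml; column names assumed -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/authDB" localDataSource="true"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name">
      <!-- store salted, iterated hashes in user_pass rather than plaintext -->
      <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                         algorithm="SHA-256" iterations="10000" saltLength="16" />
    </Realm>
  </Realm>
</Context>

<!-- WEB-INF/web.xml fragment: the "basic auth" half, unchanged by the choice of realm -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>app-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Basic Auth sends the password base64-encoded, so insist on TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>app</realm-name>
</login-config>
<security-role>
  <role-name>app-user</role-name>
</security-role>
```

The browser still gets one 401 with WWW-Authenticate, then resends the credentials on every request, exactly as Chris describes; only the verification back-end changed.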
