Subject Re: Realm.authenticate() failure
Date Sat, 19 Feb 2000 00:26:09 GMT
Peter Blakeley wrote:

> [snip]

> As to fending off basic dictionary attacks I presume that you could
> create a custom SecurityInterceptor that introduces a delay of
> increasing length upon each attempted authentication probably based upon
> IP address?

You absolutely could, although IP address may not be the right criterion -- in an
environment where users are behind a firewall, it is common to have them all
appear (to a public Internet site) to be from the same IP address.

What you might do instead, though, is to establish a session anyway (such as via
a cookie) so that you can detect how many tries there have been.  Along with the
increasing delay, you'd probably want to start logging repeated attempts after a
certain threshold number (configurable), and/or do a "lockout" on that particular
username after a certain number of failures, for a certain amount of time.  All
of this would be really easy if you had session identity already established.

I've seen these types of concepts implemented in various Unix flavors -- it's not
at all hard to visualize them used in a web environment as well.

Craig McClanahan
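As an added illustration of the scheme sketched in the reply above (not code from the thread or from Tomcat; the class and method names are hypothetical), a small tracker that counts tries per session id, grows the delay with each failure, logs past a configurable threshold, and locks the username for a fixed time:

```java
import java.util.HashMap;
import java.util.Map;

// Added example with hypothetical names. Tries are counted per session id (e.g. a
// cookie) rather than per IP; lockout is keyed by username and expires after a while.
public class LoginThrottle {
    private final int logThreshold, lockoutThreshold;
    private final long lockoutMillis, baseDelayMillis;
    private final Map<String, Integer> failuresBySession = new HashMap<>();
    private final Map<String, Integer> failuresByUser = new HashMap<>();
    private final Map<String, Long> lockedUntil = new HashMap<>();

    public LoginThrottle(int logThreshold, int lockoutThreshold, long lockoutMillis, long baseDelayMillis) {
        this.logThreshold = logThreshold; this.lockoutThreshold = lockoutThreshold;
        this.lockoutMillis = lockoutMillis; this.baseDelayMillis = baseDelayMillis;
    }

    // True while the username is locked; an expired lock is cleared on the way out.
    public synchronized boolean isLocked(String user, long now) {
        Long until = lockedUntil.get(user);
        if (until == null) return false;
        if (now < until) return true;
        lockedUntil.remove(user); failuresByUser.remove(user);
        return false;
    }

    // Delay to impose before checking credentials: base * 2^failures, capped at 64x.
    public synchronized long delayBefore(String sessionId) {
        return baseDelayMillis << Math.min(failuresBySession.getOrDefault(sessionId, 0), 6);
    }

    // Count a failure under both keys; log past the threshold, lock the user when reached.
    public synchronized void recordFailure(String sessionId, String user, long now) {
        int s = failuresBySession.merge(sessionId, 1, Integer::sum);
        int u = failuresByUser.merge(user, 1, Integer::sum);
        if (s >= logThreshold) System.out.println("repeated failures: session=" + sessionId + " user=" + user + " count=" + s);
        if (u >= lockoutThreshold) lockedUntil.put(user, now + lockoutMillis);
    }

    // A successful login clears both counters.
    public synchronized void recordSuccess(String sessionId, String user) {
        failuresBySession.remove(sessionId); failuresByUser.remove(user);
    }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle(3, 5, 60_000L, 250L);
        for (int i = 1; i <= 5; i++) {
            System.out.println("attempt " + i + ": delay " + t.delayBefore("sess-1") + " ms");
            t.recordFailure("sess-1", "alice", 0L);   // constructed sample input
        }
        System.out.println("locked at t=0: " + t.isLocked("alice", 0L) + ", at t=60s: " + t.isLocked("alice", 60_000L));
    }
}
```

The lockout is keyed by username rather than session so that it holds for that account no matter which session the next attempt arrives in.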

