tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Remy Maucherat <r...@apache.org>
Subject Re: svn commit: r691805 - in /tomcat/trunk: java/org/apache/catalina/realm/ java/org/apache/catalina/startup/ webapps/docs/ webapps/docs/config/
Date Wed, 03 Sep 2008 22:31:07 GMT
On Wed, 2008-09-03 at 23:25 +0100, Mark Thomas wrote:
> markt@apache.org wrote:
> > Author: markt
> > Date: Wed Sep  3 15:18:39 2008
> > New Revision: 691805
> > 
> > URL: http://svn.apache.org/viewvc?rev=691805&view=rev
> > Log:
> > Add a new combined Realm that can be used to try authenticating against multiple
realms.

> Note that whilst users have been asking for this for a while, I wrote this
> as the basis for a LockOut Realm (to follow) that will lock out users after
>  a set number of failed logins (with lots of configuration options). This
> is in response to the incidents back in July/August where it appeared
> attackers were using brute force attacks to gain access to Tomcat webapps,
> mainly the admin and manager app. Granted these apps shouldn't be public
> facing but adding LockOut functionality to the Realms is a good idea from a
> security point of view.
> 
> The LockOut Realm will follow when I finish writing it ;)

Ah ok, but besides some special functions realms like this LockOut
thing, it does not seem to me like good security to store credentials in
multiple places :(

Rémy



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message