Subject: Re: svn commit: r691805 - in /tomcat/trunk: java/org/apache/catalina/realm/ java/org/apache/catalina/startup/ webapps/docs/ webapps/docs/config/
From: Remy Maucherat
To: Tomcat Developers List
Date: Thu, 04 Sep 2008 00:31:07 +0200

On Wed, 2008-09-03 at 23:25 +0100, Mark Thomas wrote:
> markt@apache.org wrote:
> > Author: markt
> > Date: Wed Sep 3 15:18:39 2008
> > New Revision: 691805
> >
> > URL: http://svn.apache.org/viewvc?rev=691805&view=rev
> > Log:
> > Add a new combined Realm that can be used to try authenticating against multiple realms.
>
> Note that whilst users have been asking for this for a while, I wrote this
> as the basis for a LockOut Realm (to follow) that will lock out users after
> a set number of failed logins (with lots of configuration options). This
> is in response to the incidents back in July/August where it appeared
> attackers were using brute force attacks to gain access to Tomcat webapps,
> mainly the admin and manager app. Granted these apps shouldn't be public
> facing but adding LockOut functionality to the Realms is a good idea from a
> security point of view.
>
> The LockOut Realm will follow when I finish writing it ;)

Ah ok, but besides some special functions realms like this LockOut
thing, it does not seem to me like good security to store credentials in
multiple places :(

Rémy