tomcat-dev mailing list archives

Subject [Bug 59708] New: LockOutRealm Details
Date Wed, 15 Jun 2016 15:17:08 GMT

            Bug ID: 59708
           Summary: LockOutRealm Details
           Product: Tomcat 8
           Version: 8.0.35
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation

Documentation for LockOutRealm does not specify if failed logins due to being
locked out by the LockOutRealm count as failed logins for the purpose of
locking out a user.

For example: Let's say I'm protecting an API with LockOutRealm and the
authentication fails either due to maliciously bad password, accidentally bad
password, or back-end auth fail. This results in a LockOut condition because it
happened x times in y period. But the machines legitimately hitting the API
don't care and continue to fail to authenticate during the LockOut period. Will
the machines ever be allowed to authenticate or is this a critical failure of
the API?
