tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 59708] New: LockOutRealm Details
Date Wed, 15 Jun 2016 15:17:08 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=59708

            Bug ID: 59708
           Summary: LockOutRealm Details
           Product: Tomcat 8
           Version: 8.0.35
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: dev@tomcat.apache.org
          Reporter: ben@zvan.net

Documentation for LockOutRealm does not specify if failed logins due to being
locked out by the LockOutRealm count as failed logins for the purpose of
locking out a user.

For example: Let's say I'm protecting an API with LockOutRealm and the
authentication fails either due to maliciously bad password, accidentally bad
password, or back-end auth fail. This results in a LockOut condition because it
happened x times in y period. But the machines legitimately hitting the API
don't care and continue to fail to authenticate during the LockOut period. Will
the machines ever be allowed to authenticate or is this a critical failure of
the API?

-- 
You are receiving this mail because:
You are the assignee for the bug.
