Tuesday, February 23, 2010

New in Tomcat 6.0.19 - Realm lock-out feature

NOW they tell me.  Man it pays to RTFM...

http://www.jeremythomerson.com/blog/2008/11/apachecon-securing-apache-tomcat-for-your-environment/

New in 6.0.19 [the] LockOut realm - it wraps around standard realms and provides a lock-out mechanism for multiple failed attempts for the same user.  With this, there will also be the ability to have multiple realms for authentication - if any match, you get access - so you could use, for example, a tomcat users file for admins and a JNDI realm for users.

Full details here:
http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html

You just wrap this around your existing realm (JDBC in our case).  I got this working and it will serve as a "backup" to my custom login attempts table.  The LockOut realm will prevent a brute force attack that hits the JAAS servlet directly.
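As an added example (not the original post's configuration, nor anything from Tomcat's own docs beyond the attribute names), here is the kind of Realm nesting described above as it would appear in conf/server.xml: a LockOutRealm on the outside, wrapping a CombinedRealm that holds a UserDatabaseRealm for admins (tomcat-users.xml) and a JDBCRealm for everyone else. The database URL, table and column names and the lock-out thresholds are placeholders; the post's own setup is just a LockOutRealm around a single JDBCRealm, which is the same thing with the CombinedRealm layer left out.

```xml
<!-- Added example, not from the original post. Placeholder values throughout. -->
<!-- Outermost: lock the user name after failureCount failures for lockOutTime seconds.
     5 / 300 / 1000 / 3600 are the Tomcat defaults, spelled out here for clarity. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5"
       lockOutTime="300"
       cacheSize="1000"
       cacheRemovalWarningTime="3600">

  <!-- Middle: try each nested realm in order; the first one that accepts the
       credentials wins, so admins and ordinary users can live in different stores. -->
  <Realm className="org.apache.catalina.realm.CombinedRealm">

    <!-- Admin accounts from conf/tomcat-users.xml (the "UserDatabase" JNDI resource
         that ships in the default server.xml). -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>

    <!-- Application users from a database table (placeholder driver, URL and schema;
         note "&amp;" for the ampersand inside an XML attribute). -->
    <Realm className="org.apache.catalina.realm.JDBCRealm"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql://localhost/authority?user=dbuser&amp;password=dbpass"
           userTable="users"
           userNameCol="user_name"
           userCredCol="user_pass"
           userRoleTable="user_roles"
           roleNameCol="role_name"/>

  </Realm>
</Realm>
```

Two things worth knowing before relying on this as the backup to a login-attempts table: the LockOutRealm keeps its failure counts in memory on the Tomcat instance that saw the failures, so each node in a cluster counts separately, and a restart clears the counts. It also locks on the user name alone, which is what stops a direct brute force but also means a low failureCount lets someone lock a legitimate user out by guessing wrong on purpose; the realm logs a warning when a locked user tries to authenticate, so those entries are worth watching for both cases.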
