http://www.jeremythomerson.com/blog/2008/11/apachecon-securing-apache-tomcat-for-your-environment/
New in 6.0.19: the LockOut realm. It wraps around a standard realm and provides a lock-out mechanism after multiple failed login attempts for the same user. With this there is also the ability to configure multiple realms for authentication: if any one of them matches, you get access, so you could use, for example, a tomcat-users file for admins and a JNDI realm for users.
Full details here:
http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html
You just wrap this around your existing realm (JDBC in our case). I got this working and it will serve as a "backup" to my custom login-attempts table. The LockOut realm will prevent a brute-force attack that hits the JAAS servlet directly.
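Here is the server.xml configuration the post describes, as an added example that is not from the original post: the JDBC realm on its own (before) and the same realm nested inside a CombinedRealm and a LockOutRealm (after). The database host, driver, credentials and column names are placeholders.

```xml
<!-- Added example, not from the original post: conf/server.xml fragment for
     Tomcat 6.0.19 or later. Hostnames, driver, credentials and column names
     are placeholders. -->
<Engine name="Catalina" defaultHost="localhost">

  <!-- BEFORE: a bare JDBCRealm. Every wrong password is just another
       query, so nothing slows down repeated guesses against one account. -->
  <!--
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="org.postgresql.Driver"
         connectionURL="jdbc:postgresql://db.example.internal/appdb"
         connectionName="tomcat_ro" connectionPassword="CHANGE_ME"
         userTable="users" userNameCol="username" userCredCol="password_hash"
         userRoleTable="user_roles" roleNameCol="role_name"
         digest="SHA-256"/>
  -->

  <!-- AFTER: LockOutRealm is the outermost realm, so the failure counter
       sees every attempt no matter which inner realm would answer it.
       failureCount and lockOutTime are Tomcat's defaults, written out here
       so the policy is explicit (lockOutTime is in seconds). -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5"
         lockOutTime="300"
         cacheSize="1000"
         cacheRemovalWarningTime="3600">

    <!-- CombinedRealm tries each child in order; the first one that
         accepts the credentials grants access, as the post describes. -->
    <Realm className="org.apache.catalina.realm.CombinedRealm">

      <!-- Admin accounts from conf/tomcat-users.xml (the "UserDatabase"
           JNDI resource that the stock server.xml already defines). -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- Application users: the same JDBCRealm as above, now nested. -->
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             driverName="org.postgresql.Driver"
             connectionURL="jdbc:postgresql://db.example.internal/appdb"
             connectionName="tomcat_ro" connectionPassword="CHANGE_ME"
             userTable="users" userNameCol="username" userCredCol="password_hash"
             userRoleTable="user_roles" roleNameCol="role_name"
             digest="SHA-256"/>
    </Realm>
  </Realm>

</Engine>
```

Lock-out state is held in memory per Tomcat instance, so in a cluster each node counts failures separately. Because the counter is keyed on the user name, repeated bad passwords for a known account lock that legitimate user out too, so log and alert on lockouts rather than treating them as a silent control.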