How do LockOutRealms work ?

Ranch Hand
Posts: 66
I am confused with the functioning of LockOutRealms in Tomcat.

My questions are as follows:

  • Say a user at IP 10.10.10.1 has reached the maximum number of invalid login attempts and is locked out. Now say a user from 10.10.10.2 attempts to log in; will Tomcat stop him too, since he is trying to log in for the first time? If not, then how does Tomcat keep track of users that are locked out? Via their IPs?

  • When a user is locked out, what message is displayed? Can I display a custom HTML page when a user has been locked out? In other words, how much control do I have over the lockout process and what error messages are shown?
Saloon Keeper
Posts: 27807
Although a quick check of the documentation didn't say, the usual lockout mechanism is to lock the user ID, not the IP address. IP addresses are generally locked out at the firewall. Tomcat doesn't mark the account permanently locked like some systems do (requiring a security administrator to explicitly unlock it again). It just keeps a cache of banned IDs with lockout countdown times. Locking out by source IP is very rare. Sometimes a user will have an alternate account that they are authorized to use, and in the case of IPv4 NAT, dozens, hundreds, or even thousands of users would all be carrying the same source IP address. Mostly when I ban an IP it's from some really blatant offender such as Taiwan HINET, which seems to exist solely to provide Internet vandals a home.

Again, the docs didn't say, but I'd expect that a banned ID would be presented with a 403 - FORBIDDEN page.

Incidentally, since the lockout is by ID, not IP, public parts of the webapp should still be accessible to the locked-out user. However, any attempt to access a secured URL would again trigger the server's login mechanism, and if you then attempted to log in using the banned ID, the login would be rejected.

Don't get me started about those stupid light bulbs.
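As an added illustration (not Tomcat's code, and not part of the reply above), here is a simplified model of the per-ID lockout cache the reply describes: failures are counted per user ID, a locked ID is rejected until its countdown expires, a successful login clears the counter, and the source IP plays no part. The threshold and duration are assumed values, the credentials are constructed, and `check_credentials` stands in for the wrapped realm.

```python
import time
from dataclasses import dataclass

FAILURE_COUNT = 5        # failed attempts before an ID is locked (assumed)
LOCK_OUT_SECONDS = 300   # seconds the ID stays locked after its last failure (assumed)


@dataclass
class LockRecord:
    failures: int = 0
    last_failure: float = 0.0


class LockOutCache:
    """Per-username lockout cache; keyed by user ID, never by source IP."""

    def __init__(self, failure_count=FAILURE_COUNT,
                 lock_out_seconds=LOCK_OUT_SECONDS, clock=time.monotonic):
        self.failure_count = failure_count
        self.lock_out_seconds = lock_out_seconds
        self.clock = clock          # injectable for deterministic testing
        self.records = {}           # username -> LockRecord

    def is_locked(self, username):
        rec = self.records.get(username)
        if rec is None or rec.failures < self.failure_count:
            return False
        if self.clock() - rec.last_failure >= self.lock_out_seconds:
            del self.records[username]   # countdown expired: ID may try again
            return False
        return True

    def authenticate(self, username, password, check_credentials):
        if self.is_locked(username):
            return False                 # rejected without consulting the wrapped realm
        if check_credentials(username, password):
            self.records.pop(username, None)   # success clears the failure count
            return True
        rec = self.records.setdefault(username, LockRecord())
        rec.failures += 1
        rec.last_failure = self.clock()
        return False


def demo():
    """Constructed scenario: 'alice' exhausts her attempts; 'bob' is unaffected."""
    now = [0.0]
    cache = LockOutCache(clock=lambda: now[0])
    users = {"alice": "s3cret", "bob": "hunter2"}        # constructed credentials
    check = lambda u, p: users.get(u) == p
    for _ in range(FAILURE_COUNT):
        cache.authenticate("alice", "wrong", check)
    alice_locked = cache.is_locked("alice")
    right_pw_rejected = not cache.authenticate("alice", "s3cret", check)
    bob_ok = cache.authenticate("bob", "hunter2", check)  # other IDs unaffected
    now[0] += LOCK_OUT_SECONDS                            # countdown runs out
    alice_after_timeout = cache.authenticate("alice", "s3cret", check)
    return alice_locked, right_pw_rejected, bob_ok, alice_after_timeout
```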