Trying to set up Tomcat to authenticate users that use Basic Auth.
I could (possibly) enter these users into the tomcat-users.xml file but we are dealing with 1000 potential users.
What happens instead is (of course) the users fail to authenticate and then subsequent attempts by the same user lock the user’s account.
11-Oct-2018 16:21:37.970 WARNING [http-nio-8088-exec-25] org.apache.catalina.realm.LockOutRealm.authenticate An attempt was made to authenticate the locked user "myuser"
This is ‘normal’ since after a failed attempt to log in, Tomcat suspects a ‘brute force attack’ and locks the account.
I don’t want to lose that security but (as mentioned above) I can’t just enter all users into the tomcat-users.xml file.
So the basic question: How to do authentication of 1000 users that use Basic Auth?
Tomcat - like most J2EE and JEE webapp servers - has a plugin system for authentication and authorization. The plugins are referred to as Realms and Tomcat comes with several different Realms. The original Realm that used tomcat-users.xml was the MemoryRealm, although there are one or two additional Realms nowadays using it. The MemoryRealm is best used for application testing. As you've seen, it's rather awkward to work with.
Major production systems usually keep their A&A data in an external persistent store such as a database (for example, JDBCRealm) or LDAP/Active Directory (LDAPRealm). Since these are all plugin modules, you can swap them in and out without changing anything in the application WAR - it's all managed in the Tomcat configuration.
Realms can also be chained. That's what the LockOutRealm does, in fact. It just keeps track of login failures, but passes the actual userid/password and security role tests to the next Realm on the chain.
You can even create your own custom Realm modules if you have special needs. It's not very difficult.
Most Realms allow you to add/remove user authentication and authorization information any time you want. However, for security purposes, changes to a user's security roles require the user to log out and back in again.
The Realm system doesn't care whether you use Basic or Form-based authentication.
An IDE is no substitute for an Intelligent Developer.
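The chaining described in the answer above, as an added configuration example that is not part of the original thread: a LockOutRealm wrapping a database-backed Realm, so brute-force lockout stays in place while the 1000 users live in a table instead of tomcat-users.xml. It uses DataSourceRealm (the pooled-connection counterpart of the JDBCRealm the answer mentions); the DataSource name `jdbc/authdb` and the table and column names are assumptions.

```xml
<!-- conf/server.xml, nested inside <Engine> or <Host> -->

<!-- LockOutRealm stores no users itself. It counts failed logins per
     username and delegates the credential and role checks to the
     Realm nested inside it. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5"
       lockOutTime="300">  <!-- seconds; both values are Tomcat's defaults -->

  <!-- Assumed: a JNDI DataSource named jdbc/authdb is declared in
       <GlobalNamingResources>. Table and column names are placeholders
       for whatever schema holds the accounts. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authdb"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name">

    <!-- Compare against salted PBKDF2 hashes in user_pass rather than
         cleartext passwords. -->
    <CredentialHandler
        className="org.apache.catalina.realm.SecretKeyCredentialHandler"
        algorithm="PBKDF2WithHmacSHA512"
        iterations="100000"
        saltLength="16"
        keyLength="256"/>
  </Realm>
</Realm>
```

The application's `<login-config>` in web.xml (BASIC or FORM) does not change when the nested Realm is swapped.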