Tomcat 8 and authenticating Basic Auth users

Greenhorn
Posts: 4
Hello,
Using Tomcat 8.0.22 on Linux CentOS 6.10:

Trying to set up Tomcat to authenticate users that use Basic Auth.
I could (possibly) enter these users into the tomcat-users.xml file, but we are dealing with 1000 potential users.

What happens instead is (of course) the users fail to authenticate, and then subsequent attempts by the same user lock the user's account.

11-Oct-2018 16:21:37.970 WARNING [http-nio-8088-exec-25] org.apache.catalina.realm.LockOutRealm.authenticate An attempt was made to authenticate the locked user "myuser"

This is 'normal' since after a failed attempt to log in, Tomcat suspects a 'brute force attack' and locks the account.
I don't want to lose that security, but (as mentioned above) I can't just enter all users into the tomcat-users.xml file.

So the basic question: how to do authentication of 1000 users that use Basic Auth?

Thanks.
 
Bartender
Posts: 20310
Welcome to the JavaRanch, Tony!

Tomcat - like most J2EE and JEE webapp servers - has a plugin system for authentication and authorization. The plugins are referred to as Realms, and Tomcat comes with several different Realms. The original Realm that used tomcat-users.xml was the MemoryRealm, although there are one or two additional Realms nowadays using it. The MemoryRealm is best used for application testing. As you've seen, it's rather awkward to work with.

Major production systems usually keep their A&A data in an external persistent store such as a database (for example, JDBCRealm) or LDAP/Active Directory (LDAPRealm). Since these are all plugin modules, you can swap them in and out without changing anything in the application WAR - it's all managed in the Tomcat configuration.

Realms can also be chained. That's what the LockOutRealm does, in fact. It just keeps track of login failures, but passes the actual userid/password and security role tests to the next Realm on the chain.

You can even create your own custom Realm modules if you have special needs. It's not very difficult.

Most Realms allow you to add/remove user authentication and authorization information any time you want. However, for security purposes, changes to a user's security roles require the user to log out and back in again.

The Realm system doesn't care whether you use Basic or Form-based authentication.
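As an added illustration of the chaining described in the answer above (this is example configuration written for this page, not something posted in the thread), here is a conf/server.xml fragment for Tomcat 8 in which the LockOutRealm keeps the brute-force lockout and delegates the real credential check to a DataSourceRealm backed by a JDBC connection pool, so the 1000 users live in a database table instead of tomcat-users.xml. The DataSource name jdbc/AuthDB, the database URL and credentials, and the users/user_roles table and column names are assumptions chosen for the example.

```xml
<!-- Added example (not from this thread): conf/server.xml fragment for Tomcat 8.
     The DataSource name "jdbc/AuthDB", the JDBC URL and credentials, and the
     users/user_roles table and column names are assumptions for illustration. -->
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Connection pool for the user database (URL and credentials are placeholders). -->
    <Resource name="jdbc/AuthDB" auth="Container" type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://dbhost:5432/auth"
              username="tomcat_auth" password="CHANGE-ME"
              maxTotal="20" maxIdle="5" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <Connector port="8088" protocol="HTTP/1.1" connectionTimeout="20000" />

    <Engine name="Catalina" defaultHost="localhost">
      <!-- Outer realm: counts failed logins per user name and, once failureCount
           failures have been seen, refuses further attempts for lockOutTime
           seconds. 5 and 300 are Tomcat's defaults; they are written out so the
           lockout policy is visible in the configuration. This is the realm that
           produced the "locked user" warning in the question. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm"
             failureCount="5" lockOutTime="300">
        <!-- Inner realm: the one that actually verifies the password and loads
             the roles. Assumed schema: users(user_name, user_pass) and
             user_roles(user_name, role_name). -->
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/AuthDB"
               userTable="users" userNameCol="user_name" userCredCol="user_pass"
               userRoleTable="user_roles" roleNameCol="role_name">
          <!-- Store salted, iterated SHA-256 digests in user_pass instead of
               plaintext; Tomcat's bin/digest.sh can generate matching values. -->
          <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                             algorithm="SHA-256" iterations="100000" saltLength="16" />
        </Realm>
      </Realm>

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
```

Nothing in the application WAR changes: its web.xml keeps a `<login-config>` with `<auth-method>BASIC</auth-method>` and the same `<security-constraint>` and `<security-role>` entries, and Tomcat routes every Basic Auth challenge through the realm chain above. Because the LockOutRealm counts failures by user name before the inner realm is consulted, a backing store that does not know the user at all (the situation in the question) still produces lockouts after five bad attempts, which is why the fix is to give the inner realm a store that contains the users rather than to loosen the lockout.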