Tomcat 8 and authenticating Basic Auth users

 
Greenhorn
Posts: 2
Hello,

Using Tomcat 8.0.22 on Linux CentOS 6.10:

Trying to set up Tomcat to authenticate users that use Basic Auth.
I could (possibly) enter these users into the tomcat-users.xml file, but we are dealing with 1000 potential users.

What happens instead is (of course) the users fail to authenticate, and then subsequent attempts by the same user lock the user's account.

11-Oct-2018 16:21:37.970 WARNING [http-nio-8088-exec-25] org.apache.catalina.realm.LockOutRealm.authenticate An attempt was made to authenticate the locked user "myuser"

This is 'normal' since, after a failed attempt to log in, Tomcat suspects a 'brute force attack' and locks the account.
I don't want to lose that security, but (as mentioned above) I can't just enter all users into the tomcat-users.xml file.

So the basic question: How to do authentication of 1000 users that use Basic Auth?

Thanks.
 
Bartender
Posts: 19996
Welcome to the JavaRanch, Tony!

Tomcat - like most J2EE and JEE webapp servers - has a plugin system for authentication and authorization. The plugins are referred to as Realms, and Tomcat comes with several different Realms. The original Realm that used tomcat-users.xml was the MemoryRealm, although there are one or two additional Realms nowadays using it. The MemoryRealm is best used for application testing. As you've seen, it's rather awkward to work with.

Major production systems usually keep their A&A data in an external persistent store such as a database (for example, JDBCRealm) or LDAP/Active Directory (LDAPRealm). Since these are all plugin modules, you can swap them in and out without changing anything in the application WAR - it's all managed in the Tomcat configuration.

Realms can also be chained. That's what the LockOutRealm does, in fact. It just keeps track of login failures, but passes the actual userid/password and security role tests to the next Realm on the chain.

You can even create your own custom Realm modules if you have special needs. It's not very difficult.

Most Realms allow you to add/remove user authentication and authorization information any time you want. However, for security purposes, changes to a user's security roles require the user to log out and back in again.

The Realm system doesn't care whether you use Basic or Form-based authentication.
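As an added illustration (this is not part of the reply above and not taken from the Tomcat project's documentation), here is how the chain Tim describes is expressed in Tomcat 8's server.xml: the LockOutRealm sits on the outside and only counts failures, while the nested DataSourceRealm does the actual credential and role lookup against a database, so the 1000 accounts live in tables instead of tomcat-users.xml and the lockout protection stays in place. The JNDI resource name, the table and column names, the JDBC driver and URL, and the lockout thresholds are all assumptions made for this example.

```xml
<!-- server.xml fragment: added example, not from the original thread.
     Resource name, table/column names, driver/URL and thresholds are assumptions. -->
<Server>
  <GlobalNamingResources>
    <!-- Connection pool the realm looks up by name. Tomcat 8 ships DBCP2, so the
         pool-size attribute is maxTotal (Tomcat 7 used maxActive). -->
    <Resource name="jdbc/AuthDB"
              auth="Container"
              type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://dbhost:5432/auth"
              username="tomcat_auth"
              password="CHANGE_ME"
              maxTotal="20"
              maxIdle="5" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">

      <!-- Outer link of the chain: tracks failed logins per user name and refuses
           a locked name for lockOutTime seconds. It never checks a password itself;
           the actual authenticate() call is delegated to the nested Realm.
           The values shown are Tomcat's defaults, spelled out here to make them visible. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm"
             failureCount="5"
             lockOutTime="300"
             cacheSize="1000">

        <!-- Inner link: user names, credentials and roles come from the database.
             Assumed schema:
               app_users(user_name, password_hash)
               app_user_roles(user_name, role_name) -->
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/AuthDB"
               userTable="app_users"
               userNameCol="user_name"
               userCredCol="password_hash"
               userRoleTable="app_user_roles"
               roleNameCol="role_name">

          <!-- Store salted, iterated SHA-256 digests in password_hash rather than
               plaintext. Hashes for new users can be produced with Tomcat's digest.sh
               using the same algorithm, iteration count and salt length. -->
          <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                             algorithm="SHA-256"
                             iterations="10000"
                             saltLength="16" />
        </Realm>
      </Realm>

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
```

Nothing in the WAR changes: web.xml keeps its `<auth-method>BASIC</auth-method>` and `<security-constraint>` entries, which is exactly the point about the Realm being container configuration. Two things worth knowing when debugging the lockout seen in the log line above: LockOutRealm keys its failure counter on the user name, not the client address, so a single client that retries a wrong password in a loop will lock that account no matter which inner Realm is used; and a lock clears on its own after `lockOutTime` seconds (or on a successful login once it has expired), so a stuck account usually needs patience rather than a restart.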