Tomcat 8 and authenticating Basic Auth users

Using Tomcat 8.0.22 on Linux CentOS 6.10:

Trying to set up Tomcat to authenticate users that use Basic Auth.
I could (possibly) enter these users into the tomcat-users.xml file but we are dealing with 1000 potential users.
What happens instead is (of course) the users fail to authenticate and then subsequent attempts by the same user lock the user's account.
11-Oct-2018 16:21:37.970 WARNING [http-nio-8088-exec-25] org.apache.catalina.realm.LockOutRealm.authenticate An attempt was made to authenticate the locked user "myuser"

This is 'normal' since after a failed attempt to log in, Tomcat suspects a 'brute force attack' and locks the account.
I don't want to lose that security but (as mentioned above) I can't just enter all users into the tomcat-users.xml file.
So the basic question: How to do authentication of 1000 users that use Basic Auth?

Welcome to the JavaRanch, Tony!

Tomcat - like most J2EE and JEE webapp servers - has a plugin system for authentication and authorization. The plugins are referred to as Realms and Tomcat comes with several different Realms. The original Realm that used tomcat-users.xml was the MemoryRealm, although there are one or two additional Realms nowadays using it. The MemoryRealm is best used for application testing. As you've seen, it's rather awkward to work with.

Major production systems usually keep their A&A data in an external persistent store such as a database (for example, JDBCRealm) or LDAP/Active Directory (LDAPRealm). Since these are all plugin modules, you can swap them in and out without changing anything in the application WAR - it's all managed in the Tomcat configuration.

Realms can also be chained. That's what the LockOutRealm does, in fact. It just keeps track of login failures, but passes the actual userid/password and security role tests to the next Realm on the chain.

You can even create your own custom Realm modules if you have special needs. It's not very difficult.

Most Realms allow you to add/remove user authentication and authorization information any time you want. However, for security purposes, changes to a user's security roles require the user to logout and back in again.

The Realm system doesn't care whether you use Basic or Form-based authentication.
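As an added example (not part of this thread and not from Tomcat's own documentation), here is a Tomcat 8 server.xml fragment that wires up the chain described in the reply above: a LockOutRealm on the outside that counts failed logins per user name, and a DataSourceRealm nested inside it that checks credentials and roles against a JDBC database, which is the kind of external store a thousand accounts belong in. Tomcat's default server.xml already nests a UserDatabaseRealm (the tomcat-users.xml one) inside a LockOutRealm; this fragment replaces that inner Realm. The JNDI resource name, JDBC URL, credentials, table names and column names are assumptions invented for the example.

```xml
<!-- Added example, not from the thread: Tomcat 8 server.xml fragment.
     Outer LockOutRealm tracks failures per user name; inner DataSourceRealm
     does the real user/password and role lookups against a database.
     Resource name, JDBC URL, account, table and column names are assumed. -->

<!-- Goes inside <GlobalNamingResources>: the database holding the accounts. -->
<Resource name="jdbc/authdb"
          auth="Container"
          type="javax.sql.DataSource"
          driverClassName="org.postgresql.Driver"
          url="jdbc:postgresql://db.example.invalid:5432/authdb"
          username="tomcat_auth"
          password="CHANGE-ME"
          maxTotal="20"
          maxIdle="5" />

<!-- Goes inside <Engine> (or <Host>), replacing the default
     <Realm className="org.apache.catalina.realm.LockOutRealm"> block. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5"
       lockOutTime="300"
       cacheSize="1000"
       cacheRemovalWarningTime="3600">
  <!-- failureCount: consecutive failures before the user name is locked
       (5 is the Tomcat default); lockOutTime: seconds the lock lasts
       (300 is the default); cacheSize: how many user names' failure
       history is kept, so keep it at or above the number of accounts. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authdb"
         userTable="app_users"
         userNameCol="user_name"
         userCredCol="password_hash"
         userRoleTable="app_user_roles"
         roleNameCol="role_name">
    <!-- Store salted, iterated SHA-256 digests rather than plaintext;
         the digest format is then salt$iterations$hash in password_hash. -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256"
                       saltLength="16"
                       iterations="10000" />
  </Realm>
</Realm>
```

The application's web.xml does not change: its login-config keeps auth-method BASIC and its security-constraint keeps naming the roles, because the Realm chain is consulted by the container, not the WAR. If the DataSource is declared in the webapp's context.xml instead of GlobalNamingResources, add localDataSource="true" to the DataSourceRealm. The WARNING in the original post is emitted by the outer LockOutRealm itself: once a user name is locked it refuses the attempt without asking the nested Realm, so fixing the inner Realm's lookups removes the failed logins that cause the lock, but an already-locked name stays locked until lockOutTime expires.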