Thank you André for this feedback.

If I may, I wish to approach this from another angle. (The user community is 
larger than at first anticipated).

If the header received has a certain password (which is static for all users 
requesting access), then bypass Basic Auth and let the user connect.

(The application does more security checking and authentication on the header.)

So the question becomes: 
 
How to disable Basic Auth when the header contains a password which is static 
for all users requesting access?

Tony Esposito
Sr. ETL Developer / DBA
Region 10 ESC 
Technology and Data Services
O: 972-348-1284


-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Friday, October 12, 2018 11:29 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat 8 and authenticating Basic Auth users

Hi.

On 12.10.2018 16:38, Tony Esposito wrote:
> Hello,
> Using Tomcat 8.0.22 on Linux CentOS 6.10:
>
> Trying to setup Tomcat to authenticate users that use Basic Auth.
> I could (possibly) enter these users into the tomcat-users.xml file but we 
> are dealing with 1000 potential users.
>
> What happens instead is (of course) the users fail to authenticate and then 
> subsequent attempts by the same user locks the user's account.
>
> 11-Oct-2018 16:21:37.970 WARNING [http-nio-8088-exec-25] 
> org.apache.catalina.realm.LockOutRealm.authenticate An attempt was made to 
> authenticate the locked user "myuser"
>
> This is 'normal' since after a failed attempt to log in, Tomcat suspects a 
> 'brute force attack' and locks the account.
> I don't want to lose that security but (as mentioned above) I can't just 
> enter all users into the tomcat-users.xml file
>
> So the basic question: How to do authentication of 1000 users that use 
> Basic Auth?
>
> Thanks.
>
> Tony
>

There are two separate parts to this (and it is not specific to Tomcat):

- the "basic auth" part is the way it talks to the browser to get a userid/pw
   (in this case, through a browser popup dialog)

- the "realm" is the way that the server *verifies* the user-id/pw with some 
back-end "authority". In your case, you have specified that this realm is a 
file. But it can be something else, like a database.

The two are independent, and you can mix and match according to your needs.
The on-line Tomcat documentation helps, see: 
http://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
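As an added illustration (not configuration from the thread or from the Tomcat project), the two independent parts André describes, put side by side for a deployment that keeps its users in a database rather than tomcat-users.xml while retaining the LockOutRealm from the original post. The JNDI datasource name, JDBC URL, table and column names, role name and lockout values are assumptions.

```xml
<!-- 1) conf/context.xml or the webapp's META-INF/context.xml: the "realm" part,
        i.e. how Tomcat verifies the user-id/password. LockOutRealm keeps the
        brute-force lockout; DataSourceRealm replaces the file-based
        UserDatabaseRealm. Names and values below are assumed examples. -->
<Context>
  <Resource name="jdbc/authdb" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://dbhost:5432/authdb"
            username="tomcat_auth" password="CHANGE_ME"
            maxTotal="20" maxIdle="5"/>
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="300">
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/authdb" localDataSource="true"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name">
      <!-- user_pass holds salted, iterated SHA-256 digests, never clear text. -->
      <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                         algorithm="SHA-256" saltLength="16" iterations="10000"/>
    </Realm>
  </Realm>
</Context>

<!-- 2) WEB-INF/web.xml: the "basic auth" part, i.e. how the browser is asked
        for credentials. Only /secure/* requires the (assumed) "etl-user" role. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>etl-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Basic Auth sends the password base64-encoded, so require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected area</realm-name>
  </login-config>
  <security-role>
    <role-name>etl-user</role-name>
  </security-role>
</web-app>
```

The digests stored in user_pass must be produced with the same algorithm, salt length and iteration count as the CredentialHandler, which Tomcat's bin/digest.sh can do; the two files are shown together only to make the authenticator/realm split visible, they are deployed separately.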

