On 30/06/2010 14:50, Robillard, Greg L wrote:
> Using the LockoutRealm is running on my application. I am looking for some
> advanced features.
>
> 1. I would like to re-direct a locked user to a different error page,
> informing them of their locked status.

That would require customizing the Realm. A patch to do this would not
be accepted in the Tomcat code base since it is a (minor) security
vulnerability (it tells an attacker they have a valid user id but an
invalid password).

> 2. I would like to remove the lock time and force an administrator to
> remove the lock.

That would also require customizing the Realm. A patch to do this would
be accepted providing that the current practice of using a size limited
LRU cache for the locked out users remained. I'd suggest values < 0
representing infinite lockout. Note the unlock feature already exists
and can be accessed via JMX.

> Has anyone worked in this realm, or should I just develop customized security.

Apart from me (I wrote it) I don't recall anyone touching that part of
the code.

Mark
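
The size-limited LRU cache and the "values < 0 representing infinite lockout" suggestion from the reply above, sketched as an added example; it is not part of the original message and not Tomcat's LockOutRealm code. The class LockoutTracker, its fields and its method names are hypothetical, and the caller is assumed to have already checked the credentials.

```java
import java.util.LinkedHashMap;
import java.util.Map;
// Added illustration, not Tomcat's LockOutRealm source; all names here are hypothetical.
public class LockoutTracker {
    private static final class FailRecord { int failures; long lastFailure; }
    private final int failureCount;    // failures allowed before lockout
    private final long lockOutTimeMs;  // < 0: locked until unlock() is called
    private final Map<String, FailRecord> failed;

    public LockoutTracker(int failureCount, long lockOutTimeMs, final int cacheSize) {
        this.failureCount = failureCount;
        this.lockOutTimeMs = lockOutTimeMs;
        // Access-ordered LinkedHashMap acts as an LRU cache. The size cap bounds memory
        // when logins fail for many distinct names; the cost is that an evicted entry
        // releases that user's lock, even an infinite one.
        this.failed = new LinkedHashMap<String, FailRecord>(16, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<String, FailRecord> e) {
                return size() > cacheSize;
            }
        };
    }

    public synchronized boolean isLocked(String user, long now) {
        FailRecord r = failed.get(user);
        if (r == null || r.failures < failureCount) return false;
        return lockOutTimeMs < 0 || now - r.lastFailure < lockOutTimeMs;
    }

    // Returns only true or false: a locked account and a wrong password are
    // indistinguishable to the caller, so the reply does not confirm a user id.
    public synchronized boolean authenticate(String user, boolean credentialsValid, long now) {
        boolean locked = isLocked(user, now);
        if (!locked && credentialsValid) { failed.remove(user); return true; }
        FailRecord r = failed.computeIfAbsent(user, k -> new FailRecord());
        if (!locked && r.failures >= failureCount) r.failures = 0;  // timed lock expired
        r.failures++;
        r.lastFailure = now;  // attempts made while locked extend a timed lock
        return false;
    }

    // Administrator action; the reply notes that Tomcat exposes its unlock via JMX.
    public synchronized void unlock(String user) { failed.remove(user); }
    public static void main(String[] args) {
        LockoutTracker t = new LockoutTracker(3, -1, 1000);  // constructed sample values
        for (int i = 0; i < 3; i++) t.authenticate("alice", false, i);
        System.out.println(t.authenticate("alice", true, 10));  // correct password while locked
        t.unlock("alice");
        System.out.println(t.authenticate("alice", true, 11));  // correct password after unlock
    }
}
```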