Thanks

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Wednesday, June 30, 2010 9:37 AM
To: Tomcat Users List
Subject: Re: Advanced LockoutRealm procedures

On 30/06/2010 14:50, Robillard, Greg L wrote:
> Using the LockoutRealm is running on my application. I am looking for some
> advanced features.
>
> 1. I would like to re-direct a locked user to a different error page,
> informing them of their locked status.

That would require customizing the Realm. A patch to do this would not be
accepted in the Tomcat code base since it is a (minor) security vulnerability
(it tells an attacker they have a valid user id but an invalid password).

> 2. I would like to remove the lock time and force an administrator to
> remove the lock.

That would also require customizing the Realm. A patch to do this would be
accepted providing that the current practice of using a size limited LRU cache
for the locked out users remained. I'd suggest values < 0 representing infinite
lockout. Note the unlock feature already exists and can be accessed via JMX.

> Has anyone worked in this realm, or should I just develop customized security.

Apart from me (I wrote it) I don't recall anyone touching that part of the
code.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
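
Added example, not part of the original thread and not Tomcat's LockoutRealm code: a Java sketch of the behaviour discussed in the reply, with a size-limited LRU cache of failed users, a lock-out time below 0 meaning "locked until an administrator unlocks", and the same failure result for a locked account as for a wrong password. The class `LockoutSketch`, its method names and the sample user are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical sketch; names are illustrative and are not Tomcat's API.
public class LockoutSketch {
    private final int failureCount;
    private final long lockOutTimeMs;          // < 0: no expiry, admin must unlock
    private final Map<String, long[]> failed;  // user -> {failures, lastFailureMs}

    public LockoutSketch(int failureCount, long lockOutTimeMs, final int cacheSize) {
        this.failureCount = failureCount;
        this.lockOutTimeMs = lockOutTimeMs;
        // Access-ordered map: the least recently used entry is evicted once the
        // cache is full, so memory stays bounded however many user names are
        // tried. Eviction also drops that user's lock, even an "infinite" one.
        this.failed = new LinkedHashMap<String, long[]>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, long[]> eldest) {
                return size() > cacheSize;
            }
        };
    }

    public synchronized boolean isLocked(String user, long nowMs) {
        long[] rec = failed.get(user);
        if (rec == null || rec[0] < failureCount) return false;
        return lockOutTimeMs < 0 || nowMs - rec[1] < lockOutTimeMs;
    }

    // Returns only true/false: a locked account and a bad password look the
    // same to the caller, so the response does not confirm a valid user id.
    public synchronized boolean authenticate(String user, boolean credentialsValid, long nowMs) {
        if (isLocked(user, nowMs)) return false;
        if (credentialsValid) { failed.remove(user); return true; }
        long[] rec = failed.get(user);
        if (rec == null || rec[0] >= failureCount) {  // new user or expired timed lock
            rec = new long[] {0, nowMs};
            failed.put(user, rec);
        }
        rec[0]++;
        rec[1] = nowMs;
        return false;
    }

    // Administrator action (Tomcat exposes its own unlock through JMX).
    public synchronized void unlock(String user) { failed.remove(user); }

    public static void main(String[] args) {
        LockoutSketch realm = new LockoutSketch(3, -1, 1000);  // constructed sample values
        for (int i = 0; i < 3; i++) realm.authenticate("alice", false, i);
        System.out.println("locked, correct password: " + realm.authenticate("alice", true, 10_000_000L));
        realm.unlock("alice");
        System.out.println("after admin unlock: " + realm.authenticate("alice", true, 10_000_001L));
    }
}
```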