https://bz.apache.org/bugzilla/show_bug.cgi?id=59708
Bug ID: 59708
Summary: LockOutRealm Details
Product: Tomcat 8
Version: 8.0.35
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: [email protected]
Reporter: [email protected]
Documentation for LockOutRealm does not specify if failed logins due to being
locked out by the LockOutRealm count as failed logins for the purpose of
locking out a user.
For example: Let's say I'm protecting an API with LockOutRealm and the
authentication fails either due to maliciously bad password, accidentally bad
password, or back-end auth fail. This results in a LockOut condition because it
happened x times in y period. But the machines legitimately hitting the API
don't care and continue to fail to authenticate during the LockOut period. Will
the machines ever be allowed to authenticate or is this a critical failure of
the API?