[Bug 63334] LockOutRealm will continue to invoke inner user realms even when the user is lockout

bugzilla Wed, 10 Apr 2019 09:30:19 -0700

https://bz.apache.org/bugzilla/show_bug.cgi?id=63334


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
The proposed change would expose the LockOut Realm to a timing attack enabling
a malicious user to determine if the Lockout Realm was in used its
configuration.

If repeated authentication requests trigger a DoS then that is a separate issue
that requires a separate (non-Tomcat) solution.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 63334] LockOutRealm will continue to invoke inner user realms even when the user is lockout

Reply via email to