https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #5 from jchobanto...@yahoo.com ---
Thank you for clarifying your point that an attacker could determine there is a lockout realm installed based on the speed of the request/response, although this is questionable: if you are dealing with security systems in the backend that are accessed over the network, each response could vary from a few milliseconds to a second or more, so it will be hard to know whether the lockout is in place or not.

Let me put it this way: the fact that you could know there is a lockout realm does not give you an advantage at all, and I think it would be just the opposite. If you know there is a lockout realm you will not try to break the system, as it will take an insane amount of time for you; it is just telling you that the authentication won't be performed at all. Whether you provide an invalid or a valid username/password, it won't matter. And let's be frank here: an attacker (if any good) will know and assume there is some lockout in place. The lockout is there to prevent you from bombarding the server and to slow you down; the purpose is not whether or not the attacker knows about it. Even Apple and their iPhones will tell you that the phone is locked out and you should try again in a couple of minutes; it will not tell you that the password is invalid yet again, as this only causes confusion for your users.

Back to why hitting backend security systems when you have already determined to lock out the user is a bad choice: some of the backend systems actually charge you real money for the number of security requests made to those systems. If you are going to block the user upfront, why would I ever want to make a request to those systems?

If your concern is about timing and the attacker knowing there is a lock mechanism in place, just put a timer and get how long it takes a regular request to complete; then, when the user is locked out, do a Thread.wait() to simulate backend processing so that the user won't suspect different behavior. But again, even if the end user knows there is a lockout, how many tries and for how long, what are you going to do? Although I admit that people look at this as a small security concern, because you know how things at the backend work it doesn't mean that you know how to circumvent that, and as I said a real attacker would expect a lockout even if not reported.

At least put a property on LockOutRealm for whether or not it should hit the inner realms in case of lockout, so that we could configure this in server.xml and not have to provide a new class in order to achieve that.
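Below is an added illustration of the subclass the comment says a deployer would otherwise have to write; it is not part of the bug report and not Tomcat's own code. It short-circuits authentication for a locked user so the nested realms are never called, and pads the rejected request with the latency it has measured for real inner-realm calls so the lockout path does not return noticeably faster than an ordinary failed login. It assumes that `LockOutRealm.isLocked(String)` and `registerAuthFailure(String)` are accessible to a subclass, that the `authenticate(String, String)` overload is the one a form or BASIC login reaches, and that a `setSkipInnerRealmsWhenLocked` setter is populated from a same-named `server.xml` attribute the way Tomcat does for other Realm attributes. The class, package and property names are hypothetical.

```java
package com.example.realm; // hypothetical package, not part of Tomcat

import java.security.Principal;
import java.util.concurrent.atomic.AtomicLong;

import org.apache.catalina.realm.LockOutRealm;

/**
 * Added example, not Tomcat code. A LockOutRealm that refuses to call the
 * nested realms once a user is locked, and sleeps for the average latency
 * it has measured on real backend round trips so that a locked-out request
 * looks, timing-wise, like a normal authentication miss.
 *
 * Assumptions (not checked against a specific Tomcat version):
 *  - LockOutRealm.isLocked(String) and registerAuthFailure(String) are
 *    callable from a subclass;
 *  - the setter below is filled from a server.xml attribute named
 *    skipInnerRealmsWhenLocked, as happens for other Realm attributes.
 * Only the username/password overload of authenticate is covered.
 */
public class ShortCircuitLockOutRealm extends LockOutRealm {

    /** Hypothetical property: when true, locked users never reach the inner realms. */
    private boolean skipInnerRealmsWhenLocked = true;

    /** Exponentially weighted average of inner-realm latency, in nanoseconds. */
    private final AtomicLong avgBackendNanos = new AtomicLong(0);

    public void setSkipInnerRealmsWhenLocked(boolean skip) {
        this.skipInnerRealmsWhenLocked = skip;
    }

    public boolean getSkipInnerRealmsWhenLocked() {
        return skipInnerRealmsWhenLocked;
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        if (skipInnerRealmsWhenLocked && isLocked(username)) {
            // Keep the lock window sliding as the parent would, but do not
            // spend a (possibly billed) backend request on a user who cannot
            // authenticate anyway.
            registerAuthFailure(username);
            padToBackendLatency();
            return null;
        }

        long start = System.nanoTime();
        try {
            // Parent does the real work: inner realms, failure counting, lock check.
            return super.authenticate(username, credentials);
        } finally {
            recordBackendLatency(System.nanoTime() - start);
        }
    }

    /** Update the running average; alpha = 1/8, lock-free, first sample seeds it. */
    private void recordBackendLatency(long nanos) {
        avgBackendNanos.updateAndGet(prev -> prev == 0 ? nanos : prev - (prev >> 3) + (nanos >> 3));
    }

    /** Sleep for roughly one average backend round trip on the short-circuit path. */
    private void padToBackendLatency() {
        long nanos = avgBackendNanos.get();
        if (nanos <= 0) {
            return; // no baseline measured yet, nothing to imitate
        }
        try {
            Thread.sleep(nanos / 1_000_000L, (int) (nanos % 1_000_000L));
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }
}
```

To use it, the `className` of the `LockOutRealm` element in `server.xml` would point at this class, with the nested realms unchanged and `skipInnerRealmsWhenLocked="true"` as an attribute. Two caveats a deployer should weigh: an average hides the mean but not the variance of backend latency, so a patient attacker with many samples can still see a distribution shift; and sleeping on the short-circuit path holds a connector thread for the padded interval, so under a large brute-force run the padding itself becomes a resource cost that skipping the backend was meant to avoid.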