https://bz.apache.org/bugzilla/show_bug.cgi?id=59708
--- Comment #5 from Mark Thomas ---
Yes, authentication is now always checked so Tomcat can vary the behaviour
during a lock out depending on whether the authentication credentials provided
were valid or not.
For more details, you can always l
--- Comment #4 from Ben ---
Thanks for this fix. I'd like to ask one more technical question about it: Are
the wrapped realms authenticated before the lockout or is the lockout checked
before attempting real authentication?
Example:
If I
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
--- Comment #2 from Ben ---
Thanks for the clarification. I look forward to seeing this progress.
--- Comment #1 from Mark Thomas ---
Thanks for the report.
To answer the question, the LockOutRealm currently treats any authentication
attempt during the lock out period as a failure. This does mean that once an
account is locked out, if the