|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.apache.catalina.realm.RealmBase org.apache.catalina.realm.CombinedRealm org.apache.catalina.realm.LockOutRealm
public class LockOutRealm
This class extends the CombinedRealm (hence it can wrap other Realms) to provide a user lock out mechanism if there are too many failed authentication attempts in a given period of time. To ensure correct operation, there is a reasonable degree of synchronisation in this Realm. This Realm does not require modification to the underlying Realms or the associated user storage mecahisms. It achieves this by recording all failed logins, including those for users that do not exist. To prevent a DOS by deliberating making requests with invalid users (and hence causing this cache to grow) the size of the list of users that have failed authentication is limited.
Nested Class Summary | |
---|---|
protected class |
LockOutRealm.LockRecord
|
Nested classes/interfaces inherited from class org.apache.catalina.realm.RealmBase |
---|
RealmBase.AllRolesMode |
Field Summary | |
---|---|
protected int |
cacheRemovalWarningTime
If a failed user is removed from the cache because the cache is too big before it has been in the cache for at least this period of time (in seconds) a warning message will be logged. |
protected int |
cacheSize
Number of users that have failed authentication to keep in cache. |
protected java.util.Map<java.lang.String,LockOutRealm.LockRecord> |
failedUsers
Users whose last authentication attempt failed. |
protected int |
failureCount
The number of times in a row a user has to fail authentication to be locked out. |
protected int |
lockOutTime
The time (in seconds) a user is locked out for after too many authentication failures. |
Fields inherited from class org.apache.catalina.realm.CombinedRealm |
---|
realms, sm |
Fields inherited from class org.apache.catalina.realm.RealmBase |
---|
allRolesMode, container, containerLog, controller, digest, digestEncoding, domain, host, info, initialized, lifecycle, md, md5Encoder, md5Helper, mserver, oname, path, realmPath, started, support, type, validate |
Fields inherited from interface org.apache.catalina.Lifecycle |
---|
AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, DESTROY_EVENT, INIT_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT |
Constructor Summary | |
---|---|
LockOutRealm()
|
Method Summary | |
---|---|
java.security.Principal |
authenticate(java.lang.String username,
byte[] credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null . |
java.security.Principal |
authenticate(java.lang.String username,
java.lang.String credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null . |
java.security.Principal |
authenticate(java.lang.String username,
java.lang.String clientDigest,
java.lang.String once,
java.lang.String nc,
java.lang.String cnonce,
java.lang.String qop,
java.lang.String realmName,
java.lang.String md5a2)
Return the Principal associated with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 2069; otherwise return null . |
java.security.Principal |
authenticate(java.security.cert.X509Certificate[] certs)
Return the Principal associated with the specified chain of X509 client certificates. |
int |
getCacheRemovalWarningTime()
Get the minimum period a failed authentication must remain in the cache to avoid generating a warning if it is removed from the cache to make space for a new entry. |
int |
getCacheSize()
Get the maximum number of users for which authentication failure will be kept in the cache. |
int |
getFailureCount()
Get the number of failed authentication attempts required to lock the user account. |
int |
getLockOutTime()
Get the period for which an account will be locked. |
void |
setCacheRemovalWarningTime(int cacheRemovalWarningTime)
Set the minimum period a failed authentication must remain in the cache to avoid generating a warning if it is removed from the cache to make space for a new entry. |
void |
setCacheSize(int cacheSize)
Set the maximum number of users for which authentication failure will be kept in the cache. |
void |
setFailureCount(int failureCount)
Set the number of failed authentication attempts required to lock the user account. |
void |
setLockOutTime(int lockOutTime)
Set the period for which an account will be locked. |
void |
start()
Prepare for the beginning of active use of the public methods of this component. |
void |
unlock(java.lang.String username)
Unlock the specified username. |
Methods inherited from class org.apache.catalina.realm.CombinedRealm |
---|
addRealm, getName, getPassword, getPrincipal, getRealms, setContainer, stop |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
protected int failureCount
protected int lockOutTime
protected int cacheSize
protected int cacheRemovalWarningTime
protected java.util.Map<java.lang.String,LockOutRealm.LockRecord> failedUsers
Constructor Detail |
---|
public LockOutRealm()
Method Detail |
---|
public void start() throws LifecycleException
start
in interface Lifecycle
start
in class CombinedRealm
LifecycleException
- if this component detects a fatal error
that prevents this component from being usedpublic java.security.Principal authenticate(java.lang.String username, byte[] credentials)
null
.
authenticate
in interface Realm
authenticate
in class CombinedRealm
username
- Username of the Principal to look upcredentials
- Password or other credentials to use in
authenticating this usernamepublic java.security.Principal authenticate(java.lang.String username, java.lang.String clientDigest, java.lang.String once, java.lang.String nc, java.lang.String cnonce, java.lang.String qop, java.lang.String realmName, java.lang.String md5a2)
null
.
authenticate
in interface Realm
authenticate
in class CombinedRealm
username
- Username of the Principal to look upclientDigest
- Digest which has been submitted by the clientnOnce
- Unique (or supposedly unique) token which has been used
for this requestrealm
- Realm namemd5a2
- Second MD5 digest used to calculate the digest :
MD5(Method + ":" + uri)public java.security.Principal authenticate(java.lang.String username, java.lang.String credentials)
null
.
authenticate
in interface Realm
authenticate
in class CombinedRealm
username
- Username of the Principal to look upcredentials
- Password or other credentials to use in
authenticating this usernamepublic java.security.Principal authenticate(java.security.cert.X509Certificate[] certs)
null
.
authenticate
in interface Realm
authenticate
in class CombinedRealm
certs
- Array of client certificates, with the first one in
the array being the certificate of the client itself.public void unlock(java.lang.String username)
username
- The user to unlockpublic int getFailureCount()
public void setFailureCount(int failureCount)
failureCount
- the failureCount to setpublic int getLockOutTime()
public void setLockOutTime(int lockOutTime)
lockOutTime
- the lockOutTime to setpublic int getCacheSize()
public void setCacheSize(int cacheSize)
cacheSize
- the cacheSize to setpublic int getCacheRemovalWarningTime()
public void setCacheRemovalWarningTime(int cacheRemovalWarningTime)
cacheRemovalWarningTime
- the cacheRemovalWarningTime to set
|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |