Improve default security settings. Enable the LockOutRealm by default.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@959580 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/conf/server.xml b/conf/server.xml
index 338f430..86ad0be 100644 (file)
--- a/conf/server.xml
+++ b/conf/server.xml
@@ -106,12 +106,16 @@
       <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
       -->        
 
-      <!-- This Realm uses the UserDatabase configured in the global JNDI
-           resources under the key "UserDatabase".  Any edits
-           that are performed against this UserDatabase are immediately
-           available for use by the Realm.  -->
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
+      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+           via a brute-force attack -->
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
+        <!-- This Realm uses the UserDatabase configured in the global JNDI
+             resources under the key "UserDatabase".  Any edits
+             that are performed against this UserDatabase are immediately
+             available for use by the Realm.  -->
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+               resourceName="UserDatabase"/>
+      </Realm>
 
       <!-- Define the default virtual host
            Note: XML Schema validation will not work with Xerces 2.2.

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index af472be..da0bb0a 100644 (file)
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -75,6 +75,10 @@
         Add support for <code>*.jar</code> pattern in VirtualWebappLoader.
         (kkolinko)
       </add>
+      <add>
+        Use a LockOutRealm in the default configuration to prevent attempts to
+        guess user passwords by brute-force. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">