5.2 Use LockOut Realms

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

A LockOutRealm wraps a standard realm (for example a DataSourceRealm, JNDIRealm or UserDatabaseRealm) and adds the ability to lock a user out for a configured period after a configured number of consecutive failed logins. The wrapped realm still performs the actual authentication; the LockOutRealm only tracks failures and refuses further attempts for a locked user.

Rationale:

Locking out a user after repeated failed logins slows brute-force and password-guessing attacks against the authentication realm, since an attacker gets only failureCount guesses per lockOutTime window for each username. Because any client can trigger the lockout for a known username, the same mechanism can be abused to deny service to legitimate accounts; keep lockOutTime bounded rather than indefinite and watch the warnings the realm logs.

Solution

In server.xml (or in the context.xml of the application concerned), wrap the realm that actually authenticates users in a LockOutRealm, as in the example below:

<!-- failureCount: consecutive failed logins before the user is locked out (Tomcat default 5).
     lockOutTime: seconds the lock lasts (Tomcat default 300).
     cacheSize: number of users with failed logins to track (Tomcat default 1000).
     cacheRemovalWarningTime: log a warning if a failed-login entry is evicted from the
     cache sooner than this many seconds (Tomcat default 3600). -->
<Realm className='org.apache.catalina.realm.LockOutRealm'
       failureCount='3' lockOutTime='600' cacheSize='1000'
       cacheRemovalWarningTime='3600'>
  <!-- The realm that authenticates users is nested inside the LockOutRealm. -->
  <Realm className='org.apache.catalina.realm.DataSourceRealm'
         dataSourceName=... />
</Realm>
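The benchmark gives no audit procedure for this item, so the following is an added check, written for this page and not part of the CIS benchmark or of Tomcat. It parses a server.xml, reports every authenticating Realm that is not nested inside a LockOutRealm, and flags LockOutRealms whose thresholds are weaker than the example above (the cut-offs of 3 failures and 600 seconds are taken from that example, not from any Tomcat requirement). The Tomcat defaults it substitutes for omitted attributes (failureCount 5, lockOutTime 300) are those documented for LockOutRealm. The sample server.xml is constructed for the demonstration; the realm class names and the jdbc/auth data source name in it are illustrative.

```python
"""Added audit helper (not CIS or Tomcat code): check a Tomcat server.xml
for authenticating realms that are not wrapped by a LockOutRealm."""
import xml.etree.ElementTree as ET

LOCKOUT_REALM = "org.apache.catalina.realm.LockOutRealm"
COMBINED_REALM = "org.apache.catalina.realm.CombinedRealm"

# Values Tomcat applies when the attribute is omitted from a LockOutRealm.
DEFAULT_FAILURE_COUNT = 5
DEFAULT_LOCKOUT_TIME = 300  # seconds

# Thresholds this check enforces; taken from the benchmark's example
# configuration (assumption, not a Tomcat requirement). Adjust to local policy.
MAX_FAILURE_COUNT = 3
MIN_LOCKOUT_TIME = 600  # seconds


def _label(elem):
    """Short path component, e.g. Host[localhost] or Realm[...DataSourceRealm]."""
    name = elem.get("name") or elem.get("path") or elem.get("className")
    return f"{elem.tag}[{name}]" if name else elem.tag


def _walk(elem, path, lockout, findings):
    """Depth-first walk. `lockout` is (failureCount, lockOutTime) of the
    enclosing LockOutRealm, or None when nothing wraps this point."""
    for child in elem:
        cpath = f"{path}/{_label(child)}"
        if child.tag != "Realm":
            # Service/Engine/Host/Context each open a fresh Realm scope.
            _walk(child, cpath, None, findings)
            continue
        cls = child.get("className", "")
        if cls == LOCKOUT_REALM:
            count = int(child.get("failureCount", DEFAULT_FAILURE_COUNT))
            secs = int(child.get("lockOutTime", DEFAULT_LOCKOUT_TIME))
            if count > MAX_FAILURE_COUNT or secs < MIN_LOCKOUT_TIME:
                findings.append((cpath, "FAIL",
                                 f"weak lockout: failureCount={count}, lockOutTime={secs}"))
            if not any(g.tag == "Realm" for g in child):
                findings.append((cpath, "FAIL", "LockOutRealm wraps no realm"))
            _walk(child, cpath, (count, secs), findings)
        elif cls == COMBINED_REALM:
            # CombinedRealm only delegates; its children inherit the lockout state.
            _walk(child, cpath, lockout, findings)
        elif lockout is None:
            findings.append((cpath, "FAIL",
                             "authenticating realm is not wrapped by a LockOutRealm"))
        else:
            findings.append((cpath, "PASS",
                             f"wrapped: failureCount={lockout[0]}, lockOutTime={lockout[1]}"))


def audit_server_xml(xml_text):
    """Return [(path, 'PASS' | 'FAIL', detail), ...] in document order."""
    findings = []
    root = ET.fromstring(xml_text)
    _walk(root, root.tag, None, findings)
    return findings


def is_compliant(findings):
    """True when every finding passed (vacuously true if no Realm is defined)."""
    return all(status == "PASS" for _, status, _ in findings)


# Constructed sample: a compliant Engine realm, a bare Host realm with no
# lockout, and a Context LockOutRealm left at Tomcat defaults that wraps nothing.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm"
             failureCount="3" lockOutTime="600">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps">
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/auth"/>
        <Context path="/admin">
          <Realm className="org.apache.catalina.realm.LockOutRealm"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for path, status, detail in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"{status} {path}: {detail}")
```

To audit a live instance, pass the contents of $CATALINA_BASE/conf/server.xml to audit_server_xml. The walk reports only realms that are explicitly declared: it does not model Tomcat's realm inheritance (a Host or Context with no Realm of its own uses the enclosing container's), and realms declared in per-application context.xml files have to be checked separately.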

See Also

https://workbench.cisecurity.org/files/4103