NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide

Security Considerations
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
Realms
even users that do not exist could result in a large number of user records getting
cached, especially when the authentication of invalid users is deliberate, such as in a
denial of service attack. To prevent unlimited growth of the cache, use the cacheSize
attribute to indicate the maximum number of user records that may be cached.
Sub-Realms are defined by nesting the Realm elements inside the Realm element that
defines the LockOutRealm. Authentication will be attempted against each Realm in
the order they are listed. Successful authentication against any Realm will be sufficient
to authenticate the user.
Attributes in the NSJSPLockOutRealm
Table 8-7 lists the attributes in the NSJSPLockOutRealm.
Example 8-7 shows how to configure an NSJSPLockOutRealm that uses the
UserDatabaseRealm to authenticate users.
In Example 8-7, users are locked out for 1 hour (3600 seconds) after 3 failed
authentication attempts.
Table 8-7. NSJSPLockOutRealm Attributes

cacheRemovalWarningTime
    If a failed user cannot be added to the cache because there is
    insufficient memory to accommodate the failed user, one of the existing
    entries is removed. If the removed entry has been in the cache for a
    shorter time than the value configured in this attribute, a warning
    message is generated.

cacheSize
    Specifies the maximum number of user slots that hold failed user
    authentication attempts. Over a period of time, the cache grows to the
    size specified by cacheSize and may not shrink. The default size is
    1000 users.

failureCount
    Specifies the number of times in a row that a user has to fail
    authentication to be locked out. The default value is 5.

lockOutTime
    Specifies the time (in seconds) that a user is locked out after too many
    authentication failures. The default value is 300 (5 minutes).
Example 8-7. Configuring an NSJSPLockOutRealm
<Realm className="com.tandem.servlet.catalina.realm.NSJSPLockOutRealm"
       failureCount="3"
       lockOutTime="3600">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
</Realm>
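The following Python model shows the behaviour that Table 8-7 and Example 8-7 describe: sub-realms are tried in order, a user is locked out for lockOutTime seconds after failureCount consecutive failures, and the failed-user cache is bounded by cacheSize so a flood of non-existent usernames cannot grow it without limit. It is an added illustration, not NSJSP or Tomcat code; the class names DictRealm and LockOutRealm, the sample users and the FakeClock are constructed for the example. Two details the page does not specify are assumptions made here: an attempt made while a user is locked out counts as a further failure (so the lock-out window runs from the latest attempt), and when the cache is full the oldest entry is the one evicted.

```python
import time
from collections import OrderedDict


class DictRealm:
    """Hypothetical sub-realm: authenticates against an in-memory user/password map."""

    def __init__(self, users):
        self.users = users  # constructed sample data, not a real user store

    def authenticate(self, user, password):
        return self.users.get(user) == password


class LockOutRealm:
    """Models the attributes in Table 8-7 (added example, not NSJSP's implementation)."""

    def __init__(self, realms, failure_count=5, lock_out_time=300,
                 cache_size=1000, cache_removal_warning_time=3600, clock=time.time):
        self.realms = list(realms)              # nested sub-realms, tried in order
        self.failure_count = failure_count      # failureCount
        self.lock_out_time = lock_out_time      # lockOutTime (seconds)
        self.cache_size = cache_size            # cacheSize
        self.cache_removal_warning_time = cache_removal_warning_time  # cacheRemovalWarningTime
        self.clock = clock                      # injectable clock so the example is deterministic
        # username -> [consecutive failures, time of last failure]; insertion order is
        # kept so the oldest entry can be evicted when the cache is full.
        self.failed = OrderedDict()
        self.warnings = []

    def is_locked(self, user):
        entry = self.failed.get(user)
        if entry is None:
            return False
        failures, last_failure = entry
        return failures >= self.failure_count and self.clock() - last_failure < self.lock_out_time

    def authenticate(self, user, password):
        # Assumption: an attempt during lock-out is rejected and counted as another failure.
        if self.is_locked(user):
            self._register_failure(user)
            return False
        # Success against any sub-realm is sufficient (realms are consulted in order).
        for realm in self.realms:
            if realm.authenticate(user, password):
                self.failed.pop(user, None)  # success resets the consecutive-failure count
                return True
        self._register_failure(user)
        return False

    def _register_failure(self, user):
        now = self.clock()
        if user in self.failed:
            self.failed[user][0] += 1
            self.failed[user][1] = now
            self.failed.move_to_end(user)
            return
        if len(self.failed) >= self.cache_size:
            # Cache is full: evict the oldest entry (assumption) and warn if it was
            # younger than cacheRemovalWarningTime, which suggests the cache is undersized.
            evicted_user, (_, evicted_at) = self.failed.popitem(last=False)
            if now - evicted_at < self.cache_removal_warning_time:
                self.warnings.append(
                    "evicted %s after %.0fs, below cacheRemovalWarningTime" % (evicted_user, now - evicted_at))
        self.failed[user] = [1, now]


class FakeClock:
    """Constructed clock so lock-out expiry can be demonstrated without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Walks through Example 8-7's settings (3 failures, 3600 s) with a small cache."""
    clock = FakeClock()
    realm = LockOutRealm(
        [DictRealm({"alice": "s3cret"}), DictRealm({"bob": "hunter2"})],
        failure_count=3, lock_out_time=3600, cache_size=2,
        cache_removal_warning_time=600, clock=clock)
    r = {}
    r["bob_via_second_realm"] = realm.authenticate("bob", "hunter2")   # True
    r["wrong1"] = realm.authenticate("alice", "x")                      # False
    r["wrong2"] = realm.authenticate("alice", "x")                      # False
    r["locked_after_two"] = realm.is_locked("alice")                    # False
    r["wrong3"] = realm.authenticate("alice", "x")                      # False, now locked
    r["locked_after_three"] = realm.is_locked("alice")                  # True
    r["correct_while_locked"] = realm.authenticate("alice", "s3cret")   # False
    clock.t += 3601                                                     # lockOutTime elapses
    r["locked_after_expiry"] = realm.is_locked("alice")                 # False
    r["correct_after_expiry"] = realm.authenticate("alice", "s3cret")   # True
    for i in range(3):                                                  # three unknown users
        realm.authenticate("ghost%d" % i, "x")
    r["cache_entries"] = len(realm.failed)                              # 2, bounded by cacheSize
    r["warnings"] = len(realm.warnings)                                 # 1, eviction was too early
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last part of demo() is the point of the cacheSize attribute: three unknown usernames fill a cache of two slots, the third forces an eviction, and because the evicted entry was younger than cacheRemovalWarningTime a warning is recorded, which is the signal an administrator would use to decide whether the cache is sized too small for the failure rate being observed.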