如何解决Tomcat警告：试图验证锁定的用户？

Question

我正在使用Tomcat 7进行Spring和JPA Application，数据库MySQL。 一切正常，但有时会出现realm.LockOutRealm验证问题。我还使用连接池在我的应用程序，如：

的persistence.xml：

<properties> 
     <property name="hibernate.connection.username" value="---"/> 
     <property name="hibernate.connection.driver_class" value="com.mysql.jdbc.Driver"/> 
     <property name="hibernate.connection.password" value="----------"/> 
     <property name="hibernate.connection.url" value="jdbc:mysql://----------?autoReconnect=true"/> 
     <!--Connection Pooling c3p0 configuration--> 
     <!--Minimum number of JDBC connections in the pool. Hibernate default: 1--> 
     <property name="hibernate.c3p0.min_size" value="5"/> 
     <!--Maximum number of JDBC connections in the pool. Hibernate default: 100--> 
     <property name="hibernate.c3p0.max_size" value="20"/> 
     <!--When an idle connection is removed from the pool (in second). Hibernate default: 0, never expire.--> 
     <property name="hibernate.c3p0.timeout" value="300"/> 
     <!--Number of prepared statements will be cached. Increase performance. Hibernate default: 0 , caching is disable.--> 
     <property name="hibernate.c3p0.max_statements" value="50"/> 
     <!--idle time in seconds before a connection is automatically validated. Hibernate default: 0--> 
     <property name="hibernate.c3p0.idle_test_period" value="300"/> 
</properties> 

和server.xml中境界的样子：

<!-- Use the LockOutRealm to prevent attempts to guess user passwords 
      via a brute-force attack --> 
     <Realm className="org.apache.catalina.realm.LockOutRealm"> 
     <!-- This Realm uses the UserDatabase configured in the global JNDI 
      resources under the key "UserDatabase". Any edits 
      that are performed against this UserDatabase are immediately 
      available for use by the Realm. --> 
     <Realm className="org.apache.catalina.realm.UserDatabaseRealm" 
       resourceName="UserDatabase"/> 
     </Realm> 

     <Host name="localhost" appBase="webapps" 
      unpackWARs="true" autoDeploy="true"> 

     <!-- SingleSignOn valve, share authentication between web applications 
      Documentation at: /docs/config/valve.html --> 
     <!-- 
     <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> 
     --> 

我上搜索网，但无法找到解决方案。是否有任何关于蛮力攻击的问题，以及是否有解决这个问题的方案。

错误日志中Catelina.out是：

Mar 02, 2013 3:28:34 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "tomcat" 
Mar 02, 2013 3:29:49 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "tomcat" 
Mar 02, 2013 3:31:04 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "tomcat" 
Mar 02, 2013 3:37:25 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "admin" 
Mar 02, 2013 3:38:47 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "admin" 
Mar 02, 2013 3:39:58 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "admin" 
Mar 02, 2013 3:46:31 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "coyote" 
Mar 02, 2013 3:52:49 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "manager" 
Mar 02, 2013 3:59:03 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "administrator" 
Mar 02, 2013 4:06:38 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "root" 
Mar 02, 2013 4:07:52 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "root" 
Mar 02, 2013 4:09:17 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "root" 
Mar 02, 2013 4:10:35 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "root" 
Mar 02, 2013 4:11:47 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "root" 
Mar 02, 2013 4:13:02 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "root" 
Mar 02, 2013 4:14:17 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "root" 
Mar 02, 2013 4:15:34 PM org.apache.catalina.realm.LockOutRealm authenticate 
WARNING: An attempt was made to authenticate the locked user "root" 

> Hibernate: select 

---------------------------------- 
javax.persistence.PersistenceException: 
org.hibernate.exception.JDBCConnectionException: could not execute query 

(DelegatingConstructorAccessorImpl.java:45) 
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525) 
    at com.mysql.jdbc.Util.handleNewInstance(Util.java:409) 
    at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:1118) 
    at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:3321) 
    at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1940) 
    at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2113) 
    at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2568) 
    at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2113) 
    at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2275) 
    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeQuery(NewProxyPreparedStatement.java:116) 
    at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186) 
    at org.hibernate.loader.Loader.getResultSet(Loader.java:1787) 
    at org.hibernate.loader.Loader.doQuery(Loader.java:674) 
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236) 
    at org.hibernate.loader.Loader.doList(Loader.java:2220) 
    ... 39 more 
Caused by: java.net.SocketException: Broken pipe 

Answer 1

上面的警告意味着你无法给用户tomcat的多次验证。 Tomcat怀疑这是对用户tomcat的蛮力攻击。

你在你的应用程序中使用了什么认证？在应用程序的web.xml中使用什么登录配置？

resourceName“UserDatabase”的默认配置是文件conf/tomcat-users.xml。 您是否更改了resourceName“UserDatabase”的配置？

你可以找到的server.xml文件资源UserDatabase的配置：

<Resource name="UserDatabase" auth="Container" 
       type="org.apache.catalina.UserDatabase" 
       description="User database that can be updated and saved" 
       factory="org.apache.catalina.users.MemoryUserDatabaseFactory" 
       pathname="conf/tomcat-users.xml" /> 

默认情况下，所有用户评论。 为了能够与XML文件中的用户一起工作，您应该取消注释。然后，您将能够与用户的tomcat登录：

<tomcat-users> 
    <role rolename="tomcat"/> 
    <user username="tomcat" password="tomcat" roles="tomcat"/> 
</tomcat-users> 

最好的问候，

迈克尔

Answer 2

_{（对16K游人到此页：}

由于这是上所以我会假设读者是开发者。）

这个错误在指示您有脚本/用户尝试使用不正确的用户/密码登录。解决这个问题很简单，只需将正确的用户/密码对添加到文件ApacheTomcat\conf\tomcat-users.xml和重新启动服务器。

另外请确保您已正确设置角色。例如。在server.xml中 没有变化由我：如果你发送基本的HTTP认证请求localhost:8080/manager，您将需要manager-gui作用：

<?xml version='1.0' encoding='utf-8'?> 
<tomcat-users> 
    <role rolename="manager-gui"/> 
    <user username="foobar" password="foobar" roles="tomcat,role1, manager-gui "/> 
</tomcat-users>