How to fix Tomcat WARNING: An attempt was made to authenticate the locked user?
Asked Answered
E

2

27

I am using Tomcat 7 with for Spring and JPA Application, database MySQL. Everything is working fine.but sometime realm.LockOutRealm authenticate problem will arise. I also used connection pooling in my application like:

persistence.xml:

<properties>
      <property name="hibernate.connection.username" value="---"/>
      <property name="hibernate.connection.driver_class" value="com.mysql.jdbc.Driver"/>
      <property name="hibernate.connection.password" value="----------"/>
      <property name="hibernate.connection.url" value="jdbc:mysql://----------?autoReconnect=true"/>
      <!--Connection Pooling c3p0 configuration-->
      <!--Minimum number of JDBC connections in the pool. Hibernate default: 1-->
      <property name="hibernate.c3p0.min_size" value="5"/>
      <!--Maximum number of JDBC connections in the pool. Hibernate default: 100-->
      <property name="hibernate.c3p0.max_size" value="20"/>
      <!--When an idle connection is removed from the pool (in second). Hibernate default: 0, never expire.-->
      <property name="hibernate.c3p0.timeout" value="300"/>
      <!--Number of prepared statements will be cached. Increase performance. Hibernate default: 0 , caching is disable.-->
      <property name="hibernate.c3p0.max_statements" value="50"/>
      <!--idle time in seconds before a connection is automatically validated. Hibernate default: 0-->
      <property name="hibernate.c3p0.idle_test_period" value="300"/>
</properties>

and realm in server.xml looks like :

<!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

I search on net but couldnot find solution about this. is there any one on brute force attack and if there is than what is the solution of this.

Error log in Catelina.out in is:

Mar 02, 2013 3:28:34 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Mar 02, 2013 3:29:49 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Mar 02, 2013 3:31:04 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Mar 02, 2013 3:37:25 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
Mar 02, 2013 3:38:47 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
Mar 02, 2013 3:39:58 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
Mar 02, 2013 3:46:31 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "coyote"
Mar 02, 2013 3:52:49 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "manager"
Mar 02, 2013 3:59:03 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "administrator"
Mar 02, 2013 4:06:38 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Mar 02, 2013 4:07:52 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Mar 02, 2013 4:09:17 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Mar 02, 2013 4:10:35 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Mar 02, 2013 4:11:47 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Mar 02, 2013 4:13:02 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Mar 02, 2013 4:14:17 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Mar 02, 2013 4:15:34 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"

> Hibernate: select

---------------------------------- 
javax.persistence.PersistenceException: 
org.hibernate.exception.JDBCConnectionException: could not execute query

(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
    at com.mysql.jdbc.Util.handleNewInstance(Util.java:409)
    at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:1118)
    at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:3321)
    at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1940)
    at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2113)
    at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2568)
    at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2113)
    at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2275)
    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeQuery(NewProxyPreparedStatement.java:116)
    at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:186)
    at org.hibernate.loader.Loader.getResultSet(Loader.java:1787)
    at org.hibernate.loader.Loader.doQuery(Loader.java:674)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
    at org.hibernate.loader.Loader.doList(Loader.java:2220)
    ... 39 more
Caused by: java.net.SocketException: Broken pipe
Expatriate answered 11/3, 2013 at 11:20 Comment(0)
F
21

The warning above means that you fail to authenticate the user tomcat more than once. Tomcat suspects that it is brute force attack on the user tomcat.

What authentication you use in your application? What login-config you use in web.xml of the application?

The default configuration of resourceName "UserDatabase" is the file conf/tomcat-users.xml. Did you change the configuration of resourceName "UserDatabase"?

You can find the configuration of the resource UserDatabase in the file server.xml:

<Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

By default all users are commented. To be able to work with users from the XML file you should uncomment. Then, you will be able to login with user tomcat:

<tomcat-users>
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>

Best regards,

Michael

Folkestone answered 11/3, 2013 at 12:19 Comment(7)
Thanks Michael. @Michael: No Change at by me in server.xml. Its same as sample code paste by you. While in tomcat-users.xml is also same as default copy. here all <tomcat-users> are commented. Do i need to uncomment user for deploy my application or run..?? I am asking because i have one another project with different machine with tomcat 7 and this is working fine with same configuration. In what case i am trying or to login user tomcat.? Actully i am not getting the actual case where the problem arises because its random sometimes this problem arises or sometime not Plz suggest meExpatriate
@om sharma I still need your clarification if you use Tomcat authentication. What login-config you use in web.xml of the application? The example for the Basic Authentication: <login-config> <auth-method>BASIC</auth-method> </login-config> If you use the Tomcat authentication you need to uncomment the file or define the Tomcat realm. If my answer feet your expectation you can accept it and promote it.Folkestone
appreciated <pre> In web.xml no such entry related to login-confi. its default no changes by me mannually. I am using netbeans for deploying application on tomcat 7. is something wrong.. or do you need some more explanation form my side.???? </pre>Expatriate
@om sharma, I checked Tomcat 7 sources and I can confirm than Tomcat call to the method authenticate of all configured realms only if you use Tomcat authentication or Tomcat SSO. If you state that you do not use the Tomcat authentication you do not need to uncomment tomcat-users.xml. Also, in this case warnings should not appear. If they appear only within NetBeans deployments (and not in the production) may be you can ignore them and to clarify the issue with NetBean forum. Hope it helps.Folkestone
@Michael: I've two versions of tomcat on my system installed. One of which I'd installed and another one was installed by the netbeans at the installation time. Few days ago I was able to run JSP projects well. But now its asking me for authentication and not getting authenticated. The error is same that was of @OmSharmaBodywork
Please go over the answer and the comments and check if for 2 deployments. It should solve the issueFolkestone
@Folkestone if this process continues to happen does that leads to reqular shut down of tomcat service??Tramontane
F
3

(To the 16k visitors to this page:

Since this is on SO, I'll assume readers are developers.)

This error indicates that you have a script / user trying to login with an incorrect user/pass. Fixing this is simple, simply add the correct user/pass pair to the file ApacheTomcat\conf\tomcat-users.xml and restart the server.

Also ensure that you have the role properly set. E.g. if you're sending basic HTTP auth requests to localhost:8080/manager, you'll need the manager-gui role:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="foobar" password="foobar" roles="tomcat,role1, manager-gui "/>
</tomcat-users>
Fraud answered 21/9, 2015 at 8:31 Comment(3)
What if the problem was the user not remembering the password? Is there a way to unlock the account without restarting tomcat?Kohl
The account unlocks automatically after 300 seconds (default).Respecting
I'm getting this error because my backend is using Basic Authentication. i.e. Tomcat should not authenticate. No way to disable these errors?Goren

© 2022 - 2024 — McMap. All rights reserved.