Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0003434
Project: Openbravo ERP
Category: C. Security
View Status: public
Date Submitted: 2007-12-19 11:37
Last Update: 2010-04-19 21:10
Reporter: user71
Assigned To: alostale
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
5
 
Fixed in Version: 2.50MP15
Core
No
0003434: Block user entry after X tryouts of the password
Blocking a user's access temporarily after (for example) 3 wrong tries of entering his password would be useful in order to block possible bots trying multiple accesses.
No tags attached.
related to: defect 0012825 (closed, alostale) api check build 327 fails - part3
blocks: feature request 0000500 (pi, acknowledged, iciordia) User password management
Issue History
2008-07-01 18:31 | pjuvara | Relationship added | blocks 0000500
2008-07-01 18:31 | pjuvara | Status | new => acknowledged
2008-11-16 07:44 | pjuvara | Assigned To | user71 => pjuvara
2009-05-22 19:36 | pjuvara | Assigned To | pjuvara => iciordia
2010-02-23 10:46 | alostale | Note Added: 0024729
2010-02-23 10:47 | alostale | Assigned To | iciordia => alostale
2010-02-23 10:47 | alostale | Status | acknowledged => scheduled
2010-02-23 10:47 | alostale | fix_in_branch | => pi
2010-02-23 12:55 | alostale | Note Edited: 0024729
2010-03-22 09:07 | hgbot | Checkin
2010-03-22 09:07 | hgbot | Note Added: 0025633
2010-03-22 09:07 | hgbot | Status | scheduled => resolved
2010-03-22 09:07 | hgbot | Resolution | open => fixed
2010-03-22 09:07 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/3773586439b9dd3b266256b5e8e69f982a75024b
2010-03-22 09:07 | hgbot | Checkin
2010-03-22 09:07 | hgbot | Note Added: 0025634
2010-03-26 15:12 | shuehner | Relationship added | related to 0012825
2010-03-29 15:28 | shuehner | Note Added: 0025780
2010-03-29 15:28 | shuehner | Status | resolved => closed
2010-03-29 15:28 | shuehner | Fixed in Version | => 2.50MP15
2010-04-19 21:10 | hudsonbot | Checkin
2010-04-19 21:10 | hudsonbot | Note Added: 0026360
2010-04-19 21:10 | hudsonbot | Checkin
2010-04-19 21:10 | hudsonbot | Note Added: 0026361

Notes
(0007023)
user71   
2005-06-01 00:00   
(edited on: 2008-06-12 09:44)
This bug was originally reported in SourceForge bug tracker and then migrated to Mantis.

You can see the original bug report in:
https://sourceforge.net/support/tracker.php?aid=1853846
(0024729)
alostale   
2010-02-23 10:46   
(edited on: 2010-02-23 12:55)
The specs for this feature are:

* Time delay after failed login
When a login attempt to the application fails, the next time the user tries to log in there will be a delay when doing the user/password check. This makes bots trying to find passwords very inefficient. This delay is configurable in Openbravo.properties through 2 new properties:
  - login.trial.delay.increment: Indicates the number of seconds the delay increments for each fail. If it is 0 or empty, no delay is applied.
  - login.trial.delay.max: Maximum delay time. Once this time is reached, the next trial will not increase the delay. If this value is 0 or empty, the delay will be increased without limit.

* Block users
After a number of login trials, the user will be marked as blocked; in future login attempts, this user will not be able to log in till the system administrator unblocks him. This is configured with a new property:
  - login.trials.user.block: The number of trials that blocks the user. If it is 0 or empty, users will not be blocked. Setting this to 0 is the way of disabling this feature; in this way it is possible to use a blocked administrator.

Information about the failed trials will be tracked in AD_Session, making it possible to query which usernames failed when logging in, how many times and from which IPs.
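
The delay and lock policy described in the spec above, as an added illustration in Python; it is not Openbravo's own Java implementation (UserLock.java in the changeset below). The property values, the linear delay growth (failures x increment, capped by the max) and the in-memory failure log standing in for the AD_Session rows are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed sample in Openbravo.properties key=value format; the values are
# assumptions for illustration, not Openbravo's shipped defaults.
PROPERTIES = """
login.trial.delay.increment=2
login.trial.delay.max=10
login.trials.user.block=5
"""

def parse_int_property(text, key):
    """Integer value of key; a missing or empty value counts as 0 (disabled)."""
    for line in text.splitlines():
        if line.startswith(key + "="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value else 0
    return 0

@dataclass
class LoginPolicy:
    delay_increment: int  # seconds added to the delay per failed trial
    delay_max: int        # cap on the delay; 0 means no cap
    block_trials: int     # failures that block the user; 0 means never block
    # (timestamp, source ip) per username: stands in for the failed-trial
    # rows the spec says are tracked in AD_Session (hypothetical structure)
    failures: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    @classmethod
    def from_properties(cls, text):
        return cls(parse_int_property(text, "login.trial.delay.increment"),
                   parse_int_property(text, "login.trial.delay.max"),
                   parse_int_property(text, "login.trials.user.block"))

    def delay_for(self, username):  # seconds to wait before the next password check
        n = len(self.failures.get(username, []))
        if self.delay_increment == 0 or n == 0:
            return 0
        delay = n * self.delay_increment  # assumption: linear growth per failure
        return delay if self.delay_max == 0 else min(delay, self.delay_max)

    def record_failure(self, username, source_ip, when):  # True if now blocked
        self.failures.setdefault(username, []).append((when, source_ip))
        if self.block_trials and len(self.failures[username]) >= self.block_trials:
            self.blocked.add(username)
        return username in self.blocked

    def unblock(self, username):  # administrator action: clear block and history
        self.blocked.discard(username)
        self.failures.pop(username, None)
```

The failure log keeps the source IP of every failed trial, so the "which usernames, how many times, from which IPs" query the spec mentions is a walk over `failures`.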

(0025633)
hgbot   
2010-03-22 09:07   
Repository: erp/devel/pi
Changeset: 3773586439b9dd3b266256b5e8e69f982a75024b
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Mon Mar 22 08:37:02 2010 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/3773586439b9dd3b266256b5e8e69f982a75024b

fixed issue 3434

Added locking mechanism to user account in case of n failed login trials.

---
M config/Openbravo.properties.template
M referencedata/sampledata/Accounting_Test.xml
M referencedata/sampledata/SmallBazaar.xml
M src-core/src/org/openbravo/xmlEngine/XmlEngine.java
M src-db/database/model/tables/AD_SESSION.xml
M src-db/database/model/tables/AD_USER.xml
M src-db/database/sourcedata/AD_COLUMN.xml
M src-db/database/sourcedata/AD_ELEMENT.xml
M src-db/database/sourcedata/AD_FIELD.xml
M src-db/database/sourcedata/AD_MESSAGE.xml
M src-db/database/sourcedata/AD_REFERENCE.xml
M src-db/database/sourcedata/AD_REF_LIST.xml
M src-db/database/sourcedata/AD_TABLE.xml
M src-db/database/sourcedata/referencedData/AD_USER.xml
M src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
M src/org/openbravo/base/secureApp/LoginHandler.java
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/base/secureApp/VariablesHistory.java
M src/org/openbravo/erpCommon/obps/ActivationKey.java
M src/org/openbravo/erpCommon/security/SessionLogin.java
M src/org/openbravo/erpCommon/security/SessionLogin_data.xsql
M src/org/openbravo/erpCommon/ws/externalSales/ExternalSalesImpl.java
M src/org/openbravo/erpCommon/ws/externalSales/ExternalSalesOrder_data.xsql
M src/org/openbravo/erpCommon/ws/services/WebServiceImpl.java
M src/org/openbravo/erpCommon/ws/services/WebServices_data.xsql
M src/org/openbravo/service/web/BaseWebServiceServlet.java
A src/org/openbravo/base/secureApp/UserLock.java
---
(0025634)
hgbot   
2010-03-22 09:07   
Repository: erp/devel/pi
Changeset: 8058a973c73f7319cde6f5f4cf975d48abf7525b
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Mon Mar 22 09:10:49 2010 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/8058a973c73f7319cde6f5f4cf975d48abf7525b

related to issue 3434: Reorder DB elements after merge

---
M src-db/database/sourcedata/AD_COLUMN.xml
M src-db/database/sourcedata/AD_ELEMENT.xml
M src-db/database/sourcedata/AD_FIELD.xml
M src-db/database/sourcedata/AD_REFERENCE.xml
---
(0025780)
shuehner   
2010-03-29 15:28   
The whole project was tested by me (shuehner) in the pi-user branch, before reintegration into pi.

Topics tested:
- planned changes (locking users, delay)
- all login/session related topics (login, normal timeout, kill user session (forced logout))
- the two extra Authentication managers shipped in core (Autologin, CasLam):
  Note: the feature is only implemented in the StandardAuthenticationManagers; all other implementations were only tested to behave like they did before
(0026360)
hudsonbot   
2010-04-19 21:10   
A changeset related to this issue has been promoted to main after passing a series of tests and an OBX has been generated:

Changeset: http://code.openbravo.com/erp/devel/main/rev/3773586439b9
Merge Changeset: http://code.openbravo.com/erp/devel/main/rev/91d98bda46c1
Tests: http://builds.openbravo.com/view/devel-int/
OBX: http://builds.openbravo.com/erp/core/obx/OpenbravoERP-2.50CI.17088.obx
(0026361)
hudsonbot   
2010-04-19 21:10   
A changeset related to this issue has been promoted to main after passing a series of tests and an OBX has been generated:

Changeset: http://code.openbravo.com/erp/devel/main/rev/8058a973c73f
Merge Changeset: http://code.openbravo.com/erp/devel/main/rev/91d98bda46c1
Tests: http://builds.openbravo.com/view/devel-int/
OBX: http://builds.openbravo.com/erp/core/obx/OpenbravoERP-2.50CI.17088.obx