Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0038651Openbravo ERPA. Platformpublic2018-05-29 16:142018-06-04 09:48
Reporteralostale 
Assigned Toalostale 
PrioritynormalSeverityminorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target VersionFixed in Version3.0PR18Q3 
Merge Request Status
Review Assigned Tocaristu
OBNetwork customer
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0038651: problems in user locking implementation
DescriptionDelayed login after failed attempt and locking user functionalities have some minor issues:

1. When defining an incremental delay for login, it is only possible to set ranges of integer seconds. Increment by 1 second on each failed attempt is too much: it should be possible to define this increment to something smaller than complete seconds.
2. After a failed login attempt, login response is delayed. While in this delay, a database connection is kept open. It would be better to return it to the pool and get another one afterwards.
3. When trying to log in with a non existing user, delay is also correctly applied. The query count number of failed attempts is checking from the beginning of the time (incorrect HQL clause s.creationDate > s.creationDate-1 [1]. It should check if there was any attempt during the last one day at most.
4. After a user is locked, subsequent login attempts mark it as locked again

---
[1] https://code.openbravo.com/erp/devel/pi/file/3.0PR18Q2/src/org/openbravo/base/secureApp/UserLock.java#l119 [^]
Steps To Reproduce1.1 Configure login.trial.delay.increment to something smaller than a second ie (0.5 secs).
1.2 Start tomcat and try to login
  -> An exception is logged and no delay is applied

2.1 Configure to several seconds delay
2.2 Fail login
   -> check an idle in transaction connection is kept open while delaying response

3.1 create 60 entries in ad_session for an invalid user (ie. uername='xx') with creation date 1 month ago
3.2 configure to increment delay 1 second up to 60 seconds
3.3 try to login with user xx
   -> request is delayed 60 seconds

4.1 configure to lock user after 2 failed login attempts
4.2 try to login with a valid user and an incorrect password 2 times
  -> WARN message is displayed in openbravo.log -> OK
4.3 do the same again
  -> the same message appears in log -> Incorrect, once the user is locked it should not be locked again until unlocked.
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
related to defect 00254663.0PR14Q2 closed alostale Performace problem during the login 
related to defect 0038655 closed alostale incorrect query in UserLock 
blocks feature request 0038652 closed alostale security default: delay response after failed login attempt 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2018-05-29 16:14alostaleNew Issue
2018-05-29 16:14alostaleAssigned To => alostale
2018-05-29 16:14alostaleModules => Core
2018-05-29 16:14alostaleTriggers an Emergency Pack => No
2018-05-29 16:18alostaleRelationship addedrelated to 0025466
2018-05-29 16:18alostaleReview Assigned To => caristu
2018-05-29 16:19hgbotCheckin
2018-05-29 16:19hgbotNote Added: 0104776
2018-05-29 16:19hgbotStatusnew => resolved
2018-05-29 16:19hgbotResolutionopen => fixed
2018-05-29 16:19hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/e32f0aa03825361dbae92f10c849f9772751209a [^]
2018-05-29 16:31alostaleRelationship addedblocks 0038652
2018-05-30 10:27alostaleRelationship addedrelated to 0038655
2018-06-04 09:48caristuNote Added: 0104903
2018-06-04 09:48caristuStatusresolved => closed
2018-06-04 09:48caristuFixed in Version => 3.0PR18Q3

Notes
(0104776)
hgbot   
2018-05-29 16:19   
Repository: erp/devel/pi
Changeset: e32f0aa03825361dbae92f10c849f9772751209a
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Tue May 29 16:18:01 2018 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/e32f0aa03825361dbae92f10c849f9772751209a [^]

fixes 38651: problems in user locking implementation

  Fixes some problems in user locking:

    1. When defining an incremental delay for login, it is only possible to set
       ranges of integer seconds. Increment by 1 second on each failed attempt
       is too much: it should be possible to define this increment to something
       smaller than complete seconds.
    2. After a failed login attempt, login response is delayed. While in this
       delay, a database connection is kept open. It would be better to return
       it to the pool and get another one afterwards.
    3. When trying to log in with a non existing user, delay is also correctly
       applied. The query count number of failed attempts is checking from the
       beginning of the time. It should check if there was any attempt during the
       last one day at most.
    4. After a user is locked, subsequent login attempts mark it as locked again.

---
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/base/secureApp/UserLock.java
---
(0104903)
caristu   
2018-06-04 09:48   
Code reviewed + tested OK.