Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0046189Openbravo ERPA. Platformpublic2021-03-31 08:462021-03-31 16:01
Reporteralostale 
Assigned Toalostale 
PrioritynormalSeveritymajorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target VersionFixed in VersionPR21Q2 
Merge Request Status
Review Assigned To
OBNetwork customer
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0046189: WS calls UserLock for every request even within the same session
DescriptionUserLock feature is checked for all webservice calls even they are done within the context of a valid session.

This mechanism only makes sense while authenticating, but not once the session is created and it's valid.
Steps To Reproduce0. Enable debugging log level for org.openbravo.base.secureApp.UserLock
1. Perform a WS request
  -> OK: checking logs UserLock is invoked
2. Keeping the same session in the client, perform another WS request
  -> ERROR: checking logs UserLock is invoked

Here you can find a client to test it:
https://gitlab.com/alo-issues/openbravo/-/snippets/2098452 [^]
Proposed Solution
Additional Information
TagsNOR, Performance
Relationships
related to defect 0044414 new Triage Platform Base UserLock feature (delay login on wrong login) has bad performance by default 
related to defect 0055823 new Triage Platform Base User locking check should not be done in WS requests for WS-only users 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2021-03-31 08:46alostaleNew Issue
2021-03-31 08:46alostaleAssigned To => platform
2021-03-31 08:46alostaleModules => Core
2021-03-31 08:46alostaleTriggers an Emergency Pack => No
2021-03-31 08:52alostaleSteps to Reproduce Updatedbug_revision_view_page.php?rev_id=22284#r22284
2021-03-31 08:52alostaleRelationship addedrelated to 0044414
2021-03-31 09:05hgbotNote Added: 0127064
2021-03-31 12:35rafarodaTag Attached: NOR
2021-03-31 12:42alostaleAssigned Toplatform => alostale
2021-03-31 12:43alostaleTag Attached: Performance
2021-03-31 16:01hgbotResolutionopen => fixed
2021-03-31 16:01hgbotStatusnew => closed
2021-03-31 16:01hgbotNote Added: 0127074
2021-03-31 16:01hgbotFixed in Version => PR21Q2
2021-03-31 16:01hgbotNote Added: 0127075
2024-06-24 11:49caristuRelationship addedrelated to 0055823

Notes
(0127064)
hgbot   
2021-03-31 09:05   
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/341 [^]
(0127074)
hgbot   
2021-03-31 16:01   
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/341 [^]
(0127075)
hgbot   
2021-03-31 16:01   
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo [^]
Changeset: 80a46c11f8488ef0cd1462dc211af35ca3737317
Author: Asier Lostalé <asier.lostale@openbravo.com>
Date: 2021-03-31T08:57:28+02:00
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/80a46c11f8488ef0cd1462dc211af35ca3737317 [^]

fixed BUG-46189: WS calls UserLock in every request even within the same session

Whenever a webservice request was received, even if a session was
created for it already, doWebServiceAuthenticate method was invoked.
This method is in charge of validating the user is valid, but if the
session is already valid it is not necessary to invoke it. Furthermore,
in the DefaultAuthenticationManager, it cheks user lock to prevent brute
force attacks, this is also worthless having an active session.

Now we check whether there's a valid session (httpSession + OBContext
set with a user ID), in this case doWebServiceAuthenticate is bypassed.

---
M src/org/openbravo/authentication/AuthenticationManager.java
---