Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0046189
TypeCategorySeverityReproducibilityDate SubmittedLast Update
defect[Openbravo ERP] A. Platformmajorhave not tried2021-03-31 08:462021-03-31 16:01
ReporteralostaleView Statuspublic 
Assigned Toalostale 
PrioritynormalResolutionfixedFixed in VersionPR21Q2
StatusclosedFix in branchFixed in SCM revision
ProjectionnoneETAnoneTarget Version
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionSCM revision 
Review Assigned To
Web browser
ModulesCore
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0046189: WS calls UserLock for every request even within the same session

DescriptionUserLock feature is checked for all webservice calls even they are done within the context of a valid session.

This mechanism only makes sense while authenticating, but not once the session is created and it's valid.
Steps To Reproduce0. Enable debugging log level for org.openbravo.base.secureApp.UserLock
1. Perform a WS request
  -> OK: checking logs UserLock is invoked
2. Keeping the same session in the client, perform another WS request
  -> ERROR: checking logs UserLock is invoked

Here you can find a client to test it:
https://gitlab.com/alo-issues/openbravo/-/snippets/2098452 [^]
TagsNOR, Performance
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
related to defect 0044414 newTriage Platform Base UserLock feature (delay login on wrong login) has bad performance by default 
related to defect 0055823 newTriage Platform Base User locking check should not be done in WS requests for WS-only users 

-  Notes
(0127064)
hgbot (developer)
2021-03-31 09:05

 Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/341 [^]
(0127074)
hgbot (developer)
2021-03-31 16:01

 Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/341 [^]
(0127075)
hgbot (developer)
2021-03-31 16:01

 Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo [^]
Changeset: 80a46c11f8488ef0cd1462dc211af35ca3737317
Author: Asier Lostalé <asier.lostale@openbravo.com>
Date: 2021-03-31T08:57:28+02:00
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/80a46c11f8488ef0cd1462dc211af35ca3737317 [^]

fixed BUG-46189: WS calls UserLock in every request even within the same session

Whenever a webservice request was received, even if a session was
created for it already, doWebServiceAuthenticate method was invoked.
This method is in charge of validating the user is valid, but if the
session is already valid it is not necessary to invoke it. Furthermore,
in the DefaultAuthenticationManager, it cheks user lock to prevent brute
force attacks, this is also worthless having an active session.

Now we check whether there's a valid session (httpSession + OBContext
set with a user ID), in this case doWebServiceAuthenticate is bypassed.

---
M src/org/openbravo/authentication/AuthenticationManager.java
---

- Issue History
Date Modified Username Field Change
2021-03-31 08:46 alostale New Issue
2021-03-31 08:46 alostale Assigned To => platform
2021-03-31 08:46 alostale Modules => Core
2021-03-31 08:46 alostale Triggers an Emergency Pack => No
2021-03-31 08:52 alostale Steps to Reproduce Updated View Revisions
2021-03-31 08:52 alostale Relationship added related to 0044414
2021-03-31 09:05 hgbot Note Added: 0127064
2021-03-31 12:35 rafaroda Tag Attached: NOR
2021-03-31 12:42 alostale Assigned To platform => alostale
2021-03-31 12:43 alostale Tag Attached: Performance
2021-03-31 16:01 hgbot Resolution open => fixed
2021-03-31 16:01 hgbot Status new => closed
2021-03-31 16:01 hgbot Note Added: 0127074
2021-03-31 16:01 hgbot Fixed in Version => PR21Q2
2021-03-31 16:01 hgbot Note Added: 0127075
2024-06-24 11:49 caristu Relationship added related to 0055823

Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker