View Issue Details
ID: 0003434
Type: feature request
Category: [Openbravo ERP] C. Security
Severity: minor
Reproducibility: always
Date Submitted: 2007-12-19 11:37
Last Update: 2010-04-19 21:10
Reporter: user71
View Status: public
Assigned To: alostale
Priority: normal
Resolution: fixed
Fixed in Version: 2.50MP15
Status: closed
Fix in branch: pi
Fixed in SCM revision: 3773586439b9
Projection: none
ETA: none
OS: Any
Database: Any
Modules: Core
Triggers an Emergency Pack: No
Summary

0003434: Block user entry after X tryouts of the password

Description: Blocking a user's access temporarily after (for example) 3 wrong tries of entering his password would be useful in order to block possible bots trying multiple accesses.
Tags: No tags attached.

Relationships
related to: defect 0012825 (closed, alostale) api check build 327 fails - part3
blocks: feature request 0000500 (pi, acknowledged, iciordia) User password management

Notes
(0007023)
user71
2005-06-01 00:00
edited on: 2008-06-12 09:44

This bug was originally reported in SourceForge bug tracker and then migrated to Mantis.

You can see the original bug report in:
https://sourceforge.net/support/tracker.php?aid=1853846
(0024729)
alostale (manager)
2010-02-23 10:46
edited on: 2010-02-23 12:55

The specs for this feature are:

*Time delay after login failed
When there's a fail trying to log in to the application, next time the user tries to log in there will be a delay when doing the user/password check. This makes bots trying to find passwords very inefficient. This delay is configurable in Openbravo.properties through 2 new properties:
  -login.trial.delay.increment: Indicates the number of seconds the delay increments for each fail. If it is 0 or empty, no delay is applied.
  -login.trial.delay.max: Maximum delay time. Once this time is reached, the next trial will not increase the delay. If this value is 0 or empty, the delay will be increased without limit.

*Block users
After a number of login trials, the user will be marked as blocked; in future login attempts, this user will not be able to log in till the system administrator unblocks him. This is configured with a new property:
  -login.trials.user.block: The number of trials that blocks the user. If it is 0 or empty, users will not be blocked. Setting this to 0 is the way of disabling this feature; in this way it is possible to use a blocked administrator.

Information about the failed trials will be tracked in AD_SESSION, making it possible to query which usernames failed when logging in, how many times and from which IPs.
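The delay and lock rules from the spec above, as an added Python model that is not Openbravo's code (the project itself is Java). It reads the three properties from a constructed Openbravo.properties fragment; the per-username counter, the audit rows standing in for AD_SESSION, and the assumption that a successful login resets the counter are mine, not part of the spec.

```python
from dataclasses import dataclass, field

SAMPLE_PROPERTIES = """
# constructed Openbravo.properties fragment; example values, not project defaults
login.trial.delay.increment=2
login.trial.delay.max=5
login.trials.user.block=4
"""

def load_policy(text):
    """Parse key=value lines into (increment, max, block); empty or missing values count as 0."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    get = lambda k: int(props[k]) if props.get(k) else 0
    return get("login.trial.delay.increment"), get("login.trial.delay.max"), get("login.trials.user.block")

def delay_for(failed, increment, maximum):
    """Seconds to wait before the user/password check after `failed` prior failures (max 0 = no cap)."""
    delay = failed * increment  # increment 0 yields no delay at all
    return min(delay, maximum) if maximum > 0 else delay

@dataclass
class LoginTracker:
    increment: int
    maximum: int
    block_after: int
    failures: dict = field(default_factory=dict)  # username -> failed trials so far
    locked: set = field(default_factory=set)      # stays set until an administrator unlocks
    audit: list = field(default_factory=list)     # (username, ip, outcome) rows, as AD_SESSION would hold
    def attempt(self, username, ip, password_ok):
        wait = delay_for(self.failures.get(username, 0), self.increment, self.maximum)
        if self.block_after > 0 and username in self.locked:  # block_after=0 lets a locked admin back in
            outcome, wait = "blocked", 0
        elif password_ok:
            outcome = "ok"
            self.failures[username] = 0  # assumption: a successful login resets the counter
        else:
            n = self.failures[username] = self.failures.get(username, 0) + 1
            outcome = "locked" if 0 < self.block_after <= n else "fail"
            if outcome == "locked":
                self.locked.add(username)
        self.audit.append((username, ip, outcome))
        return outcome, wait

def simulate():
    tracker = LoginTracker(*load_policy(SAMPLE_PROPERTIES))  # four wrong passwords, then a right one
    return [tracker.attempt("alice", "10.0.0.7", ok) for ok in (False, False, False, False, True)]
```

`simulate()` returns the (outcome, delay) pair for each trial; with the sample values the fourth failure locks the account and the fifth attempt is refused even with the right password.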

(0025633)
hgbot (developer)
2010-03-22 09:07

Repository: erp/devel/pi
Changeset: 3773586439b9dd3b266256b5e8e69f982a75024b
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Mon Mar 22 08:37:02 2010 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/3773586439b9dd3b266256b5e8e69f982a75024b

fixed issue 3434

Added locking mechanism to user account in case of n failed login trials.

---
M config/Openbravo.properties.template
M referencedata/sampledata/Accounting_Test.xml
M referencedata/sampledata/SmallBazaar.xml
M src-core/src/org/openbravo/xmlEngine/XmlEngine.java
M src-db/database/model/tables/AD_SESSION.xml
M src-db/database/model/tables/AD_USER.xml
M src-db/database/sourcedata/AD_COLUMN.xml
M src-db/database/sourcedata/AD_ELEMENT.xml
M src-db/database/sourcedata/AD_FIELD.xml
M src-db/database/sourcedata/AD_MESSAGE.xml
M src-db/database/sourcedata/AD_REFERENCE.xml
M src-db/database/sourcedata/AD_REF_LIST.xml
M src-db/database/sourcedata/AD_TABLE.xml
M src-db/database/sourcedata/referencedData/AD_USER.xml
M src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
M src/org/openbravo/base/secureApp/LoginHandler.java
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/base/secureApp/VariablesHistory.java
M src/org/openbravo/erpCommon/obps/ActivationKey.java
M src/org/openbravo/erpCommon/security/SessionLogin.java
M src/org/openbravo/erpCommon/security/SessionLogin_data.xsql
M src/org/openbravo/erpCommon/ws/externalSales/ExternalSalesImpl.java
M src/org/openbravo/erpCommon/ws/externalSales/ExternalSalesOrder_data.xsql
M src/org/openbravo/erpCommon/ws/services/WebServiceImpl.java
M src/org/openbravo/erpCommon/ws/services/WebServices_data.xsql
M src/org/openbravo/service/web/BaseWebServiceServlet.java
A src/org/openbravo/base/secureApp/UserLock.java
---
(0025634)
hgbot (developer)
2010-03-22 09:07

Repository: erp/devel/pi
Changeset: 8058a973c73f7319cde6f5f4cf975d48abf7525b
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Mon Mar 22 09:10:49 2010 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/8058a973c73f7319cde6f5f4cf975d48abf7525b

related to issue 3434: Reorder DB elements after merge

---
M src-db/database/sourcedata/AD_COLUMN.xml
M src-db/database/sourcedata/AD_ELEMENT.xml
M src-db/database/sourcedata/AD_FIELD.xml
M src-db/database/sourcedata/AD_REFERENCE.xml
---
(0025780)
shuehner (administrator)
2010-03-29 15:28

Whole project was tested by me (shuehner) in the pi-user branch, before reintegration into pi.

Topics tested:
- planned changes (locking users, delay)
- all login/session related topics (login,normal timeout, kill user session (forced logout))
- the two extra Authentication managers shipped in core (Autologin, CasLam):
  Note: the feature is only implemented in the StandardAuthenticationManagers; all other implementations were only tested to behave like they did before
(0026360)
hudsonbot (developer)
2010-04-19 21:10

A changeset related to this issue has been promoted to main after passing a series of tests and an OBX has been generated:

Changeset: http://code.openbravo.com/erp/devel/main/rev/3773586439b9
Merge Changeset: http://code.openbravo.com/erp/devel/main/rev/91d98bda46c1
Tests: http://builds.openbravo.com/view/devel-int/
OBX: http://builds.openbravo.com/erp/core/obx/OpenbravoERP-2.50CI.17088.obx
(0026361)
hudsonbot (developer)
2010-04-19 21:10

A changeset related to this issue has been promoted to main after passing a series of tests and an OBX has been generated:

Changeset: http://code.openbravo.com/erp/devel/main/rev/8058a973c73f
Merge Changeset: http://code.openbravo.com/erp/devel/main/rev/91d98bda46c1
Tests: http://builds.openbravo.com/view/devel-int/
OBX: http://builds.openbravo.com/erp/core/obx/OpenbravoERP-2.50CI.17088.obx

Issue History
Date Modified Username Field Change
2008-07-01 18:31 pjuvara Relationship added blocks 0000500
2008-07-01 18:31 pjuvara Status new => acknowledged
2008-11-16 07:44 pjuvara Assigned To user71 => pjuvara
2009-05-22 19:36 pjuvara Assigned To pjuvara => iciordia
2010-02-23 10:46 alostale Note Added: 0024729
2010-02-23 10:47 alostale Assigned To iciordia => alostale
2010-02-23 10:47 alostale Status acknowledged => scheduled
2010-02-23 10:47 alostale fix_in_branch => pi
2010-02-23 12:55 alostale Note Edited: 0024729
2010-03-22 09:07 hgbot Checkin
2010-03-22 09:07 hgbot Note Added: 0025633
2010-03-22 09:07 hgbot Status scheduled => resolved
2010-03-22 09:07 hgbot Resolution open => fixed
2010-03-22 09:07 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/3773586439b9dd3b266256b5e8e69f982a75024b
2010-03-22 09:07 hgbot Checkin
2010-03-22 09:07 hgbot Note Added: 0025634
2010-03-26 15:12 shuehner Relationship added related to 0012825
2010-03-29 15:28 shuehner Note Added: 0025780
2010-03-29 15:28 shuehner Status resolved => closed
2010-03-29 15:28 shuehner Fixed in Version => 2.50MP15
2010-04-19 21:10 hudsonbot Checkin
2010-04-19 21:10 hudsonbot Note Added: 0026360
2010-04-19 21:10 hudsonbot Checkin
2010-04-19 21:10 hudsonbot Note Added: 0026361

