Project:
| View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | ||||||||
| 0038651 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| defect | [Openbravo ERP] A. Platform | minor | have not tried | 2018-05-29 16:14 | 2018-06-04 09:48 | |||
| Reporter | alostale | View Status | public | |||||
| Assigned To | alostale | |||||||
| Priority | normal | Resolution | fixed | Fixed in Version | 3.0PR18Q3 | |||
| Status | closed | Fix in branch | Fixed in SCM revision | e32f0aa03825 | ||||
| Projection | none | ETA | none | Target Version | ||||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | SCM revision | |||||||
| Review Assigned To | caristu | |||||||
| Web browser | ||||||||
| Modules | Core | |||||||
| Regression level | ||||||||
| Regression date | ||||||||
| Regression introduced in release | ||||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0038651: problems in user locking implementation | |||||||
| Description | Delayed login after failed attempt and locking user functionalities have some minor issues: 1. When defining an incremental delay for login, it is only possible to set ranges of integer seconds. Increment by 1 second on each failed attempt is too much: it should be possible to define this increment to something smaller than complete seconds. 2. After a failed login attempt, login response is delayed. While in this delay, a database connection is kept open. It would be better to return it to the pool and get another one afterwards. 3. When trying to log in with a non existing user, delay is also correctly applied. The query count number of failed attempts is checking from the beginning of the time (incorrect HQL clause s.creationDate > s.creationDate-1 [1]. It should check if there was any attempt during the last one day at most. 4. After a user is locked, subsequent login attempts mark it as locked again --- [1] https://code.openbravo.com/erp/devel/pi/file/3.0PR18Q2/src/org/openbravo/base/secureApp/UserLock.java#l119 [^] | |||||||
| Steps To Reproduce | 1.1 Configure login.trial.delay.increment to something smaller than a second ie (0.5 secs). 1.2 Start tomcat and try to login -> An exception is logged and no delay is applied 2.1 Configure to several seconds delay 2.2 Fail login -> check an idle in transaction connection is kept open while delaying response 3.1 create 60 entries in ad_session for an invalid user (ie. uername='xx') with creation date 1 month ago 3.2 configure to increment delay 1 second up to 60 seconds 3.3 try to login with user xx -> request is delayed 60 seconds 4.1 configure to lock user after 2 failed login attempts 4.2 try to login with a valid user and an incorrect password 2 times -> WARN message is displayed in openbravo.log -> OK 4.3 do the same again -> the same message appears in log -> Incorrect, once the user is locked it should not be locked again until unlocked. | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
||||||||||||||||||||||
|
||||||||||||||||||||||
 Relationships |
|
Notes |
|
|
(0104776) hgbot (developer) 2018-05-29 16:19 |
Repository: erp/devel/pi Changeset: e32f0aa03825361dbae92f10c849f9772751209a Author: Asier Lostalé <asier.lostale <at> openbravo.com> Date: Tue May 29 16:18:01 2018 +0200 URL: http://code.openbravo.com/erp/devel/pi/rev/e32f0aa03825361dbae92f10c849f9772751209a [^] fixes 38651: problems in user locking implementation Fixes some problems in user locking: 1. When defining an incremental delay for login, it is only possible to set ranges of integer seconds. Increment by 1 second on each failed attempt is too much: it should be possible to define this increment to something smaller than complete seconds. 2. After a failed login attempt, login response is delayed. While in this delay, a database connection is kept open. It would be better to return it to the pool and get another one afterwards. 3. When trying to log in with a non existing user, delay is also correctly applied. The query count number of failed attempts is checking from the beginning of the time. It should check if there was any attempt during the last one day at most. 4. After a user is locked, subsequent login attempts mark it as locked again. --- M src/org/openbravo/base/secureApp/LoginUtils.java M src/org/openbravo/base/secureApp/UserLock.java --- |
|
(0104903) caristu (developer) 2018-06-04 09:48 |
Code reviewed + tested OK. |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2018-05-29 16:14 | alostale | New Issue | |
| 2018-05-29 16:14 | alostale | Assigned To | => alostale |
| 2018-05-29 16:14 | alostale | Modules | => Core |
| 2018-05-29 16:14 | alostale | Triggers an Emergency Pack | => No |
| 2018-05-29 16:18 | alostale | Relationship added | related to 0025466 |
| 2018-05-29 16:18 | alostale | Review Assigned To | => caristu |
| 2018-05-29 16:19 | hgbot | Checkin | |
| 2018-05-29 16:19 | hgbot | Note Added: 0104776 | |
| 2018-05-29 16:19 | hgbot | Status | new => resolved |
| 2018-05-29 16:19 | hgbot | Resolution | open => fixed |
| 2018-05-29 16:19 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/e32f0aa03825361dbae92f10c849f9772751209a [^] |
| 2018-05-29 16:31 | alostale | Relationship added | blocks 0038652 |
| 2018-05-30 10:27 | alostale | Relationship added | related to 0038655 |
| 2018-06-04 09:48 | caristu | Note Added: 0104903 | |
| 2018-06-04 09:48 | caristu | Status | resolved => closed |
| 2018-06-04 09:48 | caristu | Fixed in Version | => 3.0PR18Q3 |
|
Issue History |
| Copyright © 2000 - 2009 MantisBT Group |
 |