Anonymous | Login

Project:

News | My View | View Issues | Roadmap | Summary

View Issue Details[ Jump to Notes ]

[ Issue History ] [ Print ]

ID

0046189

Type

Category

Severity

Reproducibility

Date Submitted

Last Update

defect

[Openbravo ERP] A. Platform

major

have not tried

2021-03-31 08:46

2021-03-31 16:01

Reporter

alostale

View Status

public

Assigned To

alostale

Priority

normal

Resolution

fixed

Fixed in Version

PR21Q2

Status

closed

Fix in branch

Fixed in SCM revision

Projection

none

ETA

none

Target Version

OS

Any

Database

Any

Java version

OS Version

Database version

Ant version

Product Version

SCM revision

Review Assigned To

Web browser

Modules

Core

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

No

Summary

0046189: WS calls UserLock for every request even within the same session

Description

UserLock feature is checked for all webservice calls even they are done within the context of a valid session.

This mechanism only makes sense while authenticating, but not once the session is created and it's valid.

Steps To Reproduce

0. Enable debugging log level for org.openbravo.base.secureApp.UserLock
1. Perform a WS request
-> OK: checking logs UserLock is invoked
2. Keeping the same session in the client, perform another WS request
-> ERROR: checking logs UserLock is invoked

Here you can find a client to test it:
https://gitlab.com/alo-issues/openbravo/-/snippets/2098452 [^]

Tags

NOR, Performance

Relationships [ Relation Graph ] [ Dependency Graph ]

related to

defect

new

Triage Platform Base

UserLock feature (delay login on wrong login) has bad performance by default

Notes
(0127064) hgbot (developer) 2021-03-31 09:05	Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/341 [^]

(0127074) hgbot (developer) 2021-03-31 16:01	Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/341 [^]

(0127075) hgbot (developer) 2021-03-31 16:01	Directly closing issue as related merge request is already approved. Repository: https://gitlab.com/openbravo/product/openbravo [^] Changeset: 80a46c11f8488ef0cd1462dc211af35ca3737317 Author: Asier Lostalé <asier.lostale@openbravo.com> Date: 2021-03-31T08:57:28+02:00 URL: https://gitlab.com/openbravo/product/openbravo/-/commit/80a46c11f8488ef0cd1462dc211af35ca3737317 [^] fixed BUG-46189: WS calls UserLock in every request even within the same session Whenever a webservice request was received, even if a session was created for it already, doWebServiceAuthenticate method was invoked. This method is in charge of validating the user is valid, but if the session is already valid it is not necessary to invoke it. Furthermore, in the DefaultAuthenticationManager, it cheks user lock to prevent brute force attacks, this is also worthless having an active session. Now we check whether there's a valid session (httpSession + OBContext set with a user ID), in this case doWebServiceAuthenticate is bypassed. --- M src/org/openbravo/authentication/AuthenticationManager.java ---

Issue History
Date Modified	Username	Field	Change
2021-03-31 08:46	alostale	New Issue
2021-03-31 08:46	alostale	Assigned To	=> platform
2021-03-31 08:46	alostale	Modules	=> Core
2021-03-31 08:46	alostale	Triggers an Emergency Pack	=> No
2021-03-31 08:52	alostale	Steps to Reproduce Updated	View Revisions
2021-03-31 08:52	alostale	Relationship added	related to 0044414
2021-03-31 09:05	hgbot	Note Added: 0127064
2021-03-31 12:35	rafaroda	Tag Attached: NOR
2021-03-31 12:42	alostale	Assigned To	platform => alostale
2021-03-31 12:43	alostale	Tag Attached: Performance
2021-03-31 16:01	hgbot	Resolution	open => fixed
2021-03-31 16:01	hgbot	Status	new => closed
2021-03-31 16:01	hgbot	Note Added: 0127074
2021-03-31 16:01	hgbot	Fixed in Version	=> PR21Q2
2021-03-31 16:01	hgbot	Note Added: 0127075

Copyright © 2000 - 2009 MantisBT Group