REPO-1489: Slowdown of brute force attack on passwords

- Fixed the point at which the warning is logged (the next login after protection is enabled)
   - extended tests to cover the protection-enabled flag.


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@133276 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Alex Mukha
2016-11-29 13:02:59 +00:00
parent c927123331
commit 2cce1b76d5
2 changed files with 27 additions and 1 deletions


@@ -432,7 +432,7 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
{
this.numLogins+=1;
this.timeStamp = System.currentTimeMillis();
if (numLogins == protectionLimit && logger.isWarnEnabled())
if (numLogins == protectionLimit + 1 && logger.isWarnEnabled())
{
// Shows only first 2 symbols of the username and masks all other character with '*'
logger.warn("Brute force attack was detected for user " +