REPO-1489: Slowdown of brute force attack on passwords

- Fixed when the warning is shown (on the next login after protection is enabled)
   - extended tests to cover the protection-enabled flag.


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@133276 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Alex Mukha
2016-11-29 13:02:59 +00:00
parent c927123331
commit 2cce1b76d5
2 changed files with 27 additions and 1 deletions


@@ -432,7 +432,7 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
{ {
this.numLogins+=1; this.numLogins+=1;
this.timeStamp = System.currentTimeMillis(); this.timeStamp = System.currentTimeMillis();
if (numLogins == protectionLimit && logger.isWarnEnabled()) if (numLogins == protectionLimit + 1 && logger.isWarnEnabled())
{ {
// Shows only first 2 symbols of the username and masks all other character with '*' // Shows only first 2 symbols of the username and masks all other character with '*'
logger.warn("Brute force attack was detected for user " + logger.warn("Brute force attack was detected for user " +
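Review bot: The changed condition `numLogins == protectionLimit + 1` means the warning is logged exactly once, on the first attempt rejected after the limit was reached, and never again while attempts continue; that is a sensible anti-flooding choice, but the `+ 1` reads like an off-by-one and deserves a comment so the next reader does not "fix" it back. Suggest placing `// Warn once, on the first attempt rejected after the limit was reached; later attempts stay silent to avoid flooding the log` above the `if`. Because it is an equality check there is no second chance, so it is worth confirming that `numLogins` cannot be reset or incremented elsewhere in a way that skips this exact value — I cannot see that from here, as the enclosing method starts and ends outside the hunk.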


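--- a/AuthenticationServiceImplTest.java
+++ b/AuthenticationServiceImplTest.java
@@ -156,6 +156,32 @@ public class AuthenticationServiceImplTest
 cache.get(USERNAME));
 }
+@Test
+public void testProtectionDisabledBadPassword()
+{
+int attempts = 5;
+authService.setProtectionPeriodSeconds(99999);
+authService.setProtectionLimit(attempts - 2);
+authService.setProtectionEnabled(false);
+Exception spoofedAE = new AuthenticationException("Bad password");
+doThrow(spoofedAE).when(authenticationComponent).authenticate(USERNAME, PASSWORD);
+for (int i = 0; i < attempts; i++)
+{
+try
+{
+authService.authenticate(USERNAME, PASSWORD);
+fail("The " + AuthenticationException.class.getName() + " should have been thrown.");
+}
+catch (AuthenticationException ae)
+{
+assertTrue("Expected failure from AuthenticationComponent", ae == spoofedAE);
+}
+}
+verify(authenticationComponent, times(attempts)).authenticate(USERNAME, PASSWORD);
+assertNull("The user should not be in the cache.", cache.get(USERNAME));
+}
 private class MockCache<K extends Serializable, V> implements SimpleCache<K,V>
 {
 private Map<K,V> internalCache;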
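Review bot: `assertTrue("Expected failure from AuthenticationComponent", ae == spoofedAE)` in the catch block of the new test hides both operands behind a boolean, so a failure reports only that the condition was false; `assertSame("Expected failure from AuthenticationComponent", spoofedAE, ae);` makes the same identity check and names both exceptions in the message. The test also returns with `protectionEnabled` switched off and the limit set below the attempt count; if `authService` is shared between tests rather than rebuilt in a `@Before` (the fixture setup is outside this hunk), later tests would run without brute-force protection, so either restore the flag at the end of the test or confirm the fixture is recreated per test. A short comment above `authService.setProtectionEnabled(false)`, such as `// limit and period are deliberately set so protection would trigger; only the disabled flag must keep all attempts reaching the component`, would make the intent of the three setters obvious.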