REPO-1489: Slowdown of brute force attack on passwords
- Fixed when the warning is shown (next login after protection is enabled); extended tests to cover the protection-enabled flag. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@133276 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
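--- a/AuthenticationServiceImpl.java
+++ b/AuthenticationServiceImpl.java
@@ -432,7 +432,7 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
 {
     this.numLogins+=1;
     this.timeStamp = System.currentTimeMillis();
-    if (numLogins == protectionLimit && logger.isWarnEnabled())
+    if (numLogins == protectionLimit + 1 && logger.isWarnEnabled())
     {
         // Shows only first 2 symbols of the username and masks all other character with '*'
         logger.warn("Brute force attack was detected for user " +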
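Review bot: The `+ 1` in the new condition is a magic offset with no comment, and because the comparison is an exact `==` the warning fires only on the single attempt where numLogins lands exactly on protectionLimit + 1 — if protectionLimit is lowered at runtime via setProtectionLimit() after the counter has already passed it, the warning is never logged at all. Record the intent on the line above the check: `// Warn on the first attempt after the limit was reached, i.e. the first login the protection actually rejects (REPO-1489)`. A more robust form would be `numLogins > protectionLimit` guarded by a per-entry "warned" flag, which still guarantees exactly one warning per protection window. The enclosing method starts and ends outside this hunk, so whether this block can be reached while protection is disabled cannot be confirmed here.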
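--- a/AuthenticationServiceImplTest.java
+++ b/AuthenticationServiceImplTest.java
@@ -156,6 +156,32 @@ public class AuthenticationServiceImplTest
         cache.get(USERNAME));
     }
 
+    @Test
+    public void testProtectionDisabledBadPassword()
+    {
+        int attempts = 5;
+        authService.setProtectionPeriodSeconds(99999);
+        authService.setProtectionLimit(attempts - 2);
+        authService.setProtectionEnabled(false);
+
+        Exception spoofedAE = new AuthenticationException("Bad password");
+        doThrow(spoofedAE).when(authenticationComponent).authenticate(USERNAME, PASSWORD);
+        for (int i = 0; i < attempts; i++)
+        {
+            try
+            {
+                authService.authenticate(USERNAME, PASSWORD);
+                fail("The " + AuthenticationException.class.getName() + " should have been thrown.");
+            }
+            catch (AuthenticationException ae)
+            {
+                assertTrue("Expected failure from AuthenticationComponent", ae == spoofedAE);
+            }
+        }
+        verify(authenticationComponent, times(attempts)).authenticate(USERNAME, PASSWORD);
+        assertNull("The user should not be in the cache.", cache.get(USERNAME));
+    }
+
     private class MockCache<K extends Serializable, V> implements SimpleCache<K,V>
     {
         private Map<K,V> internalCache;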
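Review bot: testProtectionDisabledBadPassword mutates shared service configuration (`setProtectionPeriodSeconds(99999)`, `setProtectionLimit(attempts - 2)`, `setProtectionEnabled(false)`) and never restores it; if authService is reused across tests rather than rebuilt in a setup method (not visible in this hunk), a later test that assumes protection is enabled would pass or fail depending on execution order. Either reset the three settings at the end of the method or in an @After, or state in a comment that a fresh instance is built per test. The method also has no Javadoc summary; suggested: `/** With protection disabled every bad-password attempt must reach the AuthenticationComponent unchanged and no protection entry may be cached for the user. */`. The try/fail/catch loop repeats the pattern of the preceding tests and could be lifted into a private helper such as `assertAuthenticationFailsWith(Exception expected)`.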