	REPO-1489: Slowdown of brute force attack on passwords
- Fixed when the warning is shown (on the next login after protection is enabled); extended tests to cover the protection-enabled flag. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@133276 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
		| @@ -432,7 +432,7 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp | ||||
|         { | ||||
|             this.numLogins+=1; | ||||
|             this.timeStamp = System.currentTimeMillis(); | ||||
|             if (numLogins == protectionLimit && logger.isWarnEnabled()) | ||||
|             if (numLogins == protectionLimit + 1 && logger.isWarnEnabled()) | ||||
|             { | ||||
|                 // Shows only first 2 symbols of the username and masks all other character with '*' | ||||
|                 logger.warn("Brute force attack was detected for user " + | ||||
|   | ||||
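Review bot: The warning on the `numLogins == protectionLimit + 1` line fires only on that exact count, so if the counter keeps climbing the brute-force detection is logged once and never again while attempts continue; a monitoring rule keyed on this message would see a single event for a sustained attack, so if that is deliberate it should be stated. The `+ 1` is also not obvious without the commit message: `numLogins` is incremented on the line above before the check, so the equality matches the first attempt after the limit has been reached, and a comment such as `// Warn once, on the first attempt after protectionLimit is reached (counter is already incremented)` saves the next reader re-deriving it. The enclosing method starts and ends outside the hunk, so I cannot see where `numLogins` is reset or whether the increment is guarded against concurrent logins.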
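--- a/AuthenticationServiceImplTest.java
+++ b/AuthenticationServiceImplTest.java
@@ -156,6 +156,32 @@ public class AuthenticationServiceImplTest
                 cache.get(USERNAME));
     }
 
+    @Test
+    public void testProtectionDisabledBadPassword()
+    {
+        int attempts = 5;
+        authService.setProtectionPeriodSeconds(99999);
+        authService.setProtectionLimit(attempts - 2);
+        authService.setProtectionEnabled(false);
+
+        Exception spoofedAE = new AuthenticationException("Bad password");
+        doThrow(spoofedAE).when(authenticationComponent).authenticate(USERNAME, PASSWORD);
+        for (int i = 0; i < attempts; i++)
+        {
+            try
+            {
+                authService.authenticate(USERNAME, PASSWORD);
+                fail("The " + AuthenticationException.class.getName() + " should have been thrown.");
+            }
+            catch (AuthenticationException ae)
+            {
+                assertTrue("Expected failure from AuthenticationComponent", ae == spoofedAE);
+            }
+        }
+        verify(authenticationComponent, times(attempts)).authenticate(USERNAME, PASSWORD);
+        assertNull("The user should not be in the cache.", cache.get(USERNAME));
+    }
+
     private class MockCache<K extends Serializable, V> implements SimpleCache<K,V>
     {
         private Map<K,V> internalCache;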
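Review bot: `assertTrue("Expected failure from AuthenticationComponent", ae == spoofedAE)` in testProtectionDisabledBadPassword hides a reference comparison behind a boolean, so a failure reports nothing about what was actually thrown; `assertSame("Expected failure from AuthenticationComponent", spoofedAE, ae)` states the intent and prints both objects. The configuration values `attempts - 2` and `setProtectionPeriodSeconds(99999)` are unexplained, and a one-line comment saying the limit is deliberately set below the attempt count so that protection would have engaged had it been enabled would make the test's purpose readable without the commit message. Verifying that every attempt reaches authenticationComponent and that the user is not cached is the right pair of observations for the disabled flag; I cannot see from this hunk whether a sibling test pins the enabled path with the same limit.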