[Geoserver-devel] [JIRA] (GEOS-8850) Brute force prevention delay triggered for all login attempts

[Davlet Panech (JIRA)]

Title: Message Title

Davlet Panech created an issue   GeoServer / GEOS-8850 Brute force prevention delay triggered for all login attempts Issue Type: Bug Affects Versions: 2.10.4, 2.13.1 Assignee: Unassigned Created: 17/Jul/18 5:20 PM Priority: Medium Reporter: Davlet Panech Attempting to login with any user/password other than admin/geoserver results in brute force attack prevention measures being activated, even with perfectly valid logins. I can clearly see (in a debugger) that the class BruteForceListener is always invoked twice – once for the actual user login sent from the login form, and then the second time with "admin/geoserver" credentials. I think this is because the home page is trying to check whether the default admin password has been changed in order to display a warning. Anyway, this results in log messages claiming there was a failed login attempt, as well as a few second delay being triggered. I tested this in 2.10.4 and 2.13.1, it looks like this bug has been around for a while. How to reproduce Start geoserver on top of the default data directory included with binary distributions Login as admin Change admin password; the change is accepted, but server log output contains this: [...] 16 Jul 12:10:30 INFO [security.xml] - Successful lock: security/usergroup/default/users.xml.lock 16 Jul 12:10:30 INFO [geoserver.security] - Start storing user/groups for service named default 16 Jul 12:10:30 INFO [geoserver.security] - Storing user/groups successful for service named default 16 Jul 12:10:30 INFO [geoserver.security] - Start reloading user/groups for service named default 16 Jul 12:10:30 INFO [geoserver.security] - Reloading user/groups successful for service named default 16 Jul 12:10:30 INFO [geoserver.security] - Adjusted last modified for file: security/usergroup/default/users.xml 16 Jul 12:10:30 INFO [security.xml] - Successful lock: security/role/default/roles.xml.lock 16 Jul 12:10:30 INFO [geoserver.security] - Storing unnecessary, no change for roles 16 Jul 12:10:30 WARN [geoserver.security] - Failed login, user admin from 0:0:0:0:0:0:0:1 16 Jul 12:10:30 INFO [geoserver.security] - Brute force attack prevention, delaying login for 4981ms 16 Jul 12:10:39 INFO [geoserver.security] - Start reloading user/groups for service named default 16 Jul 12:10:39 INFO [geoserver.security] - Reloading user/groups successful for service named default 16 Jul 12:10:39 INFO [geoserver.security] - Adjusted last modified for file: security/usergroup/default/users.xml [...] Note the "Failed login... / Brute force attack prevention ..." lines Log out and log in with the new password Credentials are accepted accepted, but response is delayed and this appears in server output: 16 Jul 12:11:04 WARN [geoserver.security] - Failed login, user admin from 0:0:0:0:0:0:0:1 16 Jul 12:11:04 INFO [geoserver.security] - Brute force attack prevention, delaying login for 1357ms Add Comment   Get Jira notifications on your phone! Download the Jira Cloud app for Android or iOS This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100089-sha1:2806cf0)

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel