Author: ajaquith
Date: Mon Aug 11 21:56:18 2008
New Revision: 685036
URL: http://svn.apache.org/viewvc?rev=685036&view=rev
Log:
Refactored TestEngine so that MockRoundtrips and other heavier sessions are
lazily initialized. Also added a property to AuthenticationManager that allows
login throttling to be switched off (for example, during unit tests). The
effect of these two changes cuts unit test times [on my machine] from 25
minutes down to about 4.5.
Modified:
incubator/jspwiki/trunk/src/com/ecyrd/jspwiki/auth/AuthenticationManager.java
Modified:
incubator/jspwiki/trunk/src/com/ecyrd/jspwiki/auth/AuthenticationManager.java
URL:
http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/com/ecyrd/jspwiki/auth/AuthenticationManager.java?rev=685036&r1=685035&r2=685036&view=diff
==============================================================================
---
incubator/jspwiki/trunk/src/com/ecyrd/jspwiki/auth/AuthenticationManager.java
(original)
+++
incubator/jspwiki/trunk/src/com/ecyrd/jspwiki/auth/AuthenticationManager.java
Mon Aug 11 21:56:18 2008
@@ -97,6 +97,9 @@
/** Value specifying that the user wants to use the built-in JAAS-based
system */
public static final String SECURITY_JAAS = "jaas";
+ /** Whether logins should be throttled to limit brute-forcing attempts.
Defaults to true. */
+ public static final String PROP_LOGIN_THROTTLING =
"jspwiki.login.throttling";
+
protected static final Logger log =
Logger.getLogger( AuthenticationManager.class );
/** Prefix for LoginModule options key/value pairs. */
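Review bot: The Javadoc on `PROP_LOGIN_THROTTLING` does not say that setting the property to false removes the delay that slows password guessing, and the `m_throttleLogins` field added in the second hunk has no comment at all although the fields around it do. Suggest extending the constant's comment to `/** Whether logins should be throttled to limit brute-forcing attempts. Defaults to true; set to false only for unit tests, never on a deployed wiki. */`. For the field, something like `/** Whether login attempts are delayed to slow password guessing; read from PROP_LOGIN_THROTTLING. */` would match the neighbouring declarations.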
@@ -134,6 +137,8 @@
/** Static Boolean for lazily-initializing the "allows assertions" flag */
private boolean m_allowsCookieAssertions = true;
+ private boolean m_throttleLogins = true;
+
/** Static Boolean for lazily-initializing the "allows cookie
authentication" flag */
private boolean m_allowsCookieAuthentication = false;
@@ -175,6 +180,11 @@
PROP_ALLOW_COOKIE_AUTH,
false );
+ // Should we throttle logins? (default: yes)
+ m_throttleLogins = TextUtil.getBooleanProperty( props,
+ PROP_LOGIN_THROTTLING,
+ true );
+
// Look up the LoginModule class
String loginModuleClassName = TextUtil.getStringProperty( props,
PROP_LOGIN_MODULE, DEFAULT_LOGIN_MODULE );
try
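Review bot: Nothing here records that throttling was switched off, so a deployed wiki that ends up with `jspwiki.login.throttling=false` (for example from a copied test properties file) loses its brute-force delay silently. After the property is read, consider `if ( !m_throttleLogins ) log.warn( "Login throttling is disabled via " + PROP_LOGIN_THROTTLING + "; password guessing is no longer rate-limited." );` so the state is visible in the startup log and can be alerted on. The enclosing method starts and ends outside this hunk; the class-level `log` it would use is the Logger declared in the first hunk.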
@@ -348,7 +358,11 @@
return false;
}
- delayLogin(username);
+ // Protect against brute-force password guessing if configured to do so
+ if ( m_throttleLogins )
+ {
+ delayLogin(username);
+ }
UserManager userMgr = m_engine.getUserManager();
CallbackHandler handler = new WikiCallbackHandler(