[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17502823#comment-17502823 ]
kirby zhou commented on RANGER-2362:
------------------------------------

Authentication backends such as ldap/pam have their own lockout mechanism, so we only need to do something in the JDBC branch, which is DaoAuthenticationProvider. DaoAuthenticationProvider::retrieveUser calls UserDetailsService::loadUsersByUsername to get the user details. UserDetails has a NonLocked property. The UserDetailsService object is actually a JdbcUserDetailsManager. Unfortunately JdbcUserDetailsManager|JdbcDaoImpl::loadUsersByUsername does not load "NonLocked" from the database, although it loads "enabled", which is used by the admin to disable a user by hand.

{code:java}
protected List<UserDetails> loadUsersByUsername(String username) {
    // @formatter:off
    RowMapper<UserDetails> mapper = (rs, rowNum) -> {
        String username1 = rs.getString(1);
        String password = rs.getString(2);
        boolean enabled = rs.getBoolean(3);
        // accountNonExpired, credentialsNonExpired and accountNonLocked are hard-coded to true;
        // only "enabled" comes from the users table
        return new User(username1, password, enabled, true, true, /* nonlocked: */ true, AuthorityUtils.NO_AUTHORITIES);
    };
    // @formatter:on
    return getJdbcTemplate().query(this.usersByUsernameQuery, mapper, username);
}
{code}

A simple way: subclass DaoAuthenticationProvider to provide an in-memory lock mechanism. Override additionalAuthenticationChecks to lock the user after many failures. Override retrieveUser to set the nonlocked attribute in UserDetails.

> [security] Admin webui - Lack of account lockout
> ------------------------------------------------
>
>                 Key: RANGER-2362
>                 URL: https://issues.apache.org/jira/browse/RANGER-2362
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, Ranger
>    Affects Versions: 1.0.0
>            Reporter: t oo
>            Priority: Major
>
> |Account lockout is a mechanism used to stop non-valid users from guessing the right password. It is also a protection against brute force attacks wherein an automated system can use common/dictionary passwords or even build passwords based on a set of characters just to try to guess the valid one.|
> |The application does not implement an account lockout mechanism, leaving it susceptible to brute force attacks. These login pages were susceptible to this condition.|
> |It is possible for an attacker to use dictionary or brute force attacks and set it to attempt sending the requests over a particular amount of time to bypass the validation. Once a username has been correctly guessed, the attacker may then be able to gain access to the application. Since it is vulnerable to the Form Auto Complete Active vulnerability (LINK), which makes the email addresses easier to guess, it makes a brute force attack more likely to be possible.
> |Enforce account lockout conditions to prevent intrusions and improve password requirements and complexities to avoid the chances of brute force and dictionary attacks from working.|
> |

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
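The subclassing approach sketched in the comment above, written out as an added example; this is illustrative code, not Ranger's implementation or a patch attached to the issue. It relies only on the Spring Security classes named in the comment (DaoAuthenticationProvider, UserDetails, User) and assumes a threshold, a lock window and a java.time.Clock supplied by the caller. Because JdbcDaoImpl hard-codes accountNonLocked to true, retrieveUser re-creates the UserDetails with the lock state from an in-memory table, so the provider's built-in pre-authentication check raises LockedException before the password is even compared; additionalAuthenticationChecks counts password failures and clears the counter on success.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * Hypothetical DaoAuthenticationProvider subclass that adds a temporary,
 * in-memory account lockout (example code, not part of Ranger).
 * State is per JVM: it is lost on restart and not shared between admin nodes.
 */
public class LockoutDaoAuthenticationProvider extends DaoAuthenticationProvider {

    /** Failure bookkeeping for one username. */
    private static final class FailureRecord {
        int failures;
        Instant lastFailure;
    }

    private final int maxFailures;          // failures allowed inside one window before locking
    private final Duration lockDuration;    // how long the lock (and the failure window) lasts
    private final Clock clock;              // injected so the behaviour is testable
    private final Map<String, FailureRecord> records = new ConcurrentHashMap<>();

    public LockoutDaoAuthenticationProvider(int maxFailures, Duration lockDuration, Clock clock) {
        this.maxFailures = maxFailures;
        this.lockDuration = lockDuration;
        this.clock = clock;
    }

    /** True while the username has reached the threshold and the lock has not yet expired. */
    boolean isLocked(String username) {
        FailureRecord r = records.get(username);
        if (r == null) {
            return false;
        }
        synchronized (r) {
            if (r.failures < maxFailures) {
                return false;
            }
            if (clock.instant().isAfter(r.lastFailure.plus(lockDuration))) {
                records.remove(username, r);   // lock expired: forget the record
                return false;
            }
            return true;
        }
    }

    private void recordFailure(String username) {
        FailureRecord r = records.computeIfAbsent(username, k -> new FailureRecord());
        synchronized (r) {
            Instant now = clock.instant();
            // Failures older than the window do not count toward the threshold.
            if (r.lastFailure != null && now.isAfter(r.lastFailure.plus(lockDuration))) {
                r.failures = 0;
            }
            r.failures++;
            r.lastFailure = now;
        }
    }

    /**
     * JdbcDaoImpl always returns accountNonLocked=true, so rebuild the UserDetails
     * with the real lock state. The base class's pre-authentication checks then
     * throw LockedException for a locked account before the password is compared.
     */
    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        UserDetails loaded = super.retrieveUser(username, authentication);
        return new User(loaded.getUsername(), loaded.getPassword(), loaded.isEnabled(),
                loaded.isAccountNonExpired(), loaded.isCredentialsNonExpired(),
                !isLocked(username), loaded.getAuthorities());
    }

    /** Count a wrong password as a failure; a correct one resets the counter. */
    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
                                                  UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        try {
            super.additionalAuthenticationChecks(userDetails, authentication);
        } catch (BadCredentialsException e) {
            recordFailure(userDetails.getUsername());
            throw e;
        }
        records.remove(userDetails.getUsername());
    }
}
```

Two design points worth keeping in mind when adapting this: the lock is keyed by username and auto-expires after lockDuration, so a burst of failures against an existing account only denies that account for a bounded time rather than permanently, and unknown usernames are never counted because the base provider converts the lookup failure into BadCredentialsException before additionalAuthenticationChecks runs. If a UserCache is configured on the provider, retrieveUser is skipped for cached users and the lock flag would go stale, so the example assumes the default NullUserCache.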