[
https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17502823#comment-17502823
]
kirby zhou commented on RANGER-2362:
------------------------------------
Authentication backend such as ldapam has its own lockout mechanism, so just
need to do somethings at JDBC branch. Which is DaoAuthenticationProvider,
DaoAuthenticationProvider::retrieveUser call
UserDetailsService::loadUsersByUsername to get user details. UserDetails have a
Nonlocked property.
The UserDetailsService object is actually a JdbcUserDetailsManager.
Unfortunately JdbcUserDetailsManager|JdbcDaoImpl::loadUsersByUsername do not
load "Nonlocked" from Database, although it loads "enabled" which used by
admin to disable user by hand.
{code:java}
protected List<UserDetails> loadUsersByUsername(String username) {
// @formatter:off
RowMapper<UserDetails> mapper = (rs, rowNum) -> {
String username1 = rs.getString(1);
String password = rs.getString(2);
boolean enabled = rs.getBoolean(3);
return new User(username1, password, enabled, true, true, /* nonlocked:
*/ true, AuthorityUtils.NO_AUTHORITIES);
};
// @formatter:on
return getJdbcTemplate().query(this.usersByUsernameQuery, mapper, username);
} {code}
An Simple Way:
subclass DaoAuthenticationProvider to provide a in-memory lock mech.
override additionalAuthenticationChecks to lock user when many failures.
override retrieveUser to set nonlocked attr into UserDetails.
> [security] Admin webui - Lack of account lockout
> ------------------------------------------------
>
> Key: RANGER-2362
> URL: https://issues.apache.org/jira/browse/RANGER-2362
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
> Affects Versions: 1.0.0
> Reporter: t oo
> Priority: Major
>
> |Account lockout is a mechanism used to stop non-valid users from guessing
> for the right password. It is also a protection against brute force attacks
> wherein an automated system can use common/dictionary passwords or even build
> passwords based on set of characters just to try to guess the valid one.|
> |The application does not implement an account lockout mechanism, leaving it
> susceptible to brute force attacks. These login pages were susceptible to
> this condition.|
> |It is possible for an attacker to use dictionary or brute force attacks and
> set it to attempt sending the requests on a particular amount of time to
> bypass the validation. Once a username has been correctly guessed, the
> attacker may then be able to gain access to the application. Since it is
> vulnerable to Form Auto Complete Active vulnerability (LINK) which makes the
> email addresses easier to guess, it will make brute force attack to more
> likely possible.
> |Enforce account lockout conditions to prevent intrusions and improve
> password requirements and complexities to avoid the chances of brute force
> and dictionary attacks from working.|
> |
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
