Re: [PR] [SYNCOPE-1971] Add authentication failure throttling to avoid brute-force attack [syncope]

via GitHub Mon, 08 Jun 2026 06:06:13 -0700


massx1 commented on code in PR #1413:
URL: https://github.com/apache/syncope/pull/1413#discussion_r3373334812



##########
core/spring/src/main/java/org/apache/syncope/core/spring/security/UsernamePasswordAuthenticationProvider.java:
##########
@@ -96,23 +104,26 @@ public Authentication authenticate(final Authentication 
authentication) {
         }
 
         if (username.get() == null) {
-            username.setValue(authentication.getPrincipal().toString());
+            username.setValue(authenticatingPrincipal);
         }
 
         return finalizeAuthentication(
                 domainKey,
+                authenticatingPrincipal,

Review Comment:
   to block what a malicious user is actually using to authenticate, even when 
that user does not exist.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] [SYNCOPE-1971] Add authentication failure throttling to avoid brute-force attack [syncope]

Reply via email to