Bug 1255814
| Summary: | brute force prevention login delay should not be applied to successful login requests | ||
|---|---|---|---|
| Product: | [oVirt] ovirt-engine-extension-aaa-jdbc | Reporter: | Juan Hernández <juan.hernandez> |
| Component: | General | Assignee: | Martin Perina <mperina> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ondra Machacek <omachace> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 1.0.0 | CC: | alonbl, bugs, oourfali, s.kieske, ylavi |
| Target Milestone: | ovirt-3.6.0-rc | Keywords: | Regression |
| Target Release: | 1.0.0 | Flags: | ylavi:
ovirt-3.6.0?
rule-engine: blocker? rule-engine: planning_ack? rule-engine: devel_ack+ pstehlik: testing_ack+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | infra | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-04 13:35:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Juan Hernández
2015-08-21 15:45:01 UTC
The delay after login attempt is intended as a protection against brute force attacks. The timeout can be changed using ovirt-aaa-jdbc-tool settings set --name=MINIMUM_RESPONSE_SECONDS --value=NNN where NNN is timeout in seconds. Logout command is not supported in aaa-jdbc extension, so there should be no delay when closing the session. If it is intended to protect from brute force attacks then the delay should be included only for failed requests, not for successful ones. And please remember to add this to the release notes. (In reply to Juan Hernández from comment #2) > If it is intended to protect from brute force attacks then the delay should > be included only for failed requests, not for successful ones. Hmm, I didn't noticed on the 1st look that the timeout is applied every time, I will fix that, thanks. I will need to investigate the logout timeout, not sure what causes it. It isn't a logout request, rather a request to close the session. It looks like this: GET /ovirt-engine/api HTTP/1.1 Authorization: Basic Y...z Cookie: JSESSIONID=8...I Note that this request it doesn't include the "Prefer: persistent-auth" header. When the "Authorization" header is included (and correct), the "Prefer" header isn't included, and the JSESSIONID cookie is included (and correct) the meaning is "close this session". In this case the delay is also applied, and it shouldn't. I guess that if you remove the delay when the authentication is successful then the delay in this case will also be removed. Fixed in ovirt-engine-extension-aaa-jdbc-1.0.0-0.0.master.20150831142449.git4d9c713 Fix contained in oVirt 3.6.0 RC1 Fixed bug tickets must have version flags set prior to fixing them. Please set the correct version flags and move the bugs back to the previous status after this is corrected. This bug report has Keywords: Regression or TestBlocker. Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP. ok with ovirt-engine-extension-aaa-jdbc-1.0.0-2.el6ev.noarch oVirt 3.6.0 has been released on November 4th, 2015 and should fix this issue. If problems still persist, please open a new BZ and reference this one. |