  1. OpenAM
  2. OPENAM-13154

Lockout Duration Multiplier has no effect

    Details

    • Target Version/s:
    • Sprint:
      AM Sustaining Sprint 52
    • Story Points:
      3
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      Yes

      Description

      OPENAM-11167 breaks the 'Lockout Duration Multiplier' setting which relied on the previous approach of reading actualLockoutDuration from the profile.

       

      Steps to reproduce

      1. Enable "Login Failure Lockout Mode" and "Store Invalid Attempts in Data Store".

      2. Set "Lockout Duration Multiplier" to 2.

      3. Lock the user, wait for "Login Failure Lockout Interval" and unlock the user with a successful authentication.

      4. Lock the user again.

      5. Perform another authentication failure and check the value of actualLockoutDuration. It does not take the multiplier into account.

       

      When resetting lockout attempts after successful authentication, ISAccountLockout.resetLockoutAttempts() sets actualLockoutDuration in the profile with the multiplier.

      actualLockoutDuration = failureLockoutMultiplier * (currentLockoutDuration);

      But on the next failed login, since OPENAM-11167, actualLockoutDuration is overwritten with the value taken from configuration, not the profile.
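
The sequence from the steps to reproduce, as an added simulation that is not OpenAM code: a simplified Python model comparing a failed login that keeps the actualLockoutDuration stored in the profile with one that overwrites it from configuration. The class and field names, the rule that the multiplier is applied only after a lockout, and the sample values 3 and 10 are assumptions.

```python
from dataclasses import dataclass

@dataclass
class LockoutConfig:  # hypothetical stand-in for the lockout settings
    failure_count: int = 3      # constructed: failures before lockout
    lockout_duration: int = 10  # constructed: base duration, arbitrary time units
    multiplier: int = 2         # "Lockout Duration Multiplier" from step 2

@dataclass
class Profile:  # hypothetical stand-in for state kept in the data store
    fail_count: int = 0
    actual_lockout_duration: int = 0  # 0 means nothing stored yet
    locked_until: int = 0

class LockoutModel:
    def __init__(self, config, overwrite_from_config):
        self.config = config
        self.overwrite_from_config = overwrite_from_config  # True = reported behaviour
        self.profile = Profile()

    def failed_login(self, now):
        p, c = self.profile, self.config
        # Reported behaviour: the configured value replaces the stored one every time.
        if self.overwrite_from_config or p.actual_lockout_duration == 0:
            p.actual_lockout_duration = c.lockout_duration
        p.fail_count += 1
        if p.fail_count >= c.failure_count:
            p.locked_until = now + p.actual_lockout_duration

    def successful_login(self, now):
        p, c = self.profile, self.config
        if now < p.locked_until:
            return False  # still locked out
        if p.fail_count >= c.failure_count:  # assumption: escalate only after a lockout
            p.actual_lockout_duration = c.multiplier * p.actual_lockout_duration
        p.fail_count = 0
        return True

def reproduce(overwrite_from_config):
    m = LockoutModel(LockoutConfig(), overwrite_from_config)
    for _ in range(m.config.failure_count):  # step 3: lock the user
        m.failed_login(now=0)
    now = m.profile.locked_until             # wait until the lockout has expired
    if not m.successful_login(now):          # unlock; the reset applies the multiplier
        raise RuntimeError("expected the lockout to have expired")
    for _ in range(m.config.failure_count):  # step 4: lock the user again
        m.failed_login(now)
    m.failed_login(now)                      # step 5: one more failure
    return m.profile.actual_lockout_duration
```

In this model `reproduce(False)` ends with the doubled duration and `reproduce(True)` ends with the configured base value, which is the symptom described in step 5.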


              People

              • Assignee:
                lawrence.yarham Lawrence Yarham
                Reporter:
                andrew.dunn Andrew Dunn [X] (Inactive)