OpenAM / OPENAM-15766

LoginState - account lockout is checked although AM AccountLockout is disabled


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 14.1.1.1, 14.1.1.2, 14.1.1.3, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 14.1.1.4, 6.0.0.5, 14.1.1.5, 14.1.2.2, 6.5.0, 6.0.0.6, 6.5.0.1, 6.0.0.7, 14.1.2.3, 6.5.1, 6.5.0.2, 14.1.2.4, 6.5.2, 6.5.2.1, 6.5.2.2, 14.1.2.5, 14.1.2.11
    • Fix Version/s: None
    • Component/s: authentication
    • Environment: Oracle JDK 1.8.0_201-b09
      Apache Tomcat/9.0.8
      AM 6.0.0
    • Sprint: AM Sustaining Sprint 70, AM Sustaining Sprint 71
    • 2

      Description

      Bug description

      REST authenticate call returns '{"code":401,"reason":"Unauthorized","message":"Your account has been locked."}' although the identity does not exist.

      How to reproduce the issue

      1. Auth chain: persistent cookie module, LDAP authentication module
      2. Core Auth Settings - User Profile: required; no AM account locking
      3. DS: no account locking
      4. Custom IdRepo implementation, supported types and ops ('user=read')
      5. Perform REST-based authentication, e.g. using Postman
      6. Check that the persistent auth cookie is present in Postman
      7. Remove all cookies from Postman except the persistent auth cookie
      8. Remove the identity used for authentication from the user data store
      9. Perform REST-based authentication again

      Expected behaviour

      REST authenticate call should return '{"code":401,"reason":"Unauthorized","message":"User Requires Profile to Login"}'

      Current behaviour

      REST authenticate call returns '{"code":401,"reason":"Unauthorized","message":"Your account has been locked."}'


      Code analysis

      com.sun.identity.authentication.service.LoginState.java
      ...
          // Current code: the AMAccountLockout checks run for every non-application
          // module login, regardless of whether AM account lockout is enabled.
          public boolean isAccountLocked(String username) {
              if (StringUtils.isEmpty(username) || isApplicationModule(indexName)) {
                  return false;
              }
              AMAccountLockout amAccountLockout = new AMAccountLockout(this);
              return amAccountLockout.isLockedOut(username) || amAccountLockout.isAccountLocked(username);
          }
      ...


      should be changed to (see attached diff):

          // Proposed code: only consult AMAccountLockout when lockout is enabled,
          // so a missing identity is not reported as a locked account.
          public boolean isAccountLocked(String username) {
              boolean isAccountLocked = false;
              if (StringUtils.isEmpty(username) || isApplicationModule(indexName)) {
                  return isAccountLocked;
              }
              AMAccountLockout amAccountLockout = new AMAccountLockout(this);
              if (amAccountLockout.isLockoutEnabled()) {
                  isAccountLocked = amAccountLockout.isLockedOut(username) || amAccountLockout.isAccountLocked(username);
              }
              return isAccountLocked;
          }

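      The following script replays reproduction steps 5-9 above against an AM instance from the command line instead of Postman. It is an added example and is not part of the original issue or of the AM code base. It assumes an AM 6-style endpoint (/json/realms/<realm>/authenticate), zero-page login via the X-OpenAM-Username/X-OpenAM-Password headers, and that the persistent cookie module uses its default cookie name session-jwt; the two response messages it distinguishes are the ones quoted in the report. The classification of the step 9 response is kept in its own function so it can be checked offline on captured bodies.

```python
"""Replay of reproduction steps 5-9 against an AM instance (added example)."""
import json
import sys
import urllib.error
import urllib.request
from http.cookies import SimpleCookie

# Messages quoted in the report (expected vs. observed on step 9).
EXPECTED_MSG = "User Requires Profile to Login"
LOCKED_MSG = "Your account has been locked."


def classify_auth_response(status, body):
    """Map an /authenticate response to the outcome the report distinguishes.

    Returns 'tokenId' (login succeeded), 'expected' (401 with the
    profile-required message), 'bug' (401 with the lockout message although
    AM account lockout is disabled) or 'other'.
    """
    try:
        data = json.loads(body) if isinstance(body, (str, bytes)) else body
    except ValueError:
        return "other"
    if not isinstance(data, dict):
        return "other"
    if status == 200 and "tokenId" in data:
        return "tokenId"
    if status == 401 and data.get("message") == EXPECTED_MSG:
        return "expected"
    if status == 401 and data.get("message") == LOCKED_MSG:
        return "bug"
    return "other"


def authenticate(base_url, realm, chain, headers=None, cookies=None):
    """POST to the AM REST authenticate endpoint for one chain.

    Returns (status, body, set_cookies); set_cookies holds the cookies AM set
    on the response, the persistent cookie module's cookie among them.
    """
    url = (f"{base_url}/json/realms/{realm}/authenticate"
           f"?authIndexType=service&authIndexValue={chain}")
    req = urllib.request.Request(url, data=b"", method="POST")
    req.add_header("Accept-API-Version", "resource=2.0, protocol=1.0")
    req.add_header("Content-Type", "application/json")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    if cookies:
        req.add_header("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))
    try:
        with urllib.request.urlopen(req) as resp:
            status, body, hdrs = resp.status, resp.read().decode(), resp.headers
    except urllib.error.HTTPError as err:
        # AM answers the failing cases with a 401 and a JSON body; keep both.
        status, body, hdrs = err.code, err.read().decode(), err.headers
    jar = SimpleCookie()
    for raw in hdrs.get_all("Set-Cookie") or []:
        jar.load(raw)
    return status, body, {name: morsel.value for name, morsel in jar.items()}


def reproduce(base_url, realm, chain, username, password, cookie_name="session-jwt"):
    """Steps 5-9: log in, keep only the persistent cookie, replay after deletion."""
    # Step 5/6: zero-page login; the persistent cookie module sets its cookie
    # (assumed default name session-jwt; adjust if configured otherwise).
    status, body, set_cookies = authenticate(
        base_url, realm, chain,
        headers={"X-OpenAM-Username": username, "X-OpenAM-Password": password})
    print("step 5:", status, classify_auth_response(status, body))
    if cookie_name not in set_cookies:
        sys.exit(f"no {cookie_name!r} cookie in the response; check the chain")
    # Step 7/8: every cookie but the persistent one is dropped; the identity is
    # removed from the user data store out of band before continuing.
    input("step 8: remove the identity from the user data store, then press Enter ")
    # Step 9: replay with only the persistent cookie.
    status, body, _ = authenticate(
        base_url, realm, chain, cookies={cookie_name: set_cookies[cookie_name]})
    outcome = classify_auth_response(status, body)
    print("step 9:", status, body, "->", outcome)
    return outcome


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: repro.py BASE_URL REALM CHAIN USERNAME PASSWORD")
    print("result:", reproduce(*sys.argv[1:]))
```

      Run it as `python repro.py https://am.example.com:8443/am root <chain> <user> <password>` (hostname and chain are placeholders); an outcome of 'bug' on step 9 is the behaviour this issue reports, 'expected' is the behaviour the reporter asks for.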

            People

            lawrence.yarham Lawrence Yarham
            bthalmayr Bernhard Thalmayr