
HOTP and OATH auth-modules do not set 'failureUserID' when throwing InvalidPasswordException, this breaks OpenAM account lockout

Details

• Sprint: AM Sustaining Sprint 17

Description

Whenever an InvalidPasswordException is thrown, the failed 'tokenID' (userId) must be specified, otherwise AccountLockout is broken due to ...

      amAuthHOTP:07/13/2015 02:02:59:600 PM CEST: Thread[http-bio-8080-exec-1,5,main]
      HOTP.process() : HOTP code is not valid
      amLoginModule:07/13/2015 02:03:15:369 PM CEST: Thread[http-bio-8080-exec-1,5,main]
      setFailureID : demo
      ...
      amAuth:07/13/2015 02:06:22:526 PM CEST: Thread[http-bio-8080-exec-1,5,main]
      Invalid Password Exception null

AMLoginModule.wrapProcess(...)
        } catch (InvalidPasswordException e) {
            setFailureState();
            // the failure ID is taken only from the exception; it is null when the module did not set a tokenId
            setFailureID(e.getTokenId());
            throw e;
        }


      This is also present in the HOTP, OATH and the AuthenticatorOATH (AM 13.0.0) modules.
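As an added illustration (not OpenAM's own code), a minimal Java model of the lockout path described above: a module that throws InvalidPasswordException without a tokenId leaves the wrapProcess() catch block with no user to attribute the failure to, so the per-user counter never reaches the lockout threshold; passing the user ID as the tokenId fixes it. Apart from the names quoted in the issue, all class, method and field names here are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

public class LockoutModel {
    // Simplified stand-in for OpenAM's InvalidPasswordException: the tokenId is optional,
    // which is exactly what lets a module forget to set it.
    static class InvalidPasswordException extends Exception {
        private final String tokenId;
        InvalidPasswordException(String msg) { this(msg, null); }
        InvalidPasswordException(String msg, String tokenId) { super(msg); this.tokenId = tokenId; }
        String getTokenId() { return tokenId; }
    }

    // Hypothetical per-user failure counter standing in for AccountLockout.
    static final Map<String, Integer> failures = new HashMap<>();
    static final int LOCKOUT_THRESHOLD = 3;

    interface AuthModule { void process(String user, String otp) throws InvalidPasswordException; }

    // Mirrors the catch block quoted in the issue: the failure ID comes only from the exception.
    static void wrapProcess(AuthModule module, String user, String otp) {
        try {
            module.process(user, otp);
        } catch (InvalidPasswordException e) {
            String failureId = e.getTokenId();   // null when the module did not set it
            if (failureId != null) {
                failures.merge(failureId, 1, Integer::sum);
            }
            // setFailureState() and the rethrow are omitted in this model
        }
    }

    static boolean isLockedOut(String user) {
        return failures.getOrDefault(user, 0) >= LOCKOUT_THRESHOLD;
    }

    // Behaviour reported for HOTP/OATH: the user ID is dropped, so the failure is never attributed.
    static final AuthModule brokenModule = (user, otp) -> {
        if (!"123456".equals(otp)) throw new InvalidPasswordException("HOTP code is not valid");
    };
    // Corrected form: the failed user's ID is passed as the tokenId.
    static final AuthModule fixedModule = (user, otp) -> {
        if (!"123456".equals(otp)) throw new InvalidPasswordException("HOTP code is not valid", user);
    };

    public static void main(String[] args) {
        for (int i = 0; i < LOCKOUT_THRESHOLD; i++) wrapProcess(brokenModule, "demo", "000000");
        System.out.println("broken module locks 'demo' out: " + isLockedOut("demo"));
        failures.clear();
        for (int i = 0; i < LOCKOUT_THRESHOLD; i++) wrapProcess(fixedModule, "demo", "000000");
        System.out.println("fixed module locks 'demo' out: " + isLockedOut("demo"));
    }
}
```

With the broken module the counter stays empty and the user is never locked out; with the fixed module the same three failures trip the threshold.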

People

• Assignee: jonthomas Jonathan Thomas
• Reporter: bthalmayr Bernhard Thalmayr


Time Tracking

• Estimated: 2h
• Remaining: 0h
• Logged: 2h