[OPENAM-10905] Memory account lock does not use a consistent User ID value when storing lockout count in cache
Created: 17/Mar/17 | Updated: 09/Jan/18 | Resolved: 31/Mar/17

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 12.0.0, 12.0.1, 12.0.3, 12.0.4, 13.0.0, 13.5.0
Fix Version/s: 13.5.1, 14.5.0, 14.1.2
Type: Bug
Priority: Major
Reporter: Mark de Reeper
Assignee: Mark de Reeper
Resolution: Fixed
Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: OpenAM with account lock enabled and using memory rather than LDAP to store the failed attempts.
Issue Links:
Sprint: AM Sustaining Sprint 36, AM Sustaining Sprint 37
Story Points: 3
QA Assignee: Filip Kubáň [X] (Inactive)
Verified Version/s:
Description

Memory account lock does not use a consistent User ID value when reading and writing the lockout count in cache, which can lead to a user not being seen as locked out when in fact they should be, after the number of failed authentication attempts has hit the maximum allowed. The following log snippet is based on results from a debug patch used on a customer site seeing this issue, illustrating the different variations being used when updating the count and checking for existing counts:

ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.invalidPasswd: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:com.sun.identity.common.AccountLockoutInfo@2265f320 for userDN:cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:test1
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:test1
ERROR: ISAccountLockout.getAcInfo: acInfo:null for userDN:id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org
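The failure mode in the log above, as an added illustration that is not OpenAM code: a toy in-memory lockout store that keys its cache by whatever identifier the caller happens to pass in, beside the same store keyed by a single canonical user ID. The three identifier spellings are the ones from the log; the `CANONICAL_ID` table (standing in for an identity-repository lookup), the `MemoryLockout` class, the threshold of three failures and the attempt sequence are all assumptions constructed for this example.

```python
from dataclasses import dataclass

MAX_FAILURES = 3          # assumed threshold: lock on the third failed attempt
LOCKOUT_SECONDS = 60.0    # matches actualLockoutDuration=60000 ms seen in the verification log

# The three spellings of one account that appear in the ticket's log.
ID_DN = "id=test1,ou=user,o=ci,ou=services,dc=openam,dc=forgerock,dc=org"
CN_DN = "cn=test1,ou=internal users,ou=testusers,dc=dev,dc=local"
SHORT = "test1"

# Constructed stand-in for an identity-repository lookup that resolves every
# identifier a module may hand over to one canonical user ID. Not OpenAM code;
# the canonical value itself is an assumption for the example.
CANONICAL_ID = {ID_DN: "test1@dev.local", CN_DN: "test1@dev.local", SHORT: "test1@dev.local"}


@dataclass
class LockoutInfo:
    """Mirrors the fields printed in the ticket's AccountLockoutInfo log lines."""
    fail_count: int = 0
    last_fail_time: float = 0.0
    locked: bool = False
    lockout_at: float = 0.0


class MemoryLockout:
    """In-memory failed-attempt cache; key_fn decides what the cache is keyed by."""

    def __init__(self, key_fn, max_failures=MAX_FAILURES, duration=LOCKOUT_SECONDS):
        self._cache = {}
        self._key_fn = key_fn
        self._max_failures = max_failures
        self._duration = duration

    def is_locked(self, user_id, now):
        """Pre-authentication check: is this user currently locked out?"""
        key = self._key_fn(user_id)
        info = self._cache.get(key)
        if info is None or not info.locked:
            return False
        if now - info.lockout_at >= self._duration:
            # Lockout expired: drop the entry so the counter starts over.
            del self._cache[key]
            return False
        return True

    def invalid_password(self, user_id, now):
        """Record one failed attempt and lock once the threshold is reached."""
        key = self._key_fn(user_id)
        info = self._cache.setdefault(key, LockoutInfo())
        info.fail_count += 1
        info.last_fail_time = now
        if info.fail_count >= self._max_failures:
            info.locked = True
            info.lockout_at = now
        return info


def raw_key(user_id):
    """Buggy behaviour: cache keyed by whichever identifier the caller used."""
    return user_id


def canonical_key(user_id):
    """Fixed behaviour: every spelling resolves to the same cache key."""
    return CANONICAL_ID[user_id]


# Constructed attempt sequence: one attacker, one account, the identifier
# spelling varying from call to call as in the log above.
ATTEMPTS = [ID_DN, CN_DN, SHORT, ID_DN, CN_DN, SHORT]


def simulate(store, attempts, start=1_000_000.0):
    """Replay failed logins one second apart; return the locked state seen after each."""
    seen = []
    for i, user_id in enumerate(attempts):
        now = start + i
        if store.is_locked(user_id, now):
            seen.append(True)      # rejected before the password is even checked
            continue
        seen.append(store.invalid_password(user_id, now).locked)
    return seen


def run_demo():
    """Same six failures against both stores: only the canonical one ever locks."""
    return {
        "keyed_by_raw_id": simulate(MemoryLockout(raw_key), ATTEMPTS),
        "keyed_by_canonical_id": simulate(MemoryLockout(canonical_key), ATTEMPTS),
    }


if __name__ == "__main__":
    for name, states in run_demo().items():
        print(f"{name}: {states}")
```

With the raw-keyed store the six failures are spread over three cache entries, each holding a count of at most two, so the account is never locked and the attacker gets unlimited guesses as long as the spelling keeps rotating. With the canonical key the third failure locks the account and every later attempt, whichever spelling it uses, is rejected before the password is checked; once `LOCKOUT_SECONDS` have passed the entry is discarded and counting starts again.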
Comments

Comment by Filip Kubáň [X] (Inactive) [ 26/Apr/17 ]
Verified fix on OpenAM 13.5.1-RC2 Build 149fc42dac (2017-April-20 08:29)

Comment by Filip Kubáň [X] (Inactive) [ 12/May/17 ]
To reproduce: set up account lockout with cache used for storing lockout.

Comment by Ľubomír Mlích [ 06/Oct/17 ]
Verified in: OpenAM 14.1.2-M1 Build ec49e2d3c5 (2017-October-03 13:59)

ERROR: ISAccountLockout.getAcInfo: acInfo: actualLockoutDuration=60000, failCount=1, lastFailTime=1507272636215, locked=false, lockoutAt=0, userToken=test, userWarningCount=0 for ID: id=test,ou=user,dc=openam,dc=forgerock,dc=org
amAccountLockout:10/06/2017 07:50:54:706 AM BST: Thread[http-bio-8080-exec-10,5,main]: TransactionId[42da6b67-f27c-4689-aa79-cce56295aee4-490221]
ERROR: ISAccountLockout.getAcInfo: acInfo: actualLockoutDuration=60000, failCount=1, lastFailTime=1507272636215, locked=false, lockoutAt=0, userToken=test, userWarningCount=0 for ID: id=test,ou=user,dc=openam,dc=forgerock,dc=org
amAccountLockout:10/06/2017 07:50:55:625 AM BST: Thread[http-bio-8080-exec-10,5,main]: TransactionId[42da6b67-f27c-4689-aa79-cce56295aee4-490239]
ERROR: ISAccountLockout.getAcInfo: acInfo: actualLockoutDuration=60000, failCount=2, lastFailTime=1507272654707, locked=false, lockoutAt=0, userToken=test, userWarningCount=0 for ID: id=test,ou=user,dc=openam,dc=forgerock,dc=org
amAccountLockout:10/06/2017 07:50:56:456 AM BST: Thread[http-bio-8080-exec-3,5,main]: TransactionId[42da6b67-f27c-4689-aa79-cce56295aee4-490259]
ERROR: ISAccountLockout.getAcInfo: acInfo: actualLockoutDuration=60000, failCount=3, lastFailTime=1507272655626, locked=true, lockoutAt=1507272655626, userToken=test, userWarningCount=0 for ID: id=test,ou=user,dc=openam,dc=forgerock,dc=org