[OPENAM-6362] HOTP and OATH auth-modules do not set 'failureUserID' when throwing InvalidPasswordException, this breaks OpenAM account lockout Created: 13/Jul/15  Updated: 16/Jan/17  Resolved: 18/Feb/16

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 13.0.0
Fix Version/s: 12.0.3, 13.5.0

Type: Bug Priority: Major
Reporter: Bernhard Thalmayr Assignee: Jonathan Thomas
Resolution: Fixed Votes: 1
Labels: EDISON, release-notes
Remaining Estimate: 0h
Time Spent: 2h
Original Estimate: 2h

Target Version/s:
Sprint: AM Sustaining Sprint 17
Support Ticket IDs:

Description

Whenever an InvalidPasswordException is thrown, the failed 'tokenID' (userId) must be specified, otherwise AccountLockout is broken due to ...

amAuthHOTP:07/13/2015 02:02:59:600 PM CEST: Thread[http-bio-8080-exec-1,5,main]
HOTP.process() : HOTP code is not valid
amLoginModule:07/13/2015 02:03:15:369 PM CEST: Thread[http-bio-8080-exec-1,5,main]
setFailureID : demo
...
amAuth:07/13/2015 02:06:22:526 PM CEST: Thread[http-bio-8080-exec-1,5,main]
Invalid Password Exception null
AMLoginModule.wrapProcess(...)
        } catch (InvalidPasswordException e) {
            setFailureState();
            // e.getTokenId() is null when the module did not set it, so no user is recorded
            setFailureID(e.getTokenId());
            throw e;
        }

This is also present in the HOTP, OATH and the AuthenticatorOATH (AM 13.0.0) modules.

Comments
Comment by Jonathan Thomas [ 24/Sep/15 ]

There are also InvalidPasswordExceptions invoked without the tokenID in the LDAP, DataStore and Membership modules. Each is invoked when a password is null/empty.
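
The following is an added illustration, not OpenAM's own code, of why a missing tokenId defeats account lockout: it covers both the HOTP case in the description and the null/empty-password case in the comment above. SimpleInvalidPasswordException is a stand-in for OpenAM's InvalidPasswordException (the (message, tokenId) constructor shape and getTokenId() are assumed), AccountLockout is a simplified per-user failure counter, the user "demo" is taken from the log above, and the accepted code "123456" is constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not OpenAM code. Shows the failure-ID path from an auth
// module through a wrapProcess-style catch block into a lockout counter.
public class LockoutDemo {

    // Stand-in for com.sun.identity.authentication.spi.InvalidPasswordException
    // (assumed constructor shape; only getTokenId() is known from the issue text).
    static class SimpleInvalidPasswordException extends Exception {
        private final String tokenId;
        SimpleInvalidPasswordException(String message) { this(message, null); }
        SimpleInvalidPasswordException(String message, String tokenId) {
            super(message);
            this.tokenId = tokenId;
        }
        String getTokenId() { return tokenId; }
    }

    // Simplified per-user failure counter standing in for OpenAM's AccountLockout.
    static class AccountLockout {
        private final int threshold;
        private final Map<String, Integer> failures = new HashMap<>();
        AccountLockout(int threshold) { this.threshold = threshold; }
        void recordFailure(String userId) {
            // A null failure ID cannot be attributed to any account, so nothing is
            // counted and the lockout never trips; this is the reported defect.
            if (userId == null) {
                return;
            }
            failures.merge(userId, 1, Integer::sum);
        }
        boolean isLocked(String userId) {
            return failures.getOrDefault(userId, 0) >= threshold;
        }
    }

    interface AuthModule {
        void process(String userId, String otp) throws SimpleInvalidPasswordException;
    }

    // Defective pattern: the exception carries no tokenId, matching the
    // "Invalid Password Exception null" line in the amAuth log.
    static final AuthModule BUGGY = (userId, otp) -> {
        if (otp == null || otp.isEmpty() || !"123456".equals(otp)) {   // "123456" is a constructed accepted code
            throw new SimpleInvalidPasswordException("HOTP code is not valid");
        }
    };

    // Corrected pattern: the failed user's ID travels with the exception,
    // for the null/empty-password branch as well as for a wrong code.
    static final AuthModule FIXED = (userId, otp) -> {
        if (otp == null || otp.isEmpty()) {
            throw new SimpleInvalidPasswordException("Password is null or empty", userId);
        }
        if (!"123456".equals(otp)) {
            throw new SimpleInvalidPasswordException("HOTP code is not valid", userId);
        }
    };

    // Mirrors the catch block of AMLoginModule.wrapProcess quoted in the description:
    // whatever tokenId the module attached is what the lockout logic receives.
    static void wrapProcess(AuthModule module, AccountLockout lockout, String userId, String otp) {
        try {
            module.process(userId, otp);
        } catch (SimpleInvalidPasswordException e) {
            lockout.recordFailure(e.getTokenId());
        }
    }

    // Runs a fixed number of failed attempts for user "demo" against a threshold of 3
    // and reports whether the account ended up locked.
    static boolean lockedAfterFailures(AuthModule module, int attempts, String otp) {
        AccountLockout lockout = new AccountLockout(3);
        for (int i = 0; i < attempts; i++) {
            wrapProcess(module, lockout, "demo", otp);
        }
        return lockout.isLocked("demo");
    }

    public static void main(String[] args) {
        System.out.println("buggy module, 5 wrong codes, locked? "
                + lockedAfterFailures(BUGGY, 5, "000000"));
        System.out.println("fixed module, 5 wrong codes, locked? "
                + lockedAfterFailures(FIXED, 5, "000000"));
        System.out.println("fixed module, 3 empty passwords, locked? "
                + lockedAfterFailures(FIXED, 3, ""));
    }
}
```

Running it shows the defective module never locking "demo" no matter how many failures occur, because every failure arrives with a null ID, while the corrected module locks the account once the third failure is recorded, whether the input was a wrong code or an empty password. When reviewing an auth module for this class of bug, the check is simply that every throw of InvalidPasswordException passes the user's tokenId.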

Comment by Peter Major [X] (Inactive) [ 03/Feb/16 ]

Fix is already in CR; need to carry this out.

Generated at Tue Sep 22 11:43:38 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.