Alfresco One Platform / ACE-5763

Multiple authentication failed attempts when disabled user tries to browse repository

    Details

    • Type: Bug
    • Status: Ready to Test
    • Resolution: Won't Fix
    • Affects Version/s: 5.2
    • Fix Version/s: None
    • Component/s: Share Application
    • Labels:
      None
    • Environment:
      Alfresco OOTB

      Description

      Description:
      If a user account is disabled while the user is browsing the repository in Share, multiple authenticate calls are made (an endless loop of calls).

      Predefined/Config:
      Install Alfresco 5.2.1 OOTB (from 5.2.N branch)
      Have two working browsers

      Steps to reproduce:

      1. Using browser1: Create User1
      2. Using browser2: Log in Share and create Site1 using User1
      3. Using browser1: Disable the user account in Share using admin
      4. Using browser2: Click on DocumentLibrary on Site1

      Expected results:
      Since User1's account is disabled, he is no longer able to view DocumentLibrary.
      Only one authentication request is made, and a message that the user cannot view the requested resource is displayed.

      Actual results:
      User1 cannot view DocumentLibrary - OK
      Multiple authentication requests are made and the page is reloaded endlessly in Share. Errors are displayed in Dashlets if the user tries to go to User Dashboard:

      After some retries the user account is locked as part of the "Brute force attack" prevention mechanism:

      2017-01-30 14:56:41,233 WARN  [org.alfresco.repo.security.authentication.AuthenticationContextImpl] [http-apr-8080-exec-5] User is disabled [an*******] - cannot set details for user
      2017-01-30 14:56:41,250 WARN  [org.alfresco.repo.security.authentication.AuthenticationContextImpl] [http-apr-8080-exec-6] User is disabled [an*******] - cannot set details for user
      2017-01-30 14:56:41,461 WARN  [org.alfresco.repo.security.authentication.AuthenticationContextImpl] [http-apr-8080-exec-8] User is disabled [an*******] - cannot set details for user
      2017-01-30 14:56:41,476 WARN  [org.alfresco.repo.security.authentication.AuthenticationServiceImpl] [http-apr-8080-exec-7] Brute force attack was detected for user: an*******
      2017-01-30 14:56:41,481 WARN  [org.alfresco.repo.security.authentication.AuthenticationContextImpl] [http-apr-8080-exec-1] User is disabled [an*******] - cannot set details for user
      2017-01-30 14:56:41,490 WARN  [org.alfresco.repo.security.authentication.AuthenticationContextImpl] [http-apr-8080-exec-5] User is disabled [an*******] - cannot set details for user
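
      Added example (not part of the original report and not Alfresco code): a log triage script that parses the lines above and labels a "Brute force attack was detected" alert as a disabled-account retry loop when several "User is disabled" warnings for the same user come just before it. The 5-second window, the threshold of 2, the labels and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the report above (user name masked as in the original).
SAMPLE_LOG = """
2017-01-30 14:56:41,233 WARN  [org.alfresco.repo.security.authentication.AuthenticationContextImpl] [http-apr-8080-exec-5] User is disabled [an*******] - cannot set details for user
2017-01-30 14:56:41,250 WARN  [org.alfresco.repo.security.authentication.AuthenticationContextImpl] [http-apr-8080-exec-6] User is disabled [an*******] - cannot set details for user
2017-01-30 14:56:41,461 WARN  [org.alfresco.repo.security.authentication.AuthenticationContextImpl] [http-apr-8080-exec-8] User is disabled [an*******] - cannot set details for user
2017-01-30 14:56:41,476 WARN  [org.alfresco.repo.security.authentication.AuthenticationServiceImpl] [http-apr-8080-exec-7] Brute force attack was detected for user: an*******
2017-01-30 14:56:41,481 WARN  [org.alfresco.repo.security.authentication.AuthenticationContextImpl] [http-apr-8080-exec-1] User is disabled [an*******] - cannot set details for user
2017-01-30 14:56:41,490 WARN  [org.alfresco.repo.security.authentication.AuthenticationContextImpl] [http-apr-8080-exec-5] User is disabled [an*******] - cannot set details for user
"""

# Line layout inferred from the six lines above: timestamp, level, [logger], [thread], message.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) +\w+ +\[[^\]]+\] \[[^\]]+\] (.*)$")
KINDS = {
    "disabled": re.compile(r"^User is disabled \[(.+?)\] - cannot set details for user$"),
    "brute_force": re.compile(r"^Brute force attack was detected for user: (.+)$"),
}

def parse(text):
    """Yield (timestamp, kind, user) for the two message types seen in the report."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        for kind, rx in KINDS.items():
            hit = rx.match(m.group(2))
            if hit:
                yield ts, kind, hit.group(1)

def triage(text, window=timedelta(seconds=5), min_disabled=2):
    """Label each brute-force alert by the disabled-user warnings just before it.
    window and min_disabled are assumed tuning values, not Alfresco settings."""
    disabled, findings = defaultdict(list), []
    for ts, kind, user in sorted(parse(text)):
        if kind == "disabled":
            disabled[user].append(ts)
            continue
        recent = sum(1 for t in disabled[user] if ts - t <= window)
        label = "disabled-account retry loop" if recent >= min_disabled else "possible credential guessing"
        findings.append({"user": user, "time": ts, "disabled_before": recent, "label": label})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["user"], f["disabled_before"], f["label"])
```

      On the lines from this report, the single brute-force alert is preceded by three disabled-user warnings within 250 ms, so it is labelled as a retry loop rather than password guessing.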
      

            People

            • Assignee:
              uiteam Web Apps (Inactive)
              Reporter:
              aforascu Andrei Forascu
            • Votes:
              0
              Watchers:
              3