[MAGNOLIA-3557] Implement automatic account lockout after a number of failed log-ins
Created: 22/Feb/11  Updated: 08/Sep/11  Resolved: 14/Apr/11

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: None
Fix Version/s: 4.4.3

Type: New Feature
Priority: Major
Reporter: Daniel Lipp
Assignee: Ondrej Chytil
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
causality
is causing MAGNOLIA-3671 User locked under heavy load. Closed
is causing DOCU-148 Account lockout after failed attempts Closed
relation
is related to MAGNOLIA-3742 Implement account lockout feature in ... Closed
is related to MAGNOLIA-3827 Account lockout log messages should b... Closed
Template:
Acceptance criteria:
Empty
Date of First Response:

 Description   

There currently is no automatic logout, and since one can use the URL to provide log-in parameters, this could be used to force-guess passwords.

Details (copied from Security Report):

Severity: High
Test Type: Application
Vulnerable URL: http://ccd02-01:8080/magnoliaPublic/.magnolia/pages/adminCentral.html (Parameter = mgnlUserPSWD)
Remediation Tasks: Enforce account lockout after several failed login attempts
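
The remediation named in the report, sketched as an added example (this is not Magnolia's implementation or code from this ticket). The class name, the threshold of 3, the `passwordCheck` verifier and the sample account are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;

/** Illustrative lockout guard; every name here is hypothetical. */
public class LockoutGuard {
    private final int maxFailedAttempts;
    // Hypothetical credential verifier supplied by the caller.
    private final BiPredicate<String, char[]> passwordCheck;
    // Consecutive failures per account. A real deployment would persist this
    // and track only existing accounts, so guessed usernames cannot grow the map.
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();

    public LockoutGuard(int maxFailedAttempts, BiPredicate<String, char[]> passwordCheck) {
        this.maxFailedAttempts = maxFailedAttempts;
        this.passwordCheck = passwordCheck;
    }

    public boolean isLocked(String user) {
        return failures.getOrDefault(user, 0) >= maxFailedAttempts;
    }

    /** Returns true only for a correct password on an account that is not locked. */
    public boolean login(String user, char[] password) {
        // Refuse before verifying: once locked, even the right password is
        // rejected, so further guesses reveal nothing about the password.
        if (isLocked(user)) return false;
        if (passwordCheck.test(user, password)) {
            failures.remove(user);              // a success clears the counter
            return true;
        }
        failures.merge(user, 1, Integer::sum);  // atomic per-account increment
        return false;
    }

    /** Administrative reset of a locked account. */
    public void unlock(String user) { failures.remove(user); }

    public static void main(String[] args) {
        // Constructed sample account and password, for demonstration only.
        LockoutGuard guard = new LockoutGuard(3,
            (u, p) -> u.equals("editor") && new String(p).equals("correct-horse"));
        for (String guess : new String[] {"guess1", "guess2", "guess3"}) {
            System.out.println("wrong guess accepted: " + guard.login("editor", guess.toCharArray()));
        }
        System.out.println("locked: " + guard.isLocked("editor"));
        System.out.println("right password while locked: " + guard.login("editor", "correct-horse".toCharArray()));
        guard.unlock("editor");
        System.out.println("right password after unlock: " + guard.login("editor", "correct-horse".toCharArray()));
    }
}
```

The counter applies to every login path, including credentials passed as URL parameters such as `mgnlUserPSWD`, because it sits in front of the password check rather than in the login form.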



 Comments   
Comment by Magnolia International [ 11/Apr/11 ]

Please extract the task to an independent class rather than assemble so many of them. Will make the MVH easier to read, and the task itself too. If you need several "ifs" and "set or create", you're often better off implementing your own Task rather than doing this (so you can simply work on the node directly rather than describe delegate tasks). This will also help avoid redundancy in task descriptions, path and property names. And ultimately, it should also help make your task easier to test.

Comment by Jan Haderka [ 14/Apr/11 ]

Change location of update tasks and improve readability of the code.
