
Improve logging for Invalid authenticate requests from apps that utilize seraph cookies

    • Type: Suggestion
    • Resolution: Unresolved
    • Component: Core features
    • Votes: 5

      It is currently difficult to determine if invalid authentication requests are coming from applications like Confluence when "Remember Me" is checked.

      For example, if a user changes their Crowd password and then opens a browser with multiple tabs to Confluence, it will register multiple invalid password attempts.

      All that is logged in Crowd Debug logging is:

       DEBUG [crowd.manager.application.ApplicationServiceGeneric] authenticate: user dyu
       DEBUG [crowd.model.principal.PrincipalDAOHibernate] Updating Principal: com.atlassian.crowd.integration.model.RemotePrincipal@17bf658[ID=-1,name=dyu,directoryID=98306,active=true,conception=2009-02-20 16:08:33.0,lastModified=2009-04-09 08:15:22.0]
       DEBUG [util.persistence.hibernate.HibernateDao] Updating object: com.atlassian.crowd.integration.model.RemotePrincipal@17bf658[ID=-1,name=dyu,directoryID=98306,active=true,conception=2009-02-20 16:08:33.0,lastModified=2009-04-09 08:15:22.0]
       DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Closing single Hibernate Session in OpenSessionInViewFilter
      

      There is no indication that the login failed. This can cause supportability issues if they have Maximum Password Attempts enabled. An account can become locked and it would be difficult to determine why.


            Crowd currently has no way to determine if an authentication request came from a seraph cookie or just the login form of an app.

            All that seraph is doing is 'de-crypting' the username and password from the user's cookie and passing this onto Crowd via the standard auth request.

            Perhaps we could log a debug call in our JIRA and Confluence seraph code that we are about to send an auth request to Crowd that is via the remember-me password.

            Actually we already do this!

                /**
                 * Attempts to authenticate the request based on the auto-login cookie (if set).
                 * This will only authenticate to Crowd via HttpAuthenticator. This will not set
                 * any session variables and the like.
                 *
                 * @param request  servlet request.
                 * @param response servlet response.
                 * @return true if authentication via HttpAuthenticator using auto-login credentials was successful.
                 */
                protected boolean autoLoginToCrowd(HttpServletRequest request, HttpServletResponse response)
                {
                    Cookie cookie = CookieFactory.getCookieHandler().getCookie(request, getLoginCookieKey());
                    if (cookie == null)
                    {
                        return false;
                    }

                    String[] values = decodeCookie(cookie.getValue());
                    if (ArrayUtils.isEmpty(values))
                    {
                        return false;
                    }

                    String username = values[0];
                    String password = values[1];
                    logger.debug("Got username and password from auto-login cookie, attempting to authenticate user");

                    // perform login (note: we can't call login() as login() first checks isAuthenticated(), which would call this method, resulting in a loop)
                    try
                    {
                        httpAuthenticator.authenticate(request, response, username, password);
                        logger.debug("User authenticated via auto-login cookie");
                        return true;
                    }
                    catch (Exception e)
                    {
                        logger.debug("Could not auto-login authenticate user " + username, e);

                        if (response != null)
                        {
                            // remove all auto-login information
                            CookieFactory.getCookieHandler().invalidateCookie(request, response, getLoginCookieKey(), "/");
                        }

                        return false;
                    }
                }


            Justin
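Since Crowd's own debug log (shown in the description) gives no indication that the authenticate call failed, the application-side Seraph messages quoted in the comment above are the only place a cookie-driven failure is visible. The following is an added example, not code from the issue or from Seraph/Crowd: it scans constructed Seraph debug lines for the `Could not auto-login authenticate user` message, tallies failures per user, and flags users whose stale-cookie retries are about to hit an assumed "Maximum Password Attempts" limit. The timestamp/logger prefix of the sample lines is an assumed log4j-style layout.

```python
"""Tally failed remember-me (auto-login cookie) authentications per user from
application-side Seraph debug logs, so repeated cookie-driven failures are
visible before "Maximum Password Attempts" locks the account.
Added example; not part of the Jira issue, Seraph or Crowd."""
import re
from collections import Counter

# Message texts are those logged by autoLoginToCrowd(); the prefix layout is assumed.
COOKIE_ATTEMPT = re.compile(r"Got username and password from auto-login cookie")
COOKIE_FAILURE = re.compile(r"Could not auto-login authenticate user (\S+)")
COOKIE_SUCCESS = re.compile(r"User authenticated via auto-login cookie")

# Constructed sample: three browser tabs re-sending a stale cookie for "dyu"
# after a password change, plus one healthy auto-login for another user.
SAMPLE_LOG = """\
2009-04-09 08:15:21,101 DEBUG [seraph] Got username and password from auto-login cookie, attempting to authenticate user
2009-04-09 08:15:21,240 DEBUG [seraph] Could not auto-login authenticate user dyu
2009-04-09 08:15:21,302 DEBUG [seraph] Got username and password from auto-login cookie, attempting to authenticate user
2009-04-09 08:15:21,410 DEBUG [seraph] Could not auto-login authenticate user dyu
2009-04-09 08:15:21,515 DEBUG [seraph] Got username and password from auto-login cookie, attempting to authenticate user
2009-04-09 08:15:21,630 DEBUG [seraph] Could not auto-login authenticate user dyu
2009-04-09 08:15:22,001 DEBUG [seraph] Got username and password from auto-login cookie, attempting to authenticate user
2009-04-09 08:15:22,090 DEBUG [seraph] User authenticated via auto-login cookie
"""


def summarize_cookie_auth(log_text: str) -> dict:
    """Count cookie auth attempts and successes, and failures keyed by username."""
    summary = {"attempts": 0, "successes": 0, "failures_by_user": Counter()}
    for line in log_text.splitlines():
        if COOKIE_ATTEMPT.search(line):
            summary["attempts"] += 1
        elif COOKIE_SUCCESS.search(line):
            summary["successes"] += 1
        else:
            m = COOKIE_FAILURE.search(line)
            if m:
                summary["failures_by_user"][m.group(1)] += 1
    return summary


def users_at_lockout_risk(log_text: str, max_attempts: int) -> list:
    """Usernames whose cookie failures reach the (assumed) maximum password attempts."""
    failures = summarize_cookie_auth(log_text)["failures_by_user"]
    return sorted(user for user, n in failures.items() if n >= max_attempts)


if __name__ == "__main__":
    print(summarize_cookie_auth(SAMPLE_LOG))
    print("at risk of lockout:", users_at_lockout_risk(SAMPLE_LOG, 3))
```

Run against a real Confluence or JIRA log with Seraph debug logging enabled, the output points at the user whose stale remember-me cookie is generating the failures that Crowd itself only records as bare "authenticate" calls.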


              Assignee: Unassigned
              Reporter: David Yu (davidyu)
              Votes: 5
              Watchers: 1