From d443d864e149a00ac998f14980663cc5b94cd7f4 Mon Sep 17 00:00:00 2001
From: Joze RIHTARSIC <joze.RIHTARSIC@ext.ec.europa.eu>
Date: Mon, 27 Jun 2022 13:30:26 +0200
Subject: [PATCH] small fixes
---
 .../ec/edelivery/smp/conversion/DBUserToUserROConverter.java | 2 +-
 .../ec/edelivery/smp/auth/SMPAuthenticationProvider.java | 2 +-
 .../ec/edelivery/smp/auth/SMPAuthenticationProviderForUI.java | 3 +--
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/DBUserToUserROConverter.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/DBUserToUserROConverter.java
index 54451c01b..6054bd436 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/DBUserToUserROConverter.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/DBUserToUserROConverter.java
@@ -48,7 +48,7 @@ public class DBUserToUserROConverter implements Converter<DBUser, UserRO> {
 target.setLastTokenFailedLoginAttempt(source.getLastTokenFailedLoginAttempt());
 target.setTokenSuspendedUtil(getSuspensionUntilDate(source.getLastTokenFailedLoginAttempt(),
 source.getSequentialTokenLoginFailureCount(),
- configurationService.getAccessTokenLoginFailDelayInMilliSeconds(),
+ configurationService.getAccessTokenLoginSuspensionTimeInSeconds(),
 configurationService.getAccessTokenLoginMaxAttempts()));
 target.setActive(source.isActive());
diff --git a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProvider.java b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProvider.java
index e5f05a6c4..bc13a886c 100644
--- a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProvider.java
+++ b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProvider.java
@@ -145,7 +145,7 @@ public class SMPAuthenticationProvider implements AuthenticationProvider {
 try {
 Optional<DBUser> oUsr = mUserDao.findUserByCertificateId(userToken, true);
- if (!oUsr.isPresent()) {
+ if (!oUsr.isPresent() || !oUsr.get().isActive() ) {
 LOG.securityWarn(SMPMessageCode.SEC_USER_NOT_EXISTS, userToken);
 //https://www.owasp.org/index.php/Authentication_Cheat_Sheet
 // Do not reveal the status of an existing account. Not to use UsernameNotFoundException
diff --git a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderForUI.java b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderForUI.java
index 77a5e8310..0594f2c6e 100644
--- a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderForUI.java
+++ b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthenticationProviderForUI.java
@@ -91,7 +91,7 @@ public class SMPAuthenticationProviderForUI implements AuthenticationProvider {
 DBUser user;
 try {
 Optional<DBUser> oUsr = mUserDao.findUserByUsername(username);
- if (!oUsr.isPresent()) {
+ if (!oUsr.isPresent() || !oUsr.get().isActive() ){
 LOG.debug("User with username does not exists [{}], continue with next authentication provider");
 LOG.securityWarn(SMPMessageCode.SEC_INVALID_PASSWORD, "Username does not exits", username);
 delayResponse(startTime);
@@ -107,7 +107,6 @@ public class SMPAuthenticationProviderForUI implements AuthenticationProvider {
 LOG.securityWarn(SMPMessageCode.SEC_USER_NOT_AUTHENTICATED, username, ExceptionUtils.getRootCause(ex), ex);
 delayResponse(startTime);
 throw BAD_CREDENTIALS_EXCEPTION;
- }
 validateIfUserAccountIsSuspended(user, startTime);
-- 
GitLab
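Review bot: `getSuspensionUntilDate` now receives a value in seconds where it previously received milliseconds, and the hunk does not show whether its third parameter (the method is defined outside this hunk) was adjusted to match; if it still treats the argument as milliseconds, the token suspension window becomes 1000× too short and the login-failure suspension is effectively disabled. Please confirm the parameter's unit and name it so the unit is visible at the call site, e.g. `long suspensionTimeInSeconds`, and add a converter test asserting that a user at `getAccessTokenLoginMaxAttempts()` failures gets a `tokenSuspendedUtil` equal to the last failure time plus exactly the configured seconds. The old getter (`...FailDelayInMilliSeconds`) and the new one (`...SuspensionTimeInSeconds`) also describe different concepts, delay versus suspension, so this looks like a semantic change rather than only a unit fix and deserves a sentence in the commit message.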
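Review bot: The new condition here, and the same one in the `@@ -91,7 +91,7 @@` hunk of SMPAuthenticationProviderForUI, folds a deactivated account into the "user does not exist" branch, so the security log records `SEC_USER_NOT_EXISTS` (here) or `SEC_INVALID_PASSWORD` with "Username does not exits" (there) for an account that does exist but is inactive. Keeping the client-facing response identical is right, as the OWASP comment below says, but the internal audit log should tell the two cases apart so that repeated attempts against a disabled account are recognisable during incident review; a separate `else if (!oUsr.get().isActive())` branch with its own SMPMessageCode entry, still followed by the same bad-credentials outcome, would preserve the external behaviour. As a matter of style, the check can avoid `get()` entirely with `if (!oUsr.filter(DBUser::isActive).isPresent()) {`, and the stray spaces in `isActive() )` here and `){` in the UI provider should go.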
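Review bot: In the `@@ -107,7 +107,6 @@` hunk, removing the closing brace after `throw BAD_CREDENTIALS_EXCEPTION;` leaves `validateIfUserAccountIsSuspended(user, startTime);` in the same block as that unconditional throw, which javac rejects as an unreachable statement, so as shown the hunk should not compile. The enclosing method starts and ends outside the hunk and file lines 98–106 are not visible, so if an earlier edit left a surplus brace there this removal may be the balancing fix, but the commit message should say what is being repaired. Since this call presumably enforces the suspension check after a successful password match, a test that a suspended user with correct credentials is still rejected would make sure a misplaced brace cannot silently skip it.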