When an admin logs in to GeoServer, it validates that the default admin password has been changed. The relevant code is in org.geoserver.security.web.SecurityHomePageContentProvider.
It does this by sending the default admin user and password through the default login stack. This has some unfortunate side effects:
- If you have LDAP configured as the login method, it performs an invalid logon against the LDAP server. If that server has a user 'admin', it might trigger defensive measures.
- Admin login is slow (5 seconds), as the Spring brute force attack prevention kicks in twice:
[geoserver.security] - Failed login, user admin from XXXX
[geoserver.security] - Brute force attack prevention, delaying login for 1551ms
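As an added illustration (not part of this report or of GeoServer's code), the following script pairs each failed 'admin' login with the brute-force delay logged immediately after it, so an operator can confirm from the log that the self-check is what is slowing admin logins and quantify the delay. The sample log excerpt is constructed from the two message formats quoted above; the function and variable names are my own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample excerpt (not from a real server), built from the two message
# formats quoted in the report: the failed default-admin login and the delay that
# follows it, repeated because the check runs twice per admin page load. A third,
# unrelated failed login is included to show that it is not counted.
SAMPLE_LOG = """\
[geoserver.security] - Failed login, user admin from 192.0.2.10
[geoserver.security] - Brute force attack prevention, delaying login for 1551ms
[geoserver.security] - Failed login, user admin from 192.0.2.10
[geoserver.security] - Brute force attack prevention, delaying login for 3102ms
[geoserver.security] - Failed login, user bob from 198.51.100.7
[geoserver.security] - Brute force attack prevention, delaying login for 2000ms
"""

FAILED_RE = re.compile(r"\[geoserver\.security\] - Failed login, user (\S+) from (\S+)")
DELAY_RE = re.compile(
    r"\[geoserver\.security\] - Brute force attack prevention, delaying login for (\d+)ms"
)


def self_check_delays(log_text: str, user: str = "admin") -> List[Tuple[str, int]]:
    """Pair each failed login for `user` with the brute-force delay logged right after it.

    Returns one (source_address, delay_ms) tuple per pair. A failed login that is
    not immediately followed by a delay line, or a delay that follows a failed
    login for a different user, is ignored.
    """
    pairs: List[Tuple[str, int]] = []
    pending: Optional[str] = None  # source address of the last failed login for `user`
    for line in log_text.splitlines():
        failed = FAILED_RE.search(line)
        if failed:
            pending = failed.group(2) if failed.group(1) == user else None
            continue
        delay = DELAY_RE.search(line)
        if delay and pending is not None:
            pairs.append((pending, int(delay.group(1))))
        pending = None  # any other line breaks the pair
    return pairs


def total_delay_ms(log_text: str, user: str = "admin") -> int:
    """Total login delay, in milliseconds, attributable to failed logins for `user`."""
    return sum(delay for _, delay in self_check_delays(log_text, user))


if __name__ == "__main__":
    for src, ms in self_check_delays(SAMPLE_LOG):
        print(f"failed admin login from {src} delayed the next login by {ms} ms")
    print(f"total: {total_delay_ms(SAMPLE_LOG)} ms")
```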
Steps to reproduce:
- log in with an admin user, when the default password has been changed
- you might need to configure LDAP to see the worst impact.
Some suggestions for resolution:
- Add a flag to disable this feature
- Check the security stores manually for the hashed default password
The relevant part of the stack trace:
org.springframework.security.authentication.BadCredentialsException: Bad credentials
at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:101)
at org.geoserver.security.ldap.GeoserverLdapBindAuthenticator.authenticate(GeoserverLdapBindAuthenticator.java:54)
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187)
at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
at org.geoserver.security.DelegatingAuthenticationProvider.doAuthenticate(DelegatingAuthenticationProvider.java:57)
at org.geoserver.security.ldap.LDAPAuthenticationProvider.doAuthenticate(LDAPAuthenticationProvider.java:59)
at org.geoserver.security.DelegatingAuthenticationProvider.authenticate(DelegatingAuthenticationProvider.java:36)
at org.geoserver.security.GeoServerAuthenticationProvider.authenticate(GeoServerAuthenticationProvider.java:54)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
at org.geoserver.security.GeoServerSecurityManager.checkForDefaultAdminPassword(GeoServerSecurityManager.java:1374)
at org.geoserver.security.web.SecurityHomePageContentProvider$SecurityWarningsPanel.<init>(SecurityHomePageContentProvider.java:115)
at org.geoserver.security.web.SecurityHomePageContentProvider.getPageBodyComponent(SecurityHomePageContentProvider.java:44)
at org.geoserver.web.GeoServerHomePage$10.populateItem(GeoServerHomePage.java:699)
at org.apache.wicket.markup.html.list.ListView.onPopulate(ListView.java:523)