[Geoserver-devel] [JIRA] (GEOS-10806) slow login and accidental ldap hacking caused by default password test

Hans Yperman created an issue

GeoServer / Bug GEOS-10806

slow login and accidental ldap hacking caused by default password test

Issue Type:

Bug

Affects Versions:

2.22.0

Assignee:

Unassigned

Components:

Security

Created:

21/Dec/22 5:23 PM

Priority:

Medium

Reporter:

Hans Yperman

When an admin logs in to GeoServer, it wants to validate that you modified the default admin password. The relevant code is in org.geoserver.security.web.SecurityHomePageContentProvider

It does this by sending the default admin user and password through the default login stack. This has some unfortunate side effects:

  • If you have LDAP configured as the login method, it does an invalid logon on the LDAP server. If that server has a user ‘admin’, it might trigger defensive measures.

  • Admin login is slow (5 seconds), as the Spring brute force attack prevention kicks in twice:

[geoserver.security] - Failed login, user admin from XXXX
[geoserver.security] - Brute force attack prevention, delaying login for 1551ms

Steps to reproduce:

  • Log in with an admin user, when the default password has been changed.
  • You might need to configure LDAP to see the worst impact.

Some suggestions for resolution:

  • Add a flag to disable this feature
  • Check the security stores manually for the hashed default password

The relevant part of the stack trace:

org.springframework.security.authentication.BadCredentialsException: Bad credentials
        at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:101)
        at org.geoserver.security.ldap.GeoserverLdapBindAuthenticator.authenticate(GeoserverLdapBindAuthenticator.java:54)
        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187)
        at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
        at org.geoserver.security.DelegatingAuthenticationProvider.doAuthenticate(DelegatingAuthenticationProvider.java:57)
        at org.geoserver.security.ldap.LDAPAuthenticationProvider.doAuthenticate(LDAPAuthenticationProvider.java:59)
        at org.geoserver.security.DelegatingAuthenticationProvider.authenticate(DelegatingAuthenticationProvider.java:36)
        at org.geoserver.security.GeoServerAuthenticationProvider.authenticate(GeoServerAuthenticationProvider.java:54)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
        at org.geoserver.security.GeoServerSecurityManager.checkForDefaultAdminPassword(GeoServerSecurityManager.java:1374)
        at org.geoserver.security.web.SecurityHomePageContentProvider$SecurityWarningsPanel.<init>(SecurityHomePageContentProvider.java:115)
        at org.geoserver.security.web.SecurityHomePageContentProvider.getPageBodyComponent(SecurityHomePageContentProvider.java:44)
        at org.geoserver.web.GeoServerHomePage$10.populateItem(GeoServerHomePage.java:699)
        at org.apache.wicket.markup.html.list.ListView.onPopulate(ListView.java:523)
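The following Java program is an added illustration, not GeoServer code and not part of the issue above. It models the two side effects the report describes (a failed bind landing on a directory server, and a brute-force guard counting the probe as a failed login) and contrasts that with the second suggested resolution, checking the stored credential hash directly. Every class name here (Provider, FakeLdapProvider, LocalStoreProvider, BruteForceGuard) is a hypothetical stand-in with no relation to GeoServer's or Spring Security's real types, the stored-hash format is constructed for the example, and the default password value "geoserver" is used as GeoServer's widely documented default.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

public class DefaultPasswordCheck {

    /** Hypothetical stand-in for one provider in a login chain (not a real API). */
    interface Provider {
        boolean authenticate(String user, String password);
    }

    /** Simulated LDAP bind provider: a directory records every failed bind, which is
     *  exactly what feeds its lockout or intrusion-detection policies. */
    static class FakeLdapProvider implements Provider {
        final List<String> failedBinds = new ArrayList<>();

        @Override
        public boolean authenticate(String user, String password) {
            failedBinds.add(user);   // constructed: this directory holds no GeoServer accounts
            return false;
        }
    }

    /** Simulated local user store that validates against a stored salted hash. */
    static class LocalStoreProvider implements Provider {
        final String storedAdminHash;

        LocalStoreProvider(String storedAdminHash) { this.storedAdminHash = storedAdminHash; }

        @Override
        public boolean authenticate(String user, String password) {
            return "admin".equals(user) && matches(password, storedAdminHash);
        }
    }

    /** Simulated brute-force guard: every failed attempt escalates the delay. */
    static class BruteForceGuard {
        int failures = 0;

        long delayMillisFor(boolean success) {
            if (success) return 0L;
            failures++;
            return 1000L * failures;   // constructed schedule, not GeoServer's
        }
    }

    /** Constructed stored form: base64(salt) ":" base64(sha256(salt || password)). */
    static String hash(String password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            Base64.Encoder enc = Base64.getEncoder();
            return enc.encodeToString(salt) + ":" + enc.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
        }
    }

    /** Constant-time comparison of a candidate password against the stored hash. */
    static boolean matches(String password, String stored) {
        byte[] salt = Base64.getDecoder().decode(stored.split(":", 2)[0]);
        byte[] recomputed = hash(password, salt).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(recomputed, stored.getBytes(StandardCharsets.UTF_8));
    }

    /** The behaviour the report describes: push the default credentials through the chain. */
    static boolean defaultPasswordViaChain(List<Provider> chain, BruteForceGuard guard,
                                           String defaultUser, String defaultPw) {
        boolean ok = false;
        for (Provider p : chain) {
            if (p.authenticate(defaultUser, defaultPw)) { ok = true; break; }
        }
        guard.delayMillisFor(ok);   // the probe is indistinguishable from a real failed login
        return ok;
    }

    /** The report's second suggestion: compare the default password to the stored hash only. */
    static boolean defaultPasswordViaStore(String storedAdminHash, String defaultPw) {
        return matches(defaultPw, storedAdminHash);
    }

    public static void main(String[] args) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        String stored = hash("changed-by-operator", salt);   // admin password already rotated

        FakeLdapProvider ldap = new FakeLdapProvider();
        List<Provider> chain = List.of(ldap, new LocalStoreProvider(stored));
        BruteForceGuard guard = new BruteForceGuard();

        boolean viaChain = defaultPasswordViaChain(chain, guard, "admin", "geoserver");
        System.out.println("via chain: default still set=" + viaChain
                + ", LDAP failed binds=" + ldap.failedBinds.size()
                + ", guard failures=" + guard.failures);

        boolean viaStore = defaultPasswordViaStore(stored, "geoserver");
        System.out.println("via store: default still set=" + viaStore
                + ", LDAP failed binds=" + ldap.failedBinds.size()
                + ", guard failures=" + guard.failures);
    }
}
```

Run with `java DefaultPasswordCheck.java` (Java 11 or later). Both approaches answer the same question (the default password is no longer in use), but only the chain-based probe leaves a failed bind in the simulated directory and advances the brute-force counter; the hash comparison touches nothing outside the local store, which is why it avoids the LDAP lockout risk and the login delay reported above.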

This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100213-sha1:d1b903b)