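/**
 * Returns a copy of this configuration.
 *
 * <p>When {@code allowEnvParametrization} is true, the {@link GeoServerEnvironment} bean is
 * present and the global {@code GeoServerEnvironment.ALLOW_ENV_PARAMETRIZATION} switch is on,
 * every whitelisted mask is passed through {@code gsEnvironment.resolveValue(...)} and the
 * resolved values (each one possibly a comma separated list) replace the clone's whitelist.
 * Otherwise the masks are copied as they are.
 *
 * <p>Security note: the resolved values end up in the brute force prevention <b>whitelist</b>,
 * i.e. the set of addresses exempt from the login delay. Whatever source the environment
 * resolves placeholders from (presumably system/environment properties -- confirm against
 * {@code GeoServerEnvironment}) can therefore widen that exemption when the switch is enabled.
 *
 * @param allowEnvParametrization whether placeholder resolution of the masks is requested
 * @return a new {@link BruteForcePreventionConfig} mirroring this one
 */
@Override
public SecurityConfig clone(boolean allowEnvParametrization) {
    // The copy constructor never returns null, so no null check on the clone is needed.
    BruteForcePreventionConfig clone = new BruteForcePreventionConfig(this);

    final GeoServerEnvironment gsEnvironment = GeoServerExtensions.bean(GeoServerEnvironment.class);
    if (allowEnvParametrization
            && gsEnvironment != null
            && GeoServerEnvironment.ALLOW_ENV_PARAMETRIZATION) {
        clone.setWhitelistedMasks(resolveWhitelistedMasks(gsEnvironment));
    }
    return clone;
}

/**
 * Resolves every whitelisted mask through the environment, expanding comma separated results
 * into individual masks and dropping blank entries.
 *
 * @param gsEnvironment the environment used to resolve placeholders, never null
 * @return the resolved masks, empty (never null) when there are no masks or nothing resolved
 */
private List<String> resolveWhitelistedMasks(GeoServerEnvironment gsEnvironment) {
    List<String> resolvedMasks = new ArrayList<>();
    // Defensive: a null mask list would otherwise throw a NullPointerException in the loop.
    if (whitelistedMasks == null) {
        return resolvedMasks;
    }
    for (String mask : whitelistedMasks) {
        String resolved = (String) gsEnvironment.resolveValue(mask);
        if (resolved == null) {
            continue;
        }
        // A single placeholder may expand to several masks, separated by commas
        // (surrounding whitespace is swallowed by the regex, blank pieces are skipped).
        for (String piece : resolved.split("\\s*,\\s*")) {
            if (!piece.trim().isEmpty()) {
                resolvedMasks.add(piece);
            }
        }
    }
    return resolvedMasks;
}
}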
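/**
 * Computes the delay, in milliseconds, to impose after a failed login: a random value in the
 * configured {@code [minDelaySeconds, maxDelaySeconds]} range (both converted to milliseconds).
 *
 * @param config the brute force prevention configuration providing the bounds
 * @return the delay in milliseconds, never smaller than the configured minimum
 */
private long computeDelay(BruteForcePreventionConfig config) {
    // Multiply by a long literal so the seconds -> milliseconds conversion is done in long
    // arithmetic (with a plain 1000 an int-typed getter would overflow before widening).
    long min = config.getMinDelaySeconds() * 1000L;
    long max = config.getMaxDelaySeconds() * 1000L;
    // A max below min would yield a delay shorter than min, possibly negative (which the
    // sleeping caller would presumably reject); treat such a misconfiguration as a fixed delay.
    if (max < min) {
        max = min;
    }
    // Math.random() is thread safe and sufficient here: the jitter only spreads out retries,
    // it does not protect a secret, so cryptographic randomness is not required.
    return min + (long) ((max - min) * Math.random());
}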
/**
 * Tells whether the request's address matches one of the whitelisted masks, i.e. whether the
 * caller is exempt from the brute force login delay.
 *
 * <p>A null matcher list (no masks configured, or masks that failed to parse) means nobody is
 * exempt. NOTE(review): if the matchers compare against {@code request.getRemoteAddr()}, then
 * behind a reverse proxy the address seen here is the proxy's, so whitelisting it would exempt
 * every client going through it -- confirm how {@code IpAddressMatcher} resolves the address.
 *
 * @param request the incoming request
 * @param config the brute force prevention configuration holding the whitelist
 * @return true if at least one matcher accepts the request
 */
private boolean requestAddressInWhiteList(
        HttpServletRequest request, BruteForcePreventionConfig config) {
    if (config.getWhitelistAddressMatchers() == null) {
        // no whitelist at all
        return false;
    }
    return config.getWhitelistAddressMatchers()
            .stream()
            .filter(m -> m.matches(request))
            .findFirst()
            .isPresent();
}
/**
 * Runs before each test and puts the brute force prevention settings in a known state:
 * enabled, a fixed one second delay, a large wait list and an empty whitelist.
 */
@Before
public void resetBruteForceAttackConfig() throws Exception {
    GeoServerSecurityManager manager = applicationContext.getBean(GeoServerSecurityManager.class);
    SecurityManagerConfig securityConfig = manager.getSecurityConfig();
    BruteForcePreventionConfig bruteForce = securityConfig.getBruteForcePrevention();

    bruteForce.setEnabled(true);
    // min == max removes the random jitter, giving a predictable one second delay
    bruteForce.setMinDelaySeconds(1);
    bruteForce.setMaxDelaySeconds(1);
    // generous limit so that, unless a test lowers it, the wait list never overflows
    bruteForce.setMaxBlockedThreads(100);
    // no address is exempt from the delay
    bruteForce.setWhitelistedMasks(Collections.emptyList());

    manager.saveSecurityConfig(securityConfig);
}
if (!config.isEnabled()) { return; || event instanceof AuthenticationFailureProviderNotFoundEvent) { int maxBlockedThreads = config.getMaxBlockedThreads(); if (maxBlockedThreads > 0 && delayedUsers.size() > maxBlockedThreads) { throw new MaxBlockedThreadsException(1);
/**
 * Deserialization hook: fills in a default for every collaborator that came back null
 * (presumably configurations persisted before the corresponding field existed), so callers
 * can rely on these fields being non-null.
 *
 * @return this instance, with defaults applied
 */
private Object readResolve() {
    if (authProviderNames == null) {
        authProviderNames = new ArrayList<String>();
    }
    if (filterChain == null) {
        filterChain = new GeoServerSecurityFilterChain();
    }
    if (rememberMeService == null) {
        rememberMeService = new RememberMeServicesConfig();
    }
    if (bruteForcePrevention == null) {
        // default brute force prevention settings for configs that lack the section
        bruteForcePrevention = new BruteForcePreventionConfig();
    }
    return this;
}
/**
 * Returns the address matchers built from the whitelisted masks, creating them lazily on the
 * first call.
 *
 * <p>Returns null when no masks are configured, and also when a mask cannot be parsed: the
 * error is logged at SEVERE level and the whole whitelist is left unset. That fails closed --
 * every address is then subject to the brute force delay rather than risking an over-broad
 * exemption -- but note the parse is re-attempted (and re-logged) on every call until the
 * configuration is fixed. The lazy initialization is not synchronized; concurrent first
 * callers may build the list twice, with the same content.
 *
 * @return the matchers, or null when there is no usable whitelist
 */
public List<IpAddressMatcher> getWhitelistAddressMatchers() {
    try {
        boolean hasMasks = this.getWhitelistedMasks() != null;
        if (hasMasks && this.whitelistedAddressMatchers == null) {
            this.whitelistedAddressMatchers =
                    whitelistedMasks.stream().map(IpAddressMatcher::new).collect(Collectors.toList());
        }
    } catch (Exception e) {
        // an error here and no request can be made, best be cautious (yes, it actually
        // happened to me)
        LOGGER.log(Level.SEVERE, "Invalid netmask configuration, will skip it", e);
    }
    return this.whitelistedAddressMatchers;
}
/**
 * With the wait list limited to a single thread, parallel failed logins from many distinct
 * users must be rejected with the "too many failed logins" response instead of being queued.
 */
@Test
public void testTooManyBlockedThreads() throws Exception {
    GeoServerSecurityManager manager = applicationContext.getBean(GeoServerSecurityManager.class);
    SecurityManagerConfig securityConfig = manager.getSecurityConfig();
    BruteForcePreventionConfig bruteForce = securityConfig.getBruteForcePrevention();
    // only one thread may sit in the delay queue at any time
    bruteForce.setMaxBlockedThreads(1);
    manager.saveSecurityConfig(securityConfig);

    // each parallel attempt uses a different user name ("foo0", "foo1", ...)
    testParallelLogin("Too many failed logins waiting on delay", i -> "foo" + i);
}
/**
 * Copy constructor: deep copies the mutable sub-configurations (auth provider names, filter
 * chain, remember-me and brute force prevention settings) and copies the scalar settings.
 *
 * <p>The auth provider list and filter chain are copied only when non-null, while the
 * remember-me and brute force sections are always passed to their copy constructors. The
 * master password URL/strategy are not copied (that code is commented out in the original).
 *
 * @param config the configuration to copy, never null
 */
public SecurityManagerConfig(SecurityManagerConfig config) {
    this.roleServiceName = config.getRoleServiceName();

    List<String> providers = config.getAuthProviderNames();
    if (providers == null) {
        this.authProviderNames = null;
    } else {
        this.authProviderNames = new ArrayList<String>(providers);
    }

    GeoServerSecurityFilterChain chain = config.getFilterChain();
    if (chain == null) {
        this.filterChain = null;
    } else {
        this.filterChain = new GeoServerSecurityFilterChain(chain);
    }

    this.rememberMeService = new RememberMeServicesConfig(config.getRememberMeService());
    this.bruteForcePrevention = new BruteForcePreventionConfig(config.getBruteForcePrevention());
    this.encryptingUrlParams = config.isEncryptingUrlParams();
    this.configPasswordEncrypterName = config.getConfigPasswordEncrypterName();
}