[WFLY-20765] [CVE-2025-23368] Documentation for the new WildFly Elytron Brute Force Protection implementation.#19582
Conversation
…ection utility. This is being enabled by default but can be customised by administrators.
Also add mention of the caching, distributed, and failover realms to the documentation.
|
Perhaps @skyllarr can review? |
| Repeated attempts after this point will restart the period the identity is locked | ||
| for. | ||
|
|
||
| NOTE: For the realms that delegate to other realms such as the `caching-realm`, the |
There was a problem hiding this comment.
I suggest to add also a note about the aggregate-realm:
The brute force protection is not applied directly to the aggregate-realm as this maintains a 1:1 mapping to an authentication-realm which will have it's own brute force protection applied.
… for failed authentication tracking.
| before an identity should be temporarily unavailable. [Default: 10] | ||
| * lockout-interval - The time in minutes the identity should be unavailable for | ||
| once the maximum number of attempts is exceeded. [Default: 15] | ||
| * session-timeout - After the most recent failed authentication, how long in |
There was a problem hiding this comment.
I'm definitely not suggesting changing this here, but when it comes time for the proper management API I suggest reconsidering the term 'session' in the user-visible API. It's an overloaded term and what it represents in this context doesn't really align with what people might guess it means.
Maybe 'tracking-timeout' or 'tracker-timeout'?
| * lockout-interval - The time in minutes the identity should be unavailable for | ||
| once the maximum number of attempts is exceeded. [Default: 15] | ||
| * session-timeout - After the most recent failed authentication, how long in | ||
| minutes to keep the session tracking the identity alive. [Default: 30] |
There was a problem hiding this comment.
This shouldn't block this but another suggestion for the future is to add a sentence describing what happens after the timeout.
Maybe
"how long in minutes to keep tracking failed authentication attempts for the identity. If tracking for an identity has ended and a new failed authentication attempt occurs it will again be tracked, but the tracking will treat the attempt as if that was the first failed attempt."
| once the maximum number of attempts is exceeded. [Default: 15] | ||
| * session-timeout - After the most recent failed authentication, how long in | ||
| minutes to keep the session tracking the identity alive. [Default: 30] | ||
| * max-cached-sessions - The maximum number of sessions to cache for tracking failed |
There was a problem hiding this comment.
Similar point about 'session'. Maybe 'identities' here?
Again, not now; this is for the future.
bstansberry
left a comment
There was a problem hiding this comment.
I think the changes noted below should happen for WildFly 40 but I'm not asking that they block any work related to this for 39.0.1. If it makes things easier I'm fine with this being merged as is with a follow-up PR to address these.
docs/src/main/asciidoc/_elytron/components/Brute_Force_Detection.adoc
Outdated
Show resolved
Hide resolved
docs/src/main/asciidoc/_elytron/components/Brute_Force_Detection.adoc
Outdated
Show resolved
Hide resolved
docs/src/main/asciidoc/_elytron/components/Brute_Force_Detection.adoc
Outdated
Show resolved
Hide resolved
docs/src/main/asciidoc/_elytron/components/Brute_Force_Detection.adoc
Outdated
Show resolved
Hide resolved
docs/src/main/asciidoc/_elytron/components/Brute_Force_Detection.adoc
Outdated
Show resolved
Hide resolved
docs/src/main/asciidoc/_elytron/components/Brute_Force_Detection.adoc
Outdated
Show resolved
Hide resolved
docs/src/main/asciidoc/_elytron/components/Brute_Force_Detection.adoc
Outdated
Show resolved
Hide resolved
docs/src/main/asciidoc/_elytron/components/Brute_Force_Detection.adoc
Outdated
Show resolved
Hide resolved
docs/src/main/asciidoc/_elytron/components/Brute_Force_Detection.adoc
Outdated
Show resolved
Hide resolved
docs/src/main/asciidoc/_elytron/components/Brute_Force_Detection.adoc
Outdated
Show resolved
Hide resolved
| ignored. | ||
|
|
||
| Where an event is received indicating a failed authentication attempt this utility | ||
| will first check if a session has been established for the specific identity to |
There was a problem hiding this comment.
Note that I made comments about 'session' above with respect to the management API. Here I think the term is fine as this is a complex description of behavior and a reader can reasonably be expected to understand what is meant from the overall context. For the management API attribute users are likely to have little or no context.
bstansberry
left a comment
There was a problem hiding this comment.
I think the changes noted below should happen for WildFly 40 but I'm not asking that they block any work related to this for 39.0.1. If it makes things easier I'm fine with this being merged as is with a follow-up PR to address these.
To avoid confusion I've changed my review to 'Approve'. My comment ^^^ is way too small in the GH UI compared to the all the detail comments and the red UI widget next to my name.
|
I just killed a bunch of ci.wildfly.org jobs on this as those tests are irrelevant to a docs-only change. I expect they will get requeued, but that's ok; they will then be at the end of the queue. Currently we have a massive queue since the CI server was down for a few days. |
rhusar
left a comment
There was a problem hiding this comment.
LGTM
Core upgrade is in, approvals are in, CI not needed, and follow-up Jira created and I really want this to get on par with 39.x and drop it off my items.
|
Thanks @darranl @OndrejKotek @skyllarr @bstansberry ! |
|
I have created a follow-up Jira with un-address comments as: https://issues.redhat.com/browse/WFLY-21474 - update as you see fit. |
Requires: wildfly/wildfly-core#6634
https://issues.redhat.com/browse/WFLY-20765