LUI-83 : Displaying meaningful info when user is locked out

Displaying meaningful infowen user is locked made the variable local displaying use ful info when user is locked out LUI-83 : modified the method to use global property LUI-83 : modified the method to use global property
openmrs · Feb 1, 2019 · b2edebf · b2edebf
1 parent 521d14f
commit b2edebf
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 4 deletions.
diff --git a/api/src/main/resources/messages.properties b/api/src/main/resources/messages.properties
@@ -10,3 +10,5 @@ legacyui.manageuser.noProviderIdentifier=No Identifier Specified
 ${project.parent.artifactId}.Location.purgeLocation=Permanently Delete Location
 ${project.parent.artifactId}.Location.confirmDelete=Are you sure you want to delete this Location? It will be permanently removed from the system.
 ${project.parent.artifactId}.Location.purgedSuccessfully=Location deleted successfully
+
+legacyui.lockedOutMessage=You have attempted to log in too many times and have been Locked out. Please try again later in 5 minutes
diff --git a/omod/src/main/java/org/openmrs/web/servlet/LoginServlet.java b/omod/src/main/java/org/openmrs/web/servlet/LoginServlet.java
@@ -49,8 +49,11 @@ public class LoginServlet extends HttpServlet {
 
 	public static final long serialVersionUID = 134231247523L;
 
+	public static final String GP_MAXIMUM_ALLOWED_LOGINS = "security.allowedFailedLoginsBeforeLockout";
+
 	protected static final Log log = LogFactory.getLog(LoginServlet.class);
 
+
 	/**
 	 * The mapping from user's IP address to the number of attempts at logging in from that IP
 	 */
@@ -65,18 +68,19 @@ public class LoginServlet extends HttpServlet {
 	 * @see javax.servlet.http.HttpServlet#doPost(javax.servlet.http.HttpServletRequest,
 	 *      javax.servlet.http.HttpServletResponse)
 	 */
+
 	@Override
 	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
 		HttpSession httpSession = request.getSession();
-
+		Integer loginAttemptsByUser;
 		String ipAddress = request.getRemoteAddr();
 		Integer loginAttempts = loginAttemptsByIP.get(ipAddress);
 		if (loginAttempts == null) {
 			loginAttempts = 1;
 		}
 
 		loginAttempts++;
-
+		loginAttemptsByUser = loginAttempts - 1;
 		boolean lockedOut = false;
 		// look up the allowed # of attempts per IP
 		Integer allowedLockoutAttempts = 100;
@@ -178,7 +182,18 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 			catch (ContextAuthenticationException e) {
 				// set the error message for the user telling them
 				// to try again
-				httpSession.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "auth.password.invalid");
+
+				String maximumAttempts = Context.getAdministrationService().getGlobalProperty(GP_MAXIMUM_ALLOWED_LOGINS, "7");
+				Integer maximumAlowedAttempts = Integer.valueOf(maximumAttempts);
+
+					if (loginAttemptsByUser <= maximumAlowedAttempts) {				
+						httpSession.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "auth.password.invalid");
+
+					}
+
+					if (loginAttemptsByUser > maximumAlowedAttempts) {
+						httpSession.setAttribute(WebConstants.OPENMRS_ERROR_ATTR, "legacyui.lockedOutMessage");
+					}
 			}
 
 		}

diff --git a/omod/src/test/java/org/openmrs/web/servlet/LoginServletTest.java b/omod/src/test/java/org/openmrs/web/servlet/LoginServletTest.java
@@ -97,7 +97,7 @@ public void shouldLockUserOutAfterFiveFailedLoginAttempts() throws Exception {
 			loginServlet.service(request, response);
 		}
 
-		// now attempting to log in the fifth time should fail 
+		// now attempting to log in the fifthth time should fail 
 		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/loginServlet");
 		request.setContextPath("/somecontextpath");
 		MockHttpServletResponse response = new MockHttpServletResponse();