http://bugzilla.novell.com/show_bug.cgi?id=550377 User kkaempf@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=550377#c1 Klaus Kämpf changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High Found By|--- |Development AssignedTo|kkaempf@novell.com |jreidinger@novell.com Target Milestone|--- |RC 1 --- Comment #1 from Klaus Kämpf 2009-11-02 02:27:26 MST --- I'd like to see this fixed for RC1 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=550377 User jreidinger@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=550377#c3 Josef Reidinger changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |kkaempf@novell.com --- Comment #3 from Josef Reidinger 2009-11-02 08:45:07 MST --- I add implementation to yast2-webservice. Klaus - current mine implementation has few limitation which mention Karel. At first it is singleton and not store problems to DB, so after restart it is not persistent (always unblocked after restart). Second one is that remember ip or user, so after n unsuccessful attempts it block rest-service for all users (which is advantage if someone use brute force attack from zombie cluster, but problem if blocked someones access). Is this limitation problem? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=550377 User jreidinger@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=550377#c5 --- Comment #5 from Josef Reidinger 2009-11-03 01:21:04 MST --- security team - JFYI here is implementation http://git.opensuse.org/?p=projects/yast/rest-service.git;a=commitdiff;h=4f7... and here is also logging failed attempts (if it contain enough info - remote ip and user on which someone try to login ) http://git.opensuse.org/?p=projects/yast/rest-service.git;a=commitdiff;h=f5d... -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=550377 User thomas@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=550377#c7 --- Comment #7 from Thomas Biege 2009-11-03 05:17:22 MST --- (In reply to comment #3) ..

Second one is that remember ip or user, so after n unsuccessful attempts it block rest-service for all users (which is advantage if someone use brute force attack from zombie cluster, but problem if blocked someones access). Is this limitation problem?

Use "user" only, please. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=550377 User jreidinger@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=550377#c9 Josef Reidinger changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #9 from Josef Reidinger 2009-11-03 06:45:13 MST --- Implemented. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.