diff --git a/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/AbstractUserWorkflowAdapter.java b/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/AbstractUserWorkflowAdapter.java index a114a935bc..b399618f6f 100644 --- a/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/AbstractUserWorkflowAdapter.java +++ b/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/AbstractUserWorkflowAdapter.java @@ -211,7 +211,7 @@ protected Pair enforcePolicies( }); suspend |= user.getFailedLogins() != null && policy.getMaxAuthenticationAttempts() > 0 - && user.getFailedLogins() > policy.getMaxAuthenticationAttempts() && !user.isSuspended(); + && user.getFailedLogins() >= policy.getMaxAuthenticationAttempts() && !user.isSuspended(); propagateSuspension |= policy.isPropagateSuspension(); } } @@ -380,10 +380,7 @@ public Pair, Boolean> suspendOnAuthFailures( Pair enforce = enforcePolicies(user, true, null); if (enforce.getKey()) { - LOG.debug("User {} {} is over the max failed logins", user.getKey(), user.getUsername()); - - // reduce failed logins number to avoid multiple request - user.setFailedLogins(user.getFailedLogins() - 1); + LOG.debug("User {} {} reached the max failed logins", user.getKey(), user.getUsername()); // set suspended flag user.setSuspended(Boolean.TRUE); diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/AuthenticationITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/AuthenticationITCase.java index 9f61875091..81cb15fad2 100644 --- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/AuthenticationITCase.java +++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/AuthenticationITCase.java 
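Review bot: The `>=` in the `suspend |=` expression changes what `maxAuthenticationAttempts` means, and nothing at the comparison records it: the account is now suspended on the N-th consecutive failure instead of the one after it. I would add a comment above the expression, for example `// suspend as soon as failed logins reach the policy maximum: the N-th failure locks the account`, so a later edit does not flip the operator back. Deployments that tuned the policy under the old behaviour get one attempt fewer after upgrading, which probably deserves a line in the release notes. The body of enforcePolicies starts and ends outside the hunk.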
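Review bot: With the decrement removed from the `if (enforce.getKey())` branch, the stored counter stays at the threshold after suspension, so `failedLogins >= maxAuthenticationAttempts` remains true until something resets it. Re-suspension is then prevented only by the `!user.isSuspended()` term in enforcePolicies; if the reactivation path does not zero `failedLogins` (not visible here), any later enforcePolicies call on a reactivated user would presumably suspend the account again, which the old `>` comparison did not do at exactly the maximum. It is worth confirming that reactivation resets the counter, or covering it with a test that reactivates the user and then updates it. Separately, a lockout is a security-relevant event and `LOG.debug` is commonly filtered out in production, so consider `LOG.info` with the same arguments unless the suspension is audited elsewhere. suspendOnAuthFailures continues outside the hunk.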
@@ -20,6 +20,7 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertTrue; import static org.junit.jupiter.api.Assertions.fail; @@ -333,13 +334,7 @@ public void checkUserSuspension() { assertEquals(0, USER_SERVICE.read(userKey).getFailedLogins()); - // authentications failed ... - try { - CLIENT_FACTORY.create(userTO.getUsername(), "wrongpwd1"); - fail("This should not happen"); - } catch (NotAuthorizedException e) { - assertNotNull(e); - } + // /odd has an account policy with maxAuthenticationAttempts = 3. try { CLIENT_FACTORY.create(userTO.getUsername(), "wrongpwd1"); fail("This should not happen"); @@ -353,9 +348,10 @@ public void checkUserSuspension() { assertNotNull(e); } - assertEquals(3, USER_SERVICE.read(userKey).getFailedLogins()); + userTO = USER_SERVICE.read(userTO.getKey()); + assertEquals(2, userTO.getFailedLogins().intValue()); + assertNotEquals("suspended", userTO.getStatus()); - // last authentication before suspension try { CLIENT_FACTORY.create(userTO.getUsername(), "wrongpwd1"); fail("This should not happen");
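Review bot: The assertions added in the last hunk pin the state just below the threshold (2 failures, status not `suspended`), but nothing visible pins the boundary itself after the third failing `CLIENT_FACTORY.create(...)` call. If the rest of checkUserSuspension, which continues outside the hunk, does not already do so, add `assertEquals(3, USER_SERVICE.read(userKey).getFailedLogins());` and a matching `assertEquals("suspended", ...)` on the status right after the third attempt, so an off-by-one regression in either direction fails the test. Minor: `USER_SERVICE.read(userTO.getKey())` could use the `userKey` variable that the context line `USER_SERVICE.read(userKey)` already relies on.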