[keycloak-dev] Re: no empty password in UserFederationProvider
Michael Gerber
gerbermichi at me.com
Fri Nov 20 10:16:26 EST 2015
AbstractUsernameFormAuthenticator.validatePassword
public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
List<UserCredentialModel> credentials = new LinkedList<>();
String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
if (password == null || password.isEmpty()) {
invalidPassword(context, user);
return false;
}
credentials.add(UserCredentialModel.password(password));
boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
if (!valid) {
invalidPassword(context, user);
return false;
}
return true;
}
I think we can remove the first if (password == null || password.isEmpty())
Am 20. November 2015 um 16:11 schrieb Bill Burke <bburke at redhat.com>:
Point me to the code?
On 11/20/2015 9:04 AM, Michael Gerber wrote:
Hi All,
keycloak does not pass an empty password to the validCredentials method
in the UserFederationProvider class.
Is there a reason for that? I would like to authenticate against an AD
even if the password is empty, otherwise the user won't be blocked after
x attempts.
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151120/fd95d472/attachment.html
More information about the keycloak-dev
mailing list