<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">It should be fine to remove it in
Authenticator, but I am not sure if it addresses your use case. We
have another similar check in LDAPOperationManager.authenticate:
<a class="moz-txt-link-freetext" href="https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/store/ldap/LDAPOperationManager.java#L330">https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/store/ldap/LDAPOperationManager.java#L330</a>
.<br>
<br>
The reason behind it was another issue related to AD. Basically
all other LDAP servers will always throw an exception if you put in
an incorrect (or empty) LDAP password. However, AD in some cases
doesn't throw an exception for an empty password. It throws
an exception for an invalid password, but not for an empty one. So
it will allow any AD user to log into Keycloak with an empty
password... I don't know if there is some switch in AD settings
to disable this behaviour. <br>
<br>
But anyway, we need to have a solution which will work in all
situations. So we either need to add a switch to the
configuration (true: allow an empty password to be sent to LDAP
authentication; false: don't allow it and throw an error as we do
now; the default setting will be false), or, if you can figure out
code which works for all use cases without an additional switch, that
will be even better <span class="moz-smiley-s1"><span> :-) </span></span><br>
<br>
Marek
<br>
<br>
On 20/11/15 16:16, Michael Gerber wrote:<br>
</div>
<blockquote cite="mid:57a63bb6-94b0-44b0-b485-4d563fdbbdd7@me.com"
type="cite">
<div>AbstractUsernameFormAuthenticator.validatePassword</div>
<div><br>
</div>
<div>
<pre>public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap&lt;String, String&gt; inputData) {
    List&lt;UserCredentialModel&gt; credentials = new LinkedList&lt;&gt;();
    String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
    // Rejects a missing or empty password before it reaches the federation provider
    if (password == null || password.isEmpty()) {
        invalidPassword(context, user);
        return false;
    }
    credentials.add(UserCredentialModel.password(password));
    boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
    if (!valid) {
        invalidPassword(context, user);
        return false;
    }
    return true;
}</pre>
</div>
<div>I think we can remove the first if (password == null ||
password.isEmpty())</div>
<div><br>
On 20 November 2015 at 16:11, Bill Burke
<a class="moz-txt-link-rfc2396E" href="mailto:bburke@redhat.com">&lt;bburke@redhat.com&gt;</a> wrote:<br>
<br>
</div>
<div>
<blockquote type="cite">
<div class="msg-quote">
<div class="_stretch"><span class="body-text-content">Point
me to the code?<br>
<br>
On 11/20/2015 9:04 AM, Michael Gerber wrote:<br>
<blockquote type="cite" class="quoted-plain-text">Hi All,<br>
<br>
Keycloak does not pass an empty password to the validCredentials method
in the UserFederationProvider class.<br>
Is there a reason for that? I would like to authenticate against an AD
even if the password is empty, otherwise the user won't be blocked after
x attempts.<br>
<br>
Michael<br>
<br>
</blockquote>
<blockquote type="cite" class="quoted-plain-text">_______________________________________________</blockquote>
<blockquote type="cite" class="quoted-plain-text">keycloak-dev
mailing list</blockquote>
<blockquote type="cite" class="quoted-plain-text"><a
moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"
data-mce-href="mailto:keycloak-dev@lists.jboss.org"><a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></a></blockquote>
<blockquote type="cite" class="quoted-plain-text"><a
moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"><a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></a></blockquote>
<blockquote type="cite" class="quoted-plain-text"><br>
</blockquote>
<br>
-- <br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a moz-do-not-send="true"
href="http://bill.burkecentral.com"
data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br>
</span></div>
</div>
</blockquote>
</div>
</blockquote>
<br>
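<div>Added example (not code from the thread or from Keycloak): a stand-alone Java sketch of the no-switch option Marek asks about, which never forwards an empty password to the directory yet still counts the attempt as a failure, so the lockout after x attempts that Michael wants keeps working. The <code>LdapBind</code> interface, the <code>EmptyPasswordGuard</code> class and the <code>adLikeDirectory</code> stand-in are hypothetical; the stand-in reproduces the AD behaviour described above, where a simple bind with a DN and an empty password is accepted (RFC 4513 calls this an unauthenticated bind).</div>

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical stand-in for a directory bind: true means the bind was accepted. */
@FunctionalInterface
interface LdapBind {
    boolean bind(String dn, String password);
}

public class EmptyPasswordGuard {
    private final LdapBind ldap;
    // Failed attempts per DN: the counter a lockout policy would read
    private final Map<String, Integer> failures = new HashMap<>();

    EmptyPasswordGuard(LdapBind ldap) { this.ldap = ldap; }

    /**
     * A simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513,
     * 5.1.2) and AD reports it as success, so it must never reach the directory. Rejecting
     * it here still records a failure, so empty-password attempts count towards lockout.
     */
    boolean authenticate(String dn, String password) {
        if (password == null || password.isEmpty()) {
            recordFailure(dn);
            return false;
        }
        boolean accepted = ldap.bind(dn, password);
        if (accepted) {
            failures.remove(dn);   // a successful login resets the counter
        } else {
            recordFailure(dn);
        }
        return accepted;
    }

    int failureCount(String dn) { return failures.getOrDefault(dn, 0); }

    private void recordFailure(String dn) { failures.merge(dn, 1, Integer::sum); }

    /** Constructed directory that accepts an empty password, like the AD case in the thread. */
    static LdapBind adLikeDirectory(String storedPassword) {
        return (dn, pw) -> pw.isEmpty() || pw.equals(storedPassword);
    }

    public static void main(String[] args) {
        String dn = "cn=alice,dc=example,dc=com"; // constructed sample DN
        EmptyPasswordGuard guard = new EmptyPasswordGuard(adLikeDirectory("s3cret"));
        System.out.println("empty password accepted: " + guard.authenticate(dn, ""));
        System.out.println("wrong password accepted: " + guard.authenticate(dn, "wrong"));
        System.out.println("failures so far: " + guard.failureCount(dn));
        System.out.println("correct password accepted: " + guard.authenticate(dn, "s3cret"));
    }
}
```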
</body>
</html>