<div dir="ltr"><div>Marek, that makes sense, but what happens when the user is known by the attacker? If the brute force check is in the "isEnabled" method (after password validation) and the attacker guesses the password successfully, the brute force protection never applies. Please check the code because I am afraid that it can be a big security risk.</div><div>If you want, I can open a new Jira issue to discuss it.</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-03-31 7:44 GMT-03:00 Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>AFAIK one of the reasons is security.
If an attacker guesses username "foo", which exists, but not the
password of user "foo", you don't want to tell him that he
successfully guessed the username. So instead of first checking that
user "foo" is disabled and displaying the message "The user account
is disabled", you rather check the password first and then display the
message "Incorrect username or password", so the attacker doesn't have a
clue whether the account really exists or the password was incorrect etc. Also
if the BruteForce protector is enabled, you want to log the event as a
failed login, so we're checking the password of the user.<br>
<br>
Marek<div><div class="h5"><br>
<br>
<br>
On 30/03/16 17:40, Ariel Carrera wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>
<div>Hi, I am developing a Federation Provider, and I have a
question...</div>
<div><br>
</div>
<div>Why does the method () check if the user "is enabled" after
validating the password instead of before the password
validation?</div>
</div>
<div><br>
</div>
<div>AbstractUsernameFormAuthenticator.validateUserAndPassword:
line 141/151<br>
</div>
<div>...</div>
<pre>    if (invalidUser(context, user)) {
        return false;
    }

<b>    if (!validatePassword(context, user, inputData)) {
        return false;
    }</b>

<b>    if (!enabledUser(context, user)) {
        return false;
    }</b></pre>
<div>...</div>
<div><br>
</div>
<div>If the user is disabled... why validate his password and
return a password validation error message?<br>
</div>
<div><br>
</div>
<div>-- <br>
<div>Ariel Carrera</div>
</div>
</div>
<br>
<br>
</div></div><pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Tatú</div>
</div>
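A small Python model of the two check orderings discussed in this thread, added here as an illustration and not code from Keycloak: it uses a constructed user table and an assumed counter-based lockout in place of the real BruteForce protector, and shows which failure messages an outside observer can distinguish under each ordering.

```python
from dataclasses import dataclass

GENERIC_FAILURE = "Incorrect username or password"
DISABLED_MESSAGE = "The user account is disabled"
MAX_FAILURES = 3  # assumed lockout threshold for this model


@dataclass
class User:
    password: str
    enabled: bool = True
    failures: int = 0  # failed-login counter consulted by the lockout model


def brute_force_locked(user):
    return user.failures >= MAX_FAILURES


def login_enabled_first(users, username, password):
    """Ordering the original question proposes: enabled check before password."""
    user = users.get(username)
    if user is None:
        return False, GENERIC_FAILURE
    if not user.enabled:
        return False, DISABLED_MESSAGE   # wording differs: reveals the account exists
    if password != user.password:
        user.failures += 1
        return False, GENERIC_FAILURE
    return True, "ok"


def login_password_first(users, username, password):
    """Ordering Marek describes: password first, then enabled; every failure reads the same."""
    user = users.get(username)
    if user is None:
        return False, GENERIC_FAILURE
    if brute_force_locked(user):
        return False, GENERIC_FAILURE
    if password != user.password:
        user.failures += 1               # counted as a failed login for the lockout model
        return False, GENERIC_FAILURE
    if not user.enabled:
        return False, GENERIC_FAILURE    # same wording as an unknown user or wrong password
    return True, "ok"


def observable_messages(login, users, probes):
    """Distinct messages an observer sees for a list of (username, password) probes."""
    return {login(users, name, pw)[1] for name, pw in probes}
```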