<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 31/03/16 18:17, Ariel Carrera wrote:<br>
    </div>
    <blockquote
cite="mid:CAFzO_6dNAaTKPSN3Nw8P+aw-vSPX-TF=zac9P_HddC_w9e2FrQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Marek, that makes sense, but what happens when the user
          is known by the attacker? If the brute force check is in the
          "isEnabled" method (after password validation) and the attacker
          guesses the password successfully, the brute force protection
          never applies. Please check the code because I am afraid that it
          can be a big security risk.</div>
        <div>If you want, I can open a new Jira issue to discuss
          it.</div>
      </div>
    </blockquote>
    Hmm... I am missing the scenario. Where exactly is the security risk?
    Could you elaborate more? What I can see is:<br>
    <br>
    - In case the attacker knows both the username and password of the user,
    security is compromised anyway. In this case, Keycloak has no
    possibility to differentiate between the valid user (who knows his
    username and password) and the attacker (who knows both username and
    password). So in case the user is enabled, both the valid user and the
    attacker are able to log in. In case the user is disabled, both the
    valid user and the attacker will receive the message "Account is disabled"
    (because the "validatePassword" check passes, but the "enabledUser" check
    fails)<br>
    <br>
    - In case the attacker knows just the username, the "validatePassword"
    check will fail and will be "logged" in BruteForce too. The attacker
    will receive the message "Incorrect username or password"<br>
    <br>
    Marek<br>
    <br>
    <blockquote
cite="mid:CAFzO_6dNAaTKPSN3Nw8P+aw-vSPX-TF=zac9P_HddC_w9e2FrQ@mail.gmail.com"
      type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2016-03-31 7:44 GMT-03:00 Marek Posolda
          <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>AFAIK one of the reasons is security. If an attacker
                guesses username "foo", which exists, but not the password
                of user "foo", you don't want to tell him that he
                successfully guessed the username. So instead of first
                checking that user "foo" is disabled and displaying the
                message "The user account is disabled", you rather check
                the password first and then display the message "Incorrect
                username or password", so the attacker doesn't have a clue
                whether the account really exists or the password was
                incorrect etc. Also if the BruteForce protector is enabled,
                you want to log the event as a failed login, so we're
                checking the password of the user.<br>
                <br>
                Marek
                <div>
                  <div class="h5"><br>
                    <br>
                    <br>
                    On 30/03/16 17:40, Ariel Carrera wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr">
                      <div>
                        <div>Hi, I am developing a Federation Provider,
                          and I have a question...</div>
                        <div><br>
                        </div>
                        <div>Why does the method () check if the user "is
                          enabled" after validating the password instead
                          of before the password validation?</div>
                      </div>
                      <div><br>
                      </div>
                      <div>AbstractUsernameFormAuthenticator.validateUserAndPassword:
                        line 141/151<br>
                      </div>
                      <div>...</div>
                      <div>
                        <div>        if (invalidUser(context, user)){</div>
                        <div>            return false;</div>
                        <div>        }</div>
                        <div><br>
                        </div>
                        <div><b>        if (!validatePassword(context,
                            user, inputData)){</b></div>
                        <div><b>            return false;</b></div>
                        <div><b>        }</b></div>
                        <div><br>
                        </div>
                        <div><b>        if(!enabledUser(context, user)){</b></div>
                        <div><b>            return false;</b></div>
                        <div><b>        }</b></div>
                      </div>
                      <div>...</div>
                      <div><br>
                      </div>
                      <div>If the user is disabled... why validate his
                        password and return a password validation error
                        message?<br>
                      </div>
                      <div><br>
                      </div>
                      <div>-- <br>
                        <div>Ariel Carrera</div>
                      </div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                  </div>
                </div>
                <pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature">Tatú</div>
      </div>
    </blockquote>
    <br>
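Added example (not code from this thread and not Keycloak's own code): the two orderings of the password check and the "enabled" check discussed above, side by side, with a constructed user store, a minimal stand-in for the brute-force failure counter and assumed message strings. It shows what an attacker who only knows a username learns from each ordering, which attempts get recorded as failures, and the case raised in the thread where the password is correct but the account is disabled.

```python
"""Ordering of the 'password valid?' and 'account enabled?' checks in a
username/password login step.

Constructed example: USERS, BruteForceProtector and the message strings
are assumptions for illustration, not Keycloak APIs.
"""
import hashlib
import hmac

INCORRECT = "Incorrect username or password"
DISABLED = "Account is disabled"


def _hash(password: str) -> str:
    # Toy hashing for the example only; a real store uses a slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user store: username -> (password hash, enabled flag)
USERS = {
    "alice": (_hash("correct horse"), True),
    "foo": (_hash("s3cret"), False),  # exists but is disabled
}


class BruteForceProtector:
    """Minimal stand-in: counts failed logins per username."""

    def __init__(self):
        self.failures = {}

    def failed_login(self, username):
        self.failures[username] = self.failures.get(username, 0) + 1

    def count(self, username):
        return self.failures.get(username, 0)


def _password_ok(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record[0], _hash(password))


def login_enabled_first(username, password, bf):
    """Naive ordering: check 'enabled' before the password.

    A wrong password against a disabled account returns DISABLED, so the
    caller learns the username exists, and no failure is recorded for it.
    """
    record = USERS.get(username)
    if record is None:
        bf.failed_login(username)
        return (False, INCORRECT)
    if not record[1]:
        return (False, DISABLED)
    if not _password_ok(username, password):
        bf.failed_login(username)
        return (False, INCORRECT)
    return (True, "OK")


def login_password_first(username, password, bf):
    """Ordering from the thread: validate the password first and record
    the failure, only then check 'enabled'."""
    if not _password_ok(username, password):
        # Unknown user and wrong password are indistinguishable here.
        bf.failed_login(username)
        return (False, INCORRECT)
    if not USERS[username][1]:
        # Reached only by a caller who presented the correct password.
        return (False, DISABLED)
    return (True, "OK")


if __name__ == "__main__":
    for fn in (login_enabled_first, login_password_first):
        bf = BruteForceProtector()
        print(fn.__name__)
        for user, pw in (("foo", "wrong"), ("nobody", "wrong"), ("foo", "s3cret")):
            print("  %s/%s -> %s, failures(%s)=%d"
                  % (user, pw, fn(user, pw, bf), user, bf.count(user)))
```

Running the module prints, for each ordering, the message returned for a disabled user with a wrong password, for a nonexistent user, and for the disabled user with the correct password, along with the failure count the protector holds for that username.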
  </body>
</html>