<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 01/04/16 09:41, Marek Posolda wrote:<br>
</div>
<blockquote cite="mid:56FE2619.20205@redhat.com" type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<div class="moz-cite-prefix">On 31/03/16 18:17, Ariel Carrera
wrote:<br>
</div>
<blockquote
cite="mid:CAFzO_6dNAaTKPSN3Nw8P+aw-vSPX-TF=zac9P_HddC_w9e2FrQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Marek, that's makes sense, but, what happen when the user
is known by the attacker? If the brute force check is in the
"isEnabled" method (after password validation), the attacker
guesses the password successfully, the brute force
protection never apply. Please check the code because i am
afraid that it can be a big security risk.</div>
<div>If you wants I can open a new jira issue to discuss about
it.</div>
</div>
</blockquote>
Hmm... I am missing the scenario where exactly is the security
risk? Could you elaborate more? What I can see is:<br>
<br>
- In case that attacker knows both username and password of user,
the security is compromised anyway. In this case, Keycloak don't
have possibility to differ between valid user (who knows his
username and password) and attacker (who knows both username and
password). So in case that user is enabled, both valid user or
attacker are able to login. In case that user is disabled, both
valid user and attacker will receive message "Account is disabled"
(because "validatePassword" check passes, but "enabledUser" check
fails)<br>
<br>
- In case that attacker knows just username, the
"validatePassword" check will fail and will be "logged" in
BruteForce too. Attacker will receive message "Incorrect username
or password"<br>
</blockquote>
Also one more point, if user account is temporarily disabled because
of BruteForce protection, attacker won't recognize it because
message will still be "Incorrect username or password" . He won't
know that he guessed password. We added this recently, see some
related discussion here :
<a class="moz-txt-link-freetext" href="http://lists.jboss.org/pipermail/keycloak-dev/2016-March/006751.html">http://lists.jboss.org/pipermail/keycloak-dev/2016-March/006751.html</a><br>
<br>
Marek<br>
<blockquote cite="mid:56FE2619.20205@redhat.com" type="cite"> <br>
Marek<br>
<br>
<blockquote
cite="mid:CAFzO_6dNAaTKPSN3Nw8P+aw-vSPX-TF=zac9P_HddC_w9e2FrQ@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-03-31 7:44 GMT-03:00 Marek
Posolda <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>AFAIK one of the reasons is security. If an
attacker guesses username "foo", which exists, but not
password of user "foo", you don't want to tell him
that he successfully guessed username. So instead of
first checking that user "foo" is disabled and display
the message "The user account is disabled", you rather
check password first and then display the message
"Incorrect username or password", so attacker don't
have a clue if account really exists or password was
incorrect etc. Also if BruteForce protector is
enabled, you want to log the event as failed login, so
we're checking the password of user.<br>
<br>
Marek
<div>
<div class="h5"><br>
<br>
<br>
On 30/03/16 17:40, Ariel Carrera wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">
<div>
<div>Hi, I am developing a Federation
Provider, and I have a question...</div>
<div><br>
</div>
<div>Why the method () checks if the user "is
enabled" after validate the password instead
of before of the password validation?</div>
</div>
<div><br>
</div>
<div>AbstractUsernameFormAuthenticator.validateUserAndPassword:
line 141/151<br>
</div>
<div>...</div>
<div>
<div> if (invalidUser(context, user)){</div>
<div> return false;</div>
<div> }</div>
<div><br>
</div>
<div><b> if (!validatePassword(context,
user, inputData)){</b></div>
<div><b> return false;</b></div>
<div><b> }</b></div>
<div><br>
</div>
<div><b> if(!enabledUser(context,
user)){</b></div>
<div><b> return false;</b></div>
<div><b> }</b></div>
</div>
<div>...</div>
<div><br>
</div>
<div>If the user is disabled... why validate his
password and return a password validation
error message?<br>
</div>
<div><br>
</div>
<div>-- <br>
<div>Ariel Carrera</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">Tatú</div>
</div>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>