<div dir="ltr">i think we will go for Infinispan or jpa for roadmap reasons !<div><br></div><div>how would we access the infinispan data ? </div><div><br></div><div>are there any documents on this integration aspect within keycloak ?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 26, 2014 at 11:02 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
----- Original Message -----<br>
> From: "Alexander Chriztopher" <<a href="mailto:alexander.chriztopher@gmail.com">alexander.chriztopher@gmail.com</a>><br>
</span><span class="">> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> Cc: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>>, <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Wednesday, 26 November, 2014 10:51:11 AM<br>
> Subject: Re: [keycloak-user] Brut force attack questions<br>
><br>
</span><span class="">> nice !<br>
><br>
> is there a way to play with this via rest -regardless to wether am jpa,<br>
> infinispan or in-memory ?<br>
<br>
</span>Afraid not, that's what we'll need to add. Not sure when we get time though. If you're up for it we would be more than happy to accept a contribution, I can give you some pointers on how to do it. Alternatively, you can create your own app that uses JAX-RS and either JPA or the Infinispan subsystem to remove login-failure entries.<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> On Wed, Nov 26, 2014 at 10:39 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br>
><br>
> > By default user sessions (and login failures) are stored in-memory not in<br>
> > the database. Unless you specify JPA for the userSession provider those<br>
> > tables will stay empty.<br>
> ><br>
> > You could either do what you're trying to do, which should work if you use<br>
> > the jpa userSession provider. The other if you're worried about the<br>
> > performance of storing user sessions in the db is to use the Infinispan<br>
> > provider, then you can manually delete login failures from the userSession<br>
> > cache from another application.<br>
> ><br>
> > We should add a mechanism to both view and remove login-failure entries to<br>
> > the admin console though.<br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Alexander Chriztopher" <<a href="mailto:alexander.chriztopher@gmail.com">alexander.chriztopher@gmail.com</a>><br>
> > > To: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>>, <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > Sent: Wednesday, 26 November, 2014 9:45:42 AM<br>
> > > Subject: Re: [keycloak-user] Brut force attack questions<br>
> > ><br>
> > > Am to find a workaround in order to be able to unlock a user account. So<br>
> > far<br>
> > > i have tried to disable then enable the user account but this does not do<br>
> > > the trick apparently.<br>
> > ><br>
> > > I have also tried to tweek the database but it looks like the lock<br>
> > > information is not stored in the db even though there is the table :<br>
> > > USERNAME_LOGIN_FAILURE. Is it normal that this table stays empty even on<br>
> > > login failures ?<br>
> > ><br>
> > > Do you think of any other good workaround ?<br>
> > ><br>
> > ><br>
> > > On Tue, Nov 25, 2014 at 11:03 PM, Alexander Chriztopher <<br>
> > > <a href="mailto:alexander.chriztopher@gmail.com">alexander.chriztopher@gmail.com</a> > wrote:<br>
> > ><br>
> > ><br>
> > > Nice ! Again, thank you.<br>
> > ><br>
> > ><br>
> > ><br>
> > > > On 25 Nov 2014, at 21:39, Bill Burke < <a href="mailto:bburke@redhat.com">bburke@redhat.com</a> > wrote:<br>
> > > ><br>
> > > ><br>
> > > ><br>
> > > >> On 11/25/2014 3:27 PM, Alexander Chriztopher wrote:<br>
> > > >> Hi Bill and thanks.<br>
> > > >><br>
> > > >> Do you think we will be able to have this within a short period of<br>
> > time<br>
> > > >> (4-6 weeks) or is it going to be planned for the long run ?<br>
> > > ><br>
> > > > Not sure on the priority of this. We have face to face meetings in a<br>
> > couple<br>
> > > > of weeks to discuss priority, then of course, its christmas vacation.<br>
> > > ><br>
> > > >> When is the value of max wait used as there is already a wait<br>
> > increment<br>
> > > >> out there ?<br>
> > > ><br>
> > > > Correct. It will increase the wait after each failure until the max is<br>
> > hit.<br>
> > > ><br>
> > > >><br>
> > > >><br>
> > > >>> On 25 Nov 2014, at 20:05, Bill Burke < <a href="mailto:bburke@redhat.com">bburke@redhat.com</a> > wrote:<br>
> > > >>><br>
> > > >>><br>
> > > >>><br>
> > > >>>> On 11/25/2014 12:32 PM, Alexander Chriztopher wrote:<br>
> > > >>>> Hi,<br>
> > > >>>><br>
> > > >>>> I have a some question with regards to Brut Force Attack Protection<br>
> > :<br>
> > > >>>><br>
> > > >>>> # 1 / When brut force attack protection is enabled is there a way to<br>
> > > >>>> know when a user account is locked ? I am thinking about the admin<br>
> > > >>>> console.<br>
> > > >>>><br>
> > > >>>> # 2 / When a user account is locked is there a way to unlock it<br>
> > from the<br>
> > > >>>> admin console ?<br>
> > > >>><br>
> > > >>> Unfortunately no for the above. I'll log a jira.<br>
> > > >>><br>
> > > >>>> # 3 / What is the difference between wait increment (When failure<br>
> > > >>>> threshold has been met, how much time should the user be locked<br>
> > out?)<br>
> > > >>>> and max wait (Max time a user will be locked out.).<br>
> > > >>><br>
> > > >>> correct on both.<br>
> > > >>><br>
> > > >>><br>
> > > >>> --<br>
> > > >>> Bill Burke<br>
> > > >>> JBoss, a division of Red Hat<br>
> > > >>> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> > > >>> _______________________________________________<br>
> > > >>> keycloak-user mailing list<br>
> > > >>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > >>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> > > ><br>
> > > > --<br>
> > > > Bill Burke<br>
> > > > JBoss, a division of Red Hat<br>
> > > > <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> > ><br>
> > ><br>
> > > _______________________________________________<br>
> > > keycloak-user mailing list<br>
> > > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> ><br>
><br>
</div></div></blockquote></div><br></div>