<div dir="ltr">thank you for this ! i'll have a look at infinispan ..</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 26, 2014 at 12:01 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
----- Original Message -----<br>
> From: "Alexander Chriztopher" <<a href="mailto:alexander.chriztopher@gmail.com">alexander.chriztopher@gmail.com</a>><br>
> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> Cc: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>>, <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
</span><span class="">> Sent: Wednesday, 26 November, 2014 11:46:21 AM<br>
> Subject: Re: [keycloak-user] Brut force attack questions<br>
><br>
</span><span class="">> i think we will go for Infinispan or jpa for roadmap reasons !<br>
><br>
> how would we access the infinispan data ?<br>
<br>
</span>You'll need to use 1.1.0.Beta1 as it's not available in 1.0.x. Have a look at <a href="http://docs.jboss.org/keycloak/docs/1.1.0.Beta1/userguide/html/clustering.html#d4e1662" target="_blank">http://docs.jboss.org/keycloak/docs/1.1.0.Beta1/userguide/html/clustering.html#d4e1662</a><br>
<br>
You can inject the cache into your own application with:<br>
<br>
@Resource(lookup="java:jboss/infinispan/Keycloak")<br>
private CacheContainer container;<br>
<br>
You'll want to remove/change entries in the loginFailures cache. Look at the source for model/sessions-infinispan for more info on how the Infinispan userSession provider works.<br>
<br>
Have a look at <a href="http://www.mastertheboss.com/jboss-frameworks/infinispan/develop-a-clustered-application-with-infinispan-data-grid" target="_blank">www.mastertheboss.com/jboss-frameworks/infinispan/develop-a-clustered-application-with-infinispan-data-grid</a> for more info on using the Infinispan subsystem from your app.<br>
<span class=""><br>
><br>
> are there any documents on this integration aspect within keycloak ?<br>
<br>
</span>What integration aspect are you referring to? The work around proposed with accessing JPA or Infinispan directly is not recommended so won't be documented.<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> On Wed, Nov 26, 2014 at 11:02 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br>
><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Alexander Chriztopher" <<a href="mailto:alexander.chriztopher@gmail.com">alexander.chriztopher@gmail.com</a>><br>
> > > To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > Cc: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>>, <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > Sent: Wednesday, 26 November, 2014 10:51:11 AM<br>
> > > Subject: Re: [keycloak-user] Brut force attack questions<br>
> > ><br>
> > > nice !<br>
> > ><br>
> > > is there a way to play with this via rest -regardless to wether am jpa,<br>
> > > infinispan or in-memory ?<br>
> ><br>
> > Afraid not, that's what we'll need to add. Not sure when we get time<br>
> > though. If you're up for it we would be more than happy to accept a<br>
> > contribution, I can give you some pointers on how to do it. Alternatively,<br>
> > you can create your own app that uses JAX-RS and either JPA or the<br>
> > Infinispan subsystem to remove login-failure entries.<br>
> ><br>
> > ><br>
> > > On Wed, Nov 26, 2014 at 10:39 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > wrote:<br>
> > ><br>
> > > > By default user sessions (and login failures) are stored in-memory not<br>
> > in<br>
> > > > the database. Unless you specify JPA for the userSession provider those<br>
> > > > tables will stay empty.<br>
> > > ><br>
> > > > You could either do what you're trying to do, which should work if you<br>
> > use<br>
> > > > the jpa userSession provider. The other if you're worried about the<br>
> > > > performance of storing user sessions in the db is to use the Infinispan<br>
> > > > provider, then you can manually delete login failures from the<br>
> > userSession<br>
> > > > cache from another application.<br>
> > > ><br>
> > > > We should add a mechanism to both view and remove login-failure<br>
> > entries to<br>
> > > > the admin console though.<br>
> > > ><br>
> > > > ----- Original Message -----<br>
> > > > > From: "Alexander Chriztopher" <<a href="mailto:alexander.chriztopher@gmail.com">alexander.chriztopher@gmail.com</a>><br>
> > > > > To: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>>, <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > Sent: Wednesday, 26 November, 2014 9:45:42 AM<br>
> > > > > Subject: Re: [keycloak-user] Brut force attack questions<br>
> > > > ><br>
> > > > > Am to find a workaround in order to be able to unlock a user<br>
> > account. So<br>
> > > > far<br>
> > > > > i have tried to disable then enable the user account but this does<br>
> > not do<br>
> > > > > the trick apparently.<br>
> > > > ><br>
> > > > > I have also tried to tweek the database but it looks like the lock<br>
> > > > > information is not stored in the db even though there is the table :<br>
> > > > > USERNAME_LOGIN_FAILURE. Is it normal that this table stays empty<br>
> > even on<br>
> > > > > login failures ?<br>
> > > > ><br>
> > > > > Do you think of any other good workaround ?<br>
> > > > ><br>
> > > > ><br>
> > > > > On Tue, Nov 25, 2014 at 11:03 PM, Alexander Chriztopher <<br>
> > > > > <a href="mailto:alexander.chriztopher@gmail.com">alexander.chriztopher@gmail.com</a> > wrote:<br>
> > > > ><br>
> > > > ><br>
> > > > > Nice ! Again, thank you.<br>
> > > > ><br>
> > > > ><br>
> > > > ><br>
> > > > > > On 25 Nov 2014, at 21:39, Bill Burke < <a href="mailto:bburke@redhat.com">bburke@redhat.com</a> > wrote:<br>
> > > > > ><br>
> > > > > ><br>
> > > > > ><br>
> > > > > >> On 11/25/2014 3:27 PM, Alexander Chriztopher wrote:<br>
> > > > > >> Hi Bill and thanks.<br>
> > > > > >><br>
> > > > > >> Do you think we will be able to have this within a short period of<br>
> > > > time<br>
> > > > > >> (4-6 weeks) or is it going to be planned for the long run ?<br>
> > > > > ><br>
> > > > > > Not sure on the priority of this. We have face to face meetings in<br>
> > a<br>
> > > > couple<br>
> > > > > > of weeks to discuss priority, then of course, its christmas<br>
> > vacation.<br>
> > > > > ><br>
> > > > > >> When is the value of max wait used as there is already a wait<br>
> > > > increment<br>
> > > > > >> out there ?<br>
> > > > > ><br>
> > > > > > Correct. It will increase the wait after each failure until the<br>
> > max is<br>
> > > > hit.<br>
> > > > > ><br>
> > > > > >><br>
> > > > > >><br>
> > > > > >>> On 25 Nov 2014, at 20:05, Bill Burke < <a href="mailto:bburke@redhat.com">bburke@redhat.com</a> ><br>
> > wrote:<br>
> > > > > >>><br>
> > > > > >>><br>
> > > > > >>><br>
> > > > > >>>> On 11/25/2014 12:32 PM, Alexander Chriztopher wrote:<br>
> > > > > >>>> Hi,<br>
> > > > > >>>><br>
> > > > > >>>> I have a some question with regards to Brut Force Attack<br>
> > Protection<br>
> > > > :<br>
> > > > > >>>><br>
> > > > > >>>> # 1 / When brut force attack protection is enabled is there a<br>
> > way to<br>
> > > > > >>>> know when a user account is locked ? I am thinking about the<br>
> > admin<br>
> > > > > >>>> console.<br>
> > > > > >>>><br>
> > > > > >>>> # 2 / When a user account is locked is there a way to unlock it<br>
> > > > from the<br>
> > > > > >>>> admin console ?<br>
> > > > > >>><br>
> > > > > >>> Unfortunately no for the above. I'll log a jira.<br>
> > > > > >>><br>
> > > > > >>>> # 3 / What is the difference between wait increment (When<br>
> > failure<br>
> > > > > >>>> threshold has been met, how much time should the user be locked<br>
> > > > out?)<br>
> > > > > >>>> and max wait (Max time a user will be locked out.).<br>
> > > > > >>><br>
> > > > > >>> correct on both.<br>
> > > > > >>><br>
> > > > > >>><br>
> > > > > >>> --<br>
> > > > > >>> Bill Burke<br>
> > > > > >>> JBoss, a division of Red Hat<br>
> > > > > >>> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> > > > > >>> _______________________________________________<br>
> > > > > >>> keycloak-user mailing list<br>
> > > > > >>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > >>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> > > > > ><br>
> > > > > > --<br>
> > > > > > Bill Burke<br>
> > > > > > JBoss, a division of Red Hat<br>
> > > > > > <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> > > > ><br>
> > > > ><br>
> > > > > _______________________________________________<br>
> > > > > keycloak-user mailing list<br>
> > > > > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> > > ><br>
> > ><br>
> ><br>
><br>
</div></div></blockquote></div><br></div>