It should be fine to remove it in Authenticator, but I am not sure if it
addresses your use case. We have another similar check in
LDAPOperationManager.authenticate :
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main...
.
The reason behind it was another issue related to AD. Basically all
other LDAP servers will always throw an exception if you put an incorrect
(or empty) LDAP password. However AD in some cases doesn't throw an
exception in case of an empty password. It throws an exception for an invalid
password, but not for an empty one. So it will allow any AD user to
log in to Keycloak with an empty password... I don't know if there is some
switch in the AD settings to disable this behaviour.
But anyway, we need to have a solution which will work in all situations.
So we either need to add some switch to the configuration (true: allow empty
password to be sent to LDAP authentication, false: do not allow it and
throw an error as we do now. The default setting will be false). Or if you can
figure out the code which works for all use cases without an additional switch,
it will be even better :-)
Marek
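The empty-password behaviour Marek describes corresponds to what RFC 4513 (section 5.1.2) calls an "unauthenticated bind": a simple bind with a DN and an empty password, which a server may accept while leaving the connection anonymous rather than returning invalidCredentials. The following Python model is an added example, not code from Keycloak or from anyone in this thread. It uses a constructed fake directory (FakeDirectory, with an accept_unauthenticated_bind flag standing in for the AD behaviour) and a hypothetical allow_empty_password switch like the one proposed above, and shows the two independent defences: refusing empty passwords before the bind, and verifying after the bind that the connection is actually bound as the user (the RFC 4532 "Who am I?" check, modelled here as whoami()).

```python
"""Added example: why an empty password must not count as a credential
when authenticating by LDAP simple bind. Not Keycloak code."""
from dataclasses import dataclass, field


class LdapError(Exception):
    """Result code of a failed LDAP operation (constructed)."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server; not a real client library.

    accept_unauthenticated_bind=True models the AD behaviour from the
    thread: a DN with an empty password binds without an exception, but
    the connection is only anonymous. False models the RFC 4513 default,
    where such a bind is refused with unwillingToPerform.
    """
    passwords: dict                      # dn -> password
    accept_unauthenticated_bind: bool
    bound_as: str = ""                   # "" means anonymous
    failed_attempts: dict = field(default_factory=dict)

    def simple_bind(self, dn: str, password: str) -> None:
        self.bound_as = ""
        if dn not in self.passwords:
            raise LdapError("invalidCredentials")
        if password == "":
            if self.accept_unauthenticated_bind:
                return                   # no exception, but still anonymous
            raise LdapError("unwillingToPerform")
        if self.passwords[dn] != password:
            self.failed_attempts[dn] = self.failed_attempts.get(dn, 0) + 1
            raise LdapError("invalidCredentials")
        self.bound_as = dn

    def whoami(self) -> str:
        """Authorization identity of the connection, "" when anonymous."""
        return self.bound_as


def authenticate(directory: FakeDirectory, dn: str, password: str,
                 allow_empty_password: bool = False) -> bool:
    """Return True only if the directory bound the connection as `dn`.

    allow_empty_password is the hypothetical configuration switch from
    the thread; with the default False an empty password is rejected
    locally and never sent to the server.
    """
    if password is None or password == "":
        if not allow_empty_password:
            return False
    try:
        directory.simple_bind(dn, password or "")
    except LdapError:
        return False
    # A bind that "succeeded" but left the connection anonymous is not a login.
    return directory.whoami() == dn


USER = "cn=alice,dc=example,dc=org"     # constructed sample DN


def demo() -> dict:
    """Run the cases discussed in the thread; returns {case: outcome}."""
    ad_like = FakeDirectory({USER: "s3cret"}, accept_unauthenticated_bind=True)
    strict = FakeDirectory({USER: "s3cret"}, accept_unauthenticated_bind=False)
    return {
        "correct password": authenticate(ad_like, USER, "s3cret"),
        "wrong password": authenticate(ad_like, USER, "nope"),
        "empty, switch off": authenticate(ad_like, USER, ""),
        "empty, switch on, AD-like": authenticate(ad_like, USER, "",
                                                  allow_empty_password=True),
        "empty, switch on, strict server": authenticate(strict, USER, "",
                                                        allow_empty_password=True),
        "AD-like failed attempts counted": ad_like.failed_attempts.get(USER, 0),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

With the switch off the empty password never reaches the directory, which is the current Keycloak behaviour; with it on, the whoami() comparison is what stops an AD-style unauthenticated bind from being mistaken for a successful login. Note also that in this model the AD-like server does not increment its failed-attempt counter for the empty bind, so forwarding empty passwords would not by itself give the lockout behaviour Michael is after.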
On 20/11/15 16:16, Michael Gerber wrote:
AbstractUsernameFormAuthenticator.validatePassword
    public boolean validatePassword(AuthenticationFlowContext context, UserModel user,
                                    MultivaluedMap<String, String> inputData) {
        List<UserCredentialModel> credentials = new LinkedList<>();
        String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
        // A missing or empty password is rejected here, before the
        // federation provider's validCredentials is ever called.
        if (password == null || password.isEmpty()) {
            invalidPassword(context, user);
            return false;
        }
        credentials.add(UserCredentialModel.password(password));
        boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
        if (!valid) {
            invalidPassword(context, user);
            return false;
        }
        return true;
    }

I think we can remove the first if (password == null || password.isEmpty())
On 20 November 2015 at 16:11, Bill Burke <bburke(a)redhat.com> wrote:
> Point me to the code?
>
> On 11/20/2015 9:04 AM, Michael Gerber wrote:
>> Hi All,
>>
>> Keycloak does not pass an empty password to the validCredentials method
>> in the UserFederationProvider class.
>> Is there a reason for that? I would like to authenticate against an AD
>> even if the password is empty, otherwise the user won't be blocked after
>> x attempts.
>>
>> Michael
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
> http://bill.burkecentral.com