AbstractUsernameFormAuthenticator.validatePassword

public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
    List<UserCredentialModel> credentials = new LinkedList<>();
    String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
    if (password == null || password.isEmpty()) {
        invalidPassword(context, user);
        return false;
    }
    credentials.add(UserCredentialModel.password(password));
    boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
    if (!valid) {
        invalidPassword(context, user);
        return false;
    }
    return true;
}
I think we can remove the first if (password == null || password.isEmpty())

Am 20. November 2015 um 16:11 schrieb Bill Burke <bburke@redhat.com>:

Point me to the code?

On 11/20/2015 9:04 AM, Michael Gerber wrote:
Hi All,

keycloak does not pass an empty password to the validCredentials method
in the UserFederationProvider class.
Is there a reason for that? I would like to authenticate against an AD
even if the password is empty, otherwise the user won't be blocked after
x attempts.

Michael


_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev


--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev