You can I guess, but why does it matter? invalidPassword hits the brute
force detector if it is turned on.
On 11/20/2015 10:16 AM, Michael Gerber wrote:
AbstractUsernameFormAuthenticator.validatePassword
public boolean validatePassword(AuthenticationFlowContext context, UserModel user,
MultivaluedMap<String, String> inputData) {
List<UserCredentialModel> credentials =new LinkedList<>();
String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
if (password ==null || password.isEmpty()) {
invalidPassword(context, user);
return false;
}
credentials.add(UserCredentialModel.password(password));
boolean valid = context.getSession().users().validCredentials(context.getRealm(), user,
credentials);
if (!valid) {
invalidPassword(context, user);
return false;
}
return true;
}
I think we can remove the first if (password == null || password.isEmpty())
Am 20. November 2015 um 16:11 schrieb Bill Burke <bburke(a)redhat.com>:
> Point me to the code?
>
> On 11/20/2015 9:04 AM, Michael Gerber wrote:
>> Hi All,
>>
>> keycloak does not pass an empty password to the validCredentials method
>> in the UserFederationProvider class.
>> Is there a reason for that? I would like to authenticate against an AD
>> even if the password is empty, otherwise the user won't be blocked after
>> x attempts.
>>
>> Michael
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev