+1, anyway it looks like a bug considering the scenario you described.
Feel free to create JIRA.
Marek
On 16/10/15 07:42, Michael Gerber wrote:
I looked a bit more into the code.
And I think you should not set the authenticated user before you have validated the
password. Isn't it a bit dangerous if the authenticated user is set even if the
entered password is wrong?
> On 15.10.2015 at 09:26, Michael Gerber <gerbermichi(a)me.com> wrote:
>
> Hi all,
>
> I get the following error if I try to log in as user1 with a wrong password and then as user2 with a correct password.
>
> 2015-10-15 09:05:58,605 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-24) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
>     at org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203) [keycloak-services-1.6.0.Final-SNAPSHOT.jar:1.6.0.Final-SNAPSHOT]
>     at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332) [keycloak-services-1.6.0.Final-SNAPSHOT.jar:1.6.0.Final-SNAPSHOT]
>
>
> I think the reason for that is the context.setUser(user) call in the AbstractUsernameFormAuthenticator.validateUser method.
>
> Is this on purpose?
>
> Best
> Michael
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
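
The ordering problem discussed in this thread, as an added example that is not part of the original messages and is not Keycloak code: a simplified Java model in which `LoginContext`, `bindThenVerify` and `verifyThenBind` are hypothetical names and the credentials are constructed sample data. It contrasts binding the user to the login context before the password check with binding it only after the check succeeds.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Simplified model, NOT Keycloak code: every class and method here is hypothetical.
public class BindAfterVerify {
    // Stands in for the per-login state that remembers which user is bound to it.
    static class LoginContext {
        private String user;
        void setUser(String candidate) {
            // Modelled on the USER_CONFLICT failure in the log: a different user is already bound.
            if (user != null && !user.equals(candidate))
                throw new IllegalStateException("USER_CONFLICT");
            user = candidate;
        }
        String getUser() { return user; }
    }

    // Constructed sample credentials; a real store keeps salted password hashes.
    static final Map<String, String> PASSWORDS = Map.of("user1", "pw1", "user2", "pw2");

    static boolean passwordOk(String user, String password) {
        String expected = PASSWORDS.get(user);
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
    }
    // Order questioned in the thread: the user is bound before the password is checked.
    static boolean bindThenVerify(LoginContext ctx, String user, String password) {
        ctx.setUser(user);
        return passwordOk(user, password);
    }
    // Reordered: the context only ever holds a user whose password was verified.
    static boolean verifyThenBind(LoginContext ctx, String user, String password) {
        if (!passwordOk(user, password)) return false;
        ctx.setUser(user);
        return true;
    }
    public static void main(String[] args) {
        LoginContext a = new LoginContext();
        System.out.println("bind-first, user1 wrong pw: " + bindThenVerify(a, "user1", "wrong"));
        System.out.println("bound after failed attempt: " + a.getUser());
        try { bindThenVerify(a, "user2", "pw2"); }
        catch (IllegalStateException e) { System.out.println("user2 correct pw: " + e.getMessage()); }

        LoginContext b = new LoginContext();
        System.out.println("verify-first, user1 wrong pw: " + verifyThenBind(b, "user1", "wrong"));
        System.out.println("bound after failed attempt: " + b.getUser());
        System.out.println("user2 correct pw: " + verifyThenBind(b, "user2", "pw2") + " as " + b.getUser());
    }
}
```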