org.keycloak.events is fully configurable: you can set the level at which you want
it to log successes and failures. Login failures are supposed to be logged only by
the event mechanism, so this is a bug. Can you create a JIRA please?
On 12 April 2016 at 16:17, Aikeaguinea <aikeaguinea(a)xsmail.com> wrote:
I'm implementing a custom authenticator, and I'm noticing that whenever
I get an authentication failure I get a long exception in the log at
level ERROR as well as one at level WARN:
19:08:16,592 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect, code_id=117bfe17-d8be-431d-9c7f-5fcfd4aaff19
19:08:16,593 ERROR [org.keycloak.services] (default task-7) KC-SERVICES0013: failed authentication: org.keycloak.authentication.AuthenticationFlowException
	at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:85)
	at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:756)
	at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:353)
	at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:335)
	at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:380)
	...many more lines
This seems open to a DoS vulnerability that would fill up logs by
bombing the system with failed login attempts. In addition, logging the
failure at ERROR means that the only way to keep the second log entry
from showing up is to turn off all logging for org.keycloak.services.
In my ideal world, we could set Keycloak so that login failures were
simply recorded as events but don't show up in the server log at all. Is
there a way to do that?
--
http://www.fastmail.com - A fast, anti-spam email service.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
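Added example, not taken from the thread or from the Keycloak project's own sources: the standalone.xml fragments for the configuration the reply refers to. Keycloak's jboss-logging event listener reads two properties, success-level and error-level, which set the level at which org.keycloak.events writes successful and failed events (the defaults are debug and warn, which is why the LOGIN_ERROR above came out at WARN). Lowering error-level keeps login failures out of a server log that runs at INFO while the event is still raised, and still persisted if "Save Events" is enabled for the realm. The subsystem namespace versions and the choice of DEBUG are assumptions for illustration and depend on the installed release. The KC-SERVICES0013 line is emitted by org.keycloak.services rather than by the event mechanism, so this configuration does not affect it; that is the behaviour the reply asks to have filed as a bug.

```xml
<!-- Added example, not code from the thread or from Keycloak itself. -->
<!-- standalone.xml, keycloak-server subsystem (namespace version is an assumption) -->
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <!-- ... other SPI configuration unchanged ... -->
    <spi name="eventsListener">
        <!-- The jboss-logging listener reads success-level and error-level.
             Defaults: success-level=debug, error-level=warn. -->
        <provider name="jboss-logging" enabled="true">
            <properties>
                <property name="success-level" value="debug"/>
                <!-- Assumed choice: demote failed events to DEBUG so they stay
                     out of a server log running at INFO. The event is still
                     raised and, if events are saved for the realm, still stored. -->
                <property name="error-level" value="debug"/>
            </properties>
        </provider>
    </spi>
</subsystem>

<!-- standalone.xml, logging subsystem (namespace version is an assumption).
     Raise this category to DEBUG only while you actually want the event
     lines back, for example when debugging the custom authenticator. -->
<subsystem xmlns="urn:jboss:domain:logging:3.0">
    <!-- ... handlers and root-logger unchanged ... -->
    <logger category="org.keycloak.events">
        <level name="INFO"/>
    </logger>
</subsystem>
```

With error-level below the org.keycloak.events logger level, a burst of failed logins no longer produces one WARN line per attempt in server.log; the failures remain visible through the admin console's event view when event storage is enabled, which is the separation between events and log output the original poster asked for.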