[keycloak-dev] denial-of-service (DoS)
Michael Gerber
gerbermichi at me.com
Tue Feb 17 14:54:03 EST 2015
Hi all,
It’s very easy to produce an out-of-memory error. Just make thousands of requests to the login page with a huge state parameter.
Keycloak allocates a new ClientSessionEntity for each request and stores it with the given state parameter in a ConcurrentHashMap (if the MemUserSessionProvider is used).
Do you think it is necessary to create a new ClientSessionEntity before the user is authenticated?
Wouldn’t it be possible to pass all necessary information via URL parameters? Create a LoginToken similar to the IDToken, encrypt it with the realm private key, and add it to the URL as a parameter.
Best
Michael
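A sketch of the stateless alternative Michael proposes, added here as an illustration; it is not Keycloak code and does not match Keycloak's internal classes. The design point is that the login endpoint allocates nothing per request: the client id, redirect URI and state travel in a self-contained token on the URL and are only trusted once the signature and expiry check pass. The realm key, the HMAC-SHA256 signing (used in place of the encryption Michael suggests, since integrity is what the check needs), the 512-byte cap on the state parameter and the 300-second lifetime are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

# Assumed limits for this example (not Keycloak's values): the state parameter
# is attacker-controlled, so bound it before it is copied anywhere.
MAX_STATE_LEN = 512
TOKEN_TTL_SECONDS = 300
MAX_TOKEN_LEN = 4096


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_login_token(realm_key: bytes, client_id: str, redirect_uri: str,
                     state: str, now: Optional[int] = None) -> str:
    """Build a self-contained login token: base64url(payload).base64url(HMAC).

    Nothing is stored server-side; the caller gets the token back on the URL.
    """
    if len(state) > MAX_STATE_LEN:
        raise ValueError("state parameter too long")
    now = int(time.time()) if now is None else now
    payload = {
        "cid": client_id,
        "ruri": redirect_uri,
        "st": state,
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64u(hmac.new(realm_key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_login_token(realm_key: bytes, token: str,
                       now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired.

    Cheap structural checks run first so a malformed or oversized token is
    rejected before any decoding or parsing work is done.
    """
    if len(token) > MAX_TOKEN_LEN or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = _b64u(hmac.new(realm_key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        payload = json.loads(_b64u_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def build_login_redirect(realm_key: bytes, login_url: str, client_id: str,
                         redirect_uri: str, state: str,
                         now: Optional[int] = None) -> str:
    """What a stateless login endpoint would hand back: a URL carrying the token
    instead of a key into a server-side session map."""
    token = make_login_token(realm_key, client_id, redirect_uri, state, now)
    return f"{login_url}?{urlencode({'login_token': token})}"


if __name__ == "__main__":
    key = b"example-realm-key"  # constructed sample key
    url = build_login_redirect(key, "https://idp.example/login", "demo-app",
                               "https://app.example/cb", "xyz123")
    print(url)
```

Usage note: the state value is still echoed back to the client after authentication, but the server never holds it between requests; a request with an oversized state fails at `make_login_token` before anything is built, and a forged or expired token fails at `verify_login_token` without touching any shared data structure.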