[keycloak-dev] no empty password in UserFederationProvider
Marek Posolda
mposolda at redhat.com
Mon Nov 23 03:02:14 EST 2015
Sure, that would be fine. But again, it's important that with default
settings, LDAPOperationManager.authenticate won't automatically
authenticate AD users with empty password (which may happen when
anonymous bind is enabled on AD side).
Marek
On 20/11/15 18:22, Michael Gerber wrote:
> We’ve got a custom UserFederationProvider, which authenticates users against an AD or DB. Therefore, we need to know if a user entered an empty password.
> I will create a PR and jira ticket for that, ok?
>
>> On 20.11.2015, at 17:50, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> That will be the easiest path to use our BruteForceProtector.
>>
>> However AD also has some "BruteForceProtector" of its own, which disables the user in AD when he reaches some count of invalid attempts. And I guess Michael wants to use that one and disable the user in AD as well.
>>
>> Marek
>>
>> On 20/11/15 17:40, Bill Burke wrote:
>>> You can I guess, but why does it matter? invalidPassword hits the brute
>>> force detector if it is turned on.
>>>
>>> On 11/20/2015 10:16 AM, Michael Gerber wrote:
>>>> AbstractUsernameFormAuthenticator.validatePassword
>>>>
>>>> public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
>>>>     List<UserCredentialModel> credentials = new LinkedList<>();
>>>>     String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
>>>>     // Empty or missing input is rejected here and never reaches the federation provider
>>>>     if (password == null || password.isEmpty()) {
>>>>         invalidPassword(context, user);
>>>>         return false;
>>>>     }
>>>>     credentials.add(UserCredentialModel.password(password));
>>>>     // Only a non-empty password is handed to validCredentials (and so to the provider)
>>>>     boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
>>>>     if (!valid) {
>>>>         invalidPassword(context, user);
>>>>         return false;
>>>>     }
>>>>     return true;
>>>> }
>>>>
>>>> I think we can remove the first if (password == null || password.isEmpty())
>>>>
>>>> On 20 November 2015 at 16:11, Bill Burke <bburke at redhat.com> wrote:
>>>>
>>>>> Point me to the code?
>>>>>
>>>>> On 11/20/2015 9:04 AM, Michael Gerber wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> keycloak does not pass an empty password to the validCredentials method
>>>>>> in the UserFederationProvider class.
>>>>>> Is there a reason for that? I would like to authenticate against an AD
>>>>>> even if the password is empty, otherwise the user won't be blocked after
>>>>>> x attempts.
>>>>>>
>>>>>> Michael
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
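As an added example (not code from this thread or from Keycloak), the failure mode behind Marek's caveat: a constructed in-memory directory that, like servers following RFC 4513 section 5.1.2, silently accepts a simple bind with a DN and an empty password, shown beside the guard that keeps such input away from the bind. The directory class, DNs and passwords are constructed sample data, not a real LDAP client.

```python
from dataclasses import dataclass, field


class BindError(Exception):
    """Raised by the simulated server when a bind fails, as a real client would."""


@dataclass
class SimulatedDirectory:
    """Constructed stand-in for AD/LDAP. Models RFC 4513 section 5.1.2: a simple
    bind with a DN and an empty password is an 'unauthenticated' bind that the
    server accepts without error, although it proves nothing about the user."""
    passwords: dict                      # dn -> password, constructed sample data
    lockout_threshold: int = 3           # AD-style lockout after N failed binds
    failures: dict = field(default_factory=dict)

    def simple_bind(self, dn: str, password: str) -> None:
        if password == "":
            return                       # unauthenticated bind: accepted silently
        if self.failures.get(dn, 0) >= self.lockout_threshold:
            raise BindError("account locked")
        if self.passwords.get(dn) == password:
            self.failures[dn] = 0
            return
        self.failures[dn] = self.failures.get(dn, 0) + 1
        raise BindError("invalid credentials")


def naive_validate(directory: SimulatedDirectory, dn: str, password: str) -> bool:
    """Forwards whatever was typed and treats 'bind did not fail' as success."""
    try:
        directory.simple_bind(dn, password)
        return True
    except BindError:
        return False


def guarded_validate(directory: SimulatedDirectory, dn: str, password) -> bool:
    """Keeps the empty-password check in front of the directory, as the thread's
    validatePassword does: only non-empty input ever reaches the bind."""
    if password is None or password == "":
        return False                     # reject locally; never bind with it
    return naive_validate(directory, dn, password)


def demo() -> dict:
    alice = "cn=alice,dc=example,dc=com"  # constructed DN
    d = SimulatedDirectory({alice: "correct horse"})
    return {"naive_empty": naive_validate(d, alice, ""),      # True: no password needed
            "guarded_empty": guarded_validate(d, alice, ""),  # False
            "guarded_good": guarded_validate(d, alice, "correct horse")}
```

The empty attempt the guard rejects is never seen by the directory's own lockout counter, which is exactly why it has to be counted by the authenticator's own brute-force protection instead.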