[keycloak-user] A bug in the Brute Force Detection mechanism?

Wieloch, Marcin Marcin.Wieloch at sicpa.com
Wed Jun 21 02:22:35 EDT 2017


Hi,

One day I was looking for a workaround for a lacking feature (KEYCLOAK-4204),
and I have encountered a problem with the Brute Force Detection mechanism.
For some specific settings (e.g., MaxLoginFailures = 3, WaitIncrement = 24855 days,
Max Wait = 24855 days, FailureResetTime = 24855 days) the mechanism does not work,
i.e., I am still able to login after 3 (or more) failed login attempts.

I think it is caused by integer overflows happening
in lines 121 and 133 of DefaultBruteForceProtector (v. 3.1.0.Final).

Could you please confirm this is a bug? I would then create an issue in your JIRA.

Best regards,
Marcin
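The failure mode described above can be reproduced outside Keycloak with a small model of the arithmetic. The block below is an added illustration written for this page; it is not Keycloak's code and not the reporter's, and the function and parameter names (`lockout_until_int32`, `wait_increment_s`, and so on) are assumptions chosen to mirror the realm settings named in the email. It computes a lockout expiry the way a Java `int`-based implementation would (wrapping every multiplication to 32 bits) next to the same computation in unbounded arithmetic, using the settings from the report: MaxLoginFailures = 3 and WaitIncrement = Max Wait = 24855 days, which is 2,147,472,000 seconds and therefore just below `Integer.MAX_VALUE`.

```python
"""Model of a brute-force lockout timer in 32-bit signed arithmetic (Java `int`)
versus unbounded arithmetic. Illustration only; not Keycloak code. All names
and the seconds->milliseconds pattern modelled here are assumptions."""

INT32_MAX = 2**31 - 1
SECONDS_PER_DAY = 86_400


def to_int32(value: int) -> int:
    """Wrap an arbitrary Python int to Java `int` two's-complement semantics."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def lockout_until_int32(now_ms: int, num_failures: int, max_failures: int,
                        wait_increment_s: int, max_wait_s: int) -> int:
    """Lockout expiry (epoch ms) when intermediate values are 32-bit ints.

    Assumed pattern: wait = increment * (failures // max_failures), clamped to
    max_wait, then converted to milliseconds as `wait * 1000`. Each product is
    wrapped to int32 exactly as Java `int` multiplication would wrap it.
    """
    wait_s = to_int32(wait_increment_s * (num_failures // max_failures))
    wait_s = min(wait_s, max_wait_s)
    wait_ms = to_int32(wait_s * 1000)   # wraps negative once wait_s > ~24.8 days
    return now_ms + wait_ms             # now_ms is a long; no wrap here


def lockout_until_int64(now_ms: int, num_failures: int, max_failures: int,
                        wait_increment_s: int, max_wait_s: int) -> int:
    """Same computation with unbounded (or 64-bit) arithmetic: no wraparound."""
    wait_s = min(wait_increment_s * (num_failures // max_failures), max_wait_s)
    return now_ms + wait_s * 1000


def is_locked(now_ms: int, until_ms: int) -> bool:
    """Login is refused while the current time is before the expiry."""
    return now_ms < until_ms


def max_safe_wait_seconds() -> int:
    """Largest wait (in seconds) whose `* 1000` still fits a 32-bit int."""
    return INT32_MAX // 1000


if __name__ == "__main__":
    # Constructed inputs: the settings quoted in the email, at the 3rd failure.
    now = 1_498_000_000_000                       # arbitrary epoch ms
    wait = 24_855 * SECONDS_PER_DAY               # 2_147_472_000 s, fits in int32
    until32 = lockout_until_int32(now, 3, 3, wait, wait)
    until64 = lockout_until_int64(now, 3, 3, wait, wait)
    print("int32 expiry offset (ms):", until32 - now, "locked:", is_locked(now, until32))
    print("int64 expiry offset (ms):", until64 - now, "locked:", is_locked(now, until64))
    print("largest wait that survives *1000 in int32:",
          max_safe_wait_seconds(), "s ~",
          round(max_safe_wait_seconds() / SECONDS_PER_DAY, 2), "days")
```

Running the model with the reported settings gives an int32 expiry that lies about 3.2 hours in the past (the millisecond product wraps to -11,648,000), so `is_locked` returns False and the account is never locked, while the unbounded version locks it for 24855 days. The general caveat this exposes: if a wait configured in seconds is ever multiplied by 1000 in `int` arithmetic, any value above roughly 24.8 days (2,147,483 s) wraps negative, so the only safe upper bound for such a setting is far smaller than the 24855-day figure that merely fits the seconds field itself.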


