KEYCLOAK-1973 Clear user from authentication context is password is not valid
parent
a6556a49c2
commit
2910db5595
4 changed files with 64 additions and 4 deletions
@ -32,6 +32,11 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon
|
||||||
*/
|
*/
|
||||||
void setUser(UserModel user);
|
void setUser(UserModel user);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Clear the user from the flow.
|
||||||
|
*/
|
||||||
|
void clearUser();
|
||||||
|
|
||||||
void attachUserSession(UserSessionModel userSession);
|
void attachUserSession(UserSessionModel userSession);
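Review bot: The Javadoc on the new `clearUser()` only restates its name; it should say which state is undone so implementers and callers agree on the contract, e.g. `Removes the user previously associated with this flow via {@link #setUser(UserModel)}, so that later authenticators in the flow start without an authenticated user.` Because the interface also declares `attachUserSession(UserSessionModel)`, the comment should also state whether an already attached user session is left untouched — the hunk does not make that clear, and an implementer could reasonably guess either way. Missing wording here is what lets the clear path drift from the set path over time.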
|
||||||
|
|
||||||
|
|
||||||
@ -215,6 +215,9 @@ public class AuthenticationProcessor {
|
||||||
getClientSession().setAuthenticatedUser(user);
|
getClientSession().setAuthenticatedUser(user);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void clearAuthenticatedUser() {
|
||||||
|
getClientSession().setAuthenticatedUser(null);
|
||||||
|
}
|
||||||
|
|
||||||
public class Result implements AuthenticationFlowContext, ClientAuthenticationFlowContext {
|
public class Result implements AuthenticationFlowContext, ClientAuthenticationFlowContext {
|
||||||
AuthenticatorConfigModel authenticatorConfig;
|
AuthenticatorConfigModel authenticatorConfig;
|
||||||
|
@ -332,6 +335,8 @@ public class AuthenticationProcessor {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public UserModel getUser() {
|
public UserModel getUser() {
|
||||||
return getClientSession().getAuthenticatedUser();
|
return getClientSession().getAuthenticatedUser();
|
||||||
|
@ -342,6 +347,11 @@ public class AuthenticationProcessor {
|
||||||
setAutheticatedUser(user);
|
setAutheticatedUser(user);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void clearUser() {
|
||||||
|
clearAuthenticatedUser();
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public RealmModel getRealm() {
|
public RealmModel getRealm() {
|
||||||
return AuthenticationProcessor.this.getRealm();
|
return AuthenticationProcessor.this.getRealm();
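Review bot: `clearAuthenticatedUser()` in the first hunk is a new public method with no Javadoc, and it resets only the client session's authenticated user, whereas the setter it mirrors is cut off by the hunk (only its last statement, `getClientSession().setAuthenticatedUser(user);`, is visible). If that setter does any bookkeeping beyond the visible line, the clear path has to undo it as well, otherwise a failed credential check leaves partial state for the next attempt — worth confirming against the lines above the hunk. Suggested Javadoc for the new method: `Detaches the authenticated user from the client session so that a failed credential check does not carry the user into the next attempt; counterpart of the setter used by {@link Result#setUser(UserModel)}.` The `Result.clearUser()` delegate in the last hunk is fine as written; a one-line `@see` pointing at the outer method would help readers find the actual behaviour.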
|
||||||
@ -140,6 +140,7 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
|
||||||
context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
|
context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
|
||||||
Response challengeResponse = invalidCredentials(context);
|
Response challengeResponse = invalidCredentials(context);
|
||||||
context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
|
context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
|
||||||
|
context.clearUser();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
credentials.add(UserCredentialModel.password(password));
|
credentials.add(UserCredentialModel.password(password));
|
||||||
|
@ -149,6 +150,7 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
|
||||||
context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
|
context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
|
||||||
Response challengeResponse = invalidCredentials(context);
|
Response challengeResponse = invalidCredentials(context);
|
||||||
context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
|
context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
|
||||||
|
context.clearUser();
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return true;
|
return true;
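Review bot: Both hunks (@ -140 and @ -149) add the identical `context.clearUser();` to two failure branches that were already textually identical (error event, `invalidCredentials(context)`, `failureChallenge(...)`, `return false`), so the fix now has to be maintained in two places; a private helper removes the duplication and makes it harder for a third failure path to forget the clear. Any other branch in this class that calls `failureChallenge` outside these hunks (the enclosing method starts and ends outside the visible lines) should be checked for the same omission, since leaving the user attached after a failure is exactly what this commit is correcting. The helper's `context` parameter should use whatever type the enclosing method already declares; `AuthenticationFlowContext` is the interface that gained `clearUser()`.
```java
/** Records an invalid-credentials failure, detaches the user from the flow and reports failure. */
private boolean failInvalidCredentials(AuthenticationFlowContext context) {
    context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
    Response challengeResponse = invalidCredentials(context);
    context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
    context.clearUser();
    return false;
}
// … unchanged: each of the two failure branches becomes `return failInvalidCredentials(context);` …
```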
|
||||||
@ -66,19 +66,28 @@ public class LoginTest {
|
||||||
|
|
||||||
@ClassRule
|
@ClassRule
|
||||||
public static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() {
|
public static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||||
|
UserCredentialModel creds = new UserCredentialModel();
|
||||||
|
creds.setType(CredentialRepresentation.PASSWORD);
|
||||||
|
creds.setValue("password");
|
||||||
|
|
||||||
UserModel user = manager.getSession().users().addUser(appRealm, "login-test");
|
UserModel user = manager.getSession().users().addUser(appRealm, "login-test");
|
||||||
user.setEmail("login@test.com");
|
user.setEmail("login@test.com");
|
||||||
user.setEnabled(true);
|
user.setEnabled(true);
|
||||||
|
|
||||||
userId = user.getId();
|
userId = user.getId();
|
||||||
|
|
||||||
UserCredentialModel creds = new UserCredentialModel();
|
|
||||||
creds.setType(CredentialRepresentation.PASSWORD);
|
|
||||||
creds.setValue("password");
|
|
||||||
|
|
||||||
user.updateCredential(creds);
|
user.updateCredential(creds);
|
||||||
|
|
||||||
|
UserModel user2 = manager.getSession().users().addUser(appRealm, "login-test2");
|
||||||
|
user2.setEmail("login2@test.com");
|
||||||
|
user2.setEnabled(true);
|
||||||
|
|
||||||
|
user2Id = user2.getId();
|
||||||
|
|
||||||
|
user2.updateCredential(creds);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -108,6 +117,8 @@ public class LoginTest {
|
||||||
|
|
||||||
private static String userId;
|
private static String userId;
|
||||||
|
|
||||||
|
private static String user2Id;
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testBrowserSecurityHeaders() {
|
public void testBrowserSecurityHeaders() {
|
||||||
Client client = ClientBuilder.newClient();
|
Client client = ClientBuilder.newClient();
|
||||||
|
@ -122,6 +133,31 @@ public class LoginTest {
|
||||||
response.close();
|
response.close();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void loginChangeUserAfterInvalidPassword() {
|
||||||
|
loginPage.open();
|
||||||
|
loginPage.login("login-test2", "invalid");
|
||||||
|
|
||||||
|
loginPage.assertCurrent();
|
||||||
|
|
||||||
|
Assert.assertEquals("login-test2", loginPage.getUsername());
|
||||||
|
Assert.assertEquals("", loginPage.getPassword());
|
||||||
|
|
||||||
|
Assert.assertEquals("Invalid username or password.", loginPage.getError());
|
||||||
|
|
||||||
|
events.expectLogin().user(user2Id).session((String) null).error("invalid_user_credentials")
|
||||||
|
.detail(Details.USERNAME, "login-test2")
|
||||||
|
.removeDetail(Details.CONSENT)
|
||||||
|
.assertEvent();
|
||||||
|
|
||||||
|
loginPage.login("login-test", "password");
|
||||||
|
|
||||||
|
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||||
|
Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
|
||||||
|
|
||||||
|
events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void loginInvalidPassword() {
|
public void loginInvalidPassword() {
|
||||||
loginPage.open();
|
loginPage.open();
|
||||||
|
@ -247,6 +283,13 @@ public class LoginTest {
|
||||||
.detail(Details.USERNAME, "invalid")
|
.detail(Details.USERNAME, "invalid")
|
||||||
.removeDetail(Details.CONSENT)
|
.removeDetail(Details.CONSENT)
|
||||||
.assertEvent();
|
.assertEvent();
|
||||||
|
|
||||||
|
loginPage.login("login-test", "password");
|
||||||
|
|
||||||
|
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||||
|
Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
|
||||||
|
|
||||||
|
events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
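Review bot: The new test `loginChangeUserAfterInvalidPassword` in the @ -122 hunk carries no comment saying which regression it guards, so a future edit could trim it without understanding why the second login and its `user(userId)` event assertion matter; add `// KEYCLOAK-1973: a failed attempt as login-test2 must not leave that user attached to the flow, so the next attempt as login-test must be attributed to userId.` above the method. The successful-login tail (login as login-test, assert `RequestType.AUTH_RESPONSE`, assert the `OAuth2Constants.CODE` query parameter, assert the login event for `userId`) is now repeated verbatim in that test and in `loginInvalidPassword` via the @ -247 hunk; a private helper such as `assertLoginTestUserCanLogin()` would keep both in step. In the `config` hunk the same `UserCredentialModel` instance is passed to both `user.updateCredential(creds)` and `user2.updateCredential(creds)`, which is only safe if `updateCredential` neither retains nor mutates the model — I cannot verify that from here, so a second instance would be the safer choice.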
|