diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
index f77a6bd893..06445e885d 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
@@ -97,6 +97,17 @@
Version specific migration +
+ Migrating to 1.9.5 + + Default password hashing interval increased to 20K + + The default password hashing interval for new realms is increased to 20K (from 1 previously). This will have a significant performance + when users login. + + +
+
 Migrating to 1.9.3
diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
index c9a3b1ebca..4ff5588183 100755
--- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
@@ -18,6 +18,7 @@ package org.keycloak.services.managers;
 import org.keycloak.Config;
 import org.keycloak.common.enums.SslRequired;
+import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.session.UserSessionPersisterProvider;
 import org.keycloak.models.utils.RealmImporter;
 import org.keycloak.models.AccountRoles;
@@ -218,6 +219,8 @@ public class RealmManager implements RealmImporter {
 realm.setOTPPolicy(OTPPolicy.DEFAULT_POLICY);
 realm.setEventsListeners(Collections.singleton("jboss-logging"));
+
+ realm.setPasswordPolicy(new PasswordPolicy("hashIterations(20000)"));
 }
 public boolean removeRealm(RealmModel realm) {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
index 5aa88e5ab6..ca5429c285 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
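Review bot: The new default at the end of the second RealmManager.java hunk is carried only as a realm policy string, `new PasswordPolicy("hashIterations(20000)")`, so it is a starting value for a realm and not an enforced floor. Existing realms are not touched by this line, and the migration note in this commit speaks of new realms only, so they presumably keep the previous count of 1 until an administrator adds `hashIterations(...)` to their policy. I would add a comment above the call, `// Default for newly created realms only; existing realms keep their configured hashIterations.`, and say the same in the migration note. The literal is repeated in RealmTest and as a bare `20000` in AdapterTest, so a shared constant would keep the three from drifting. The enclosing method starts outside the hunk.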
@@ -132,6 +132,26 @@ public class RealmTest extends AbstractAdminTest {
 Assert.assertNames(adminClient.realms().findAll(), "master", AuthRealm.TEST, REALM_NAME);
 }
+ @Test
+ public void createRealmCheckDefaultPasswordPolicy() {
+ RealmRepresentation rep = new RealmRepresentation();
+ rep.setRealm("new-realm");
+
+ adminClient.realms().create(rep);
+
+ assertEquals("hashIterations(20000)", adminClient.realm("new-realm").toRepresentation().getPasswordPolicy());
+
+ adminClient.realms().realm("new-realm").remove();
+
+ rep.setPasswordPolicy("length(8)");
+
+ adminClient.realms().create(rep);
+
+ assertEquals("length(8)", adminClient.realm("new-realm").toRepresentation().getPasswordPolicy());
+
+ adminClient.realms().realm("new-realm").remove();
+ }
+
 @Test
 public void createRealmFromJson() {
 RealmRepresentation rep = loadJson(getClass().getResourceAsStream("/admin-test/testrealm.json"), RealmRepresentation.class);
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AdapterTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AdapterTest.java
index 869b3ff72b..27b550a31c 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AdapterTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AdapterTest.java
@@ -163,7 +163,7 @@ public class AdapterTest extends AbstractModelTest {
 user.updateCredential(cred);
 Assert.assertTrue(userProvider.validCredentials(session, realmModel, user, UserCredentialModel.password("geheim")));
 List creds = user.getCredentialsDirectly();
- Assert.assertEquals(creds.get(0).getHashIterations(), 1);
+ Assert.assertEquals(creds.get(0).getHashIterations(), 20000);
 realmModel.setPasswordPolicy(new PasswordPolicy("hashIterations(200)"));
 Assert.assertTrue(userProvider.validCredentials(session, realmModel, user, UserCredentialModel.password("geheim")));
 creds = user.getCredentialsDirectly();
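Review bot: In createRealmCheckDefaultPasswordPolicy (RealmTest.java) the second assertion pins that a realm created with `length(8)` ends up with exactly `length(8)`, so a caller-supplied policy replaces the `hashIterations(20000)` default instead of being merged with it. Whether password hashing then falls back to the old count of 1 is not visible in this hunk and should be confirmed. If the replacement is intended, the test should say so, for example `// an explicit policy replaces the default, including hashIterations`. Both `remove()` calls also run only when the preceding assertion passes, so a failure leaves `new-realm` behind for later tests; doing the removal in a `finally` block would avoid that.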
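Review bot: The changed assertion in AdapterTest.java passes the value under test as the first argument, `Assert.assertEquals(creds.get(0).getHashIterations(), 20000);`. If `Assert` here is JUnit's, the expected value goes first, and a failure would report the two numbers the wrong way round. I would write `Assert.assertEquals(20000, creds.get(0).getHashIterations());`. The enclosing test method starts and ends outside the hunk.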