KEYCLOAK-3020

Increase default password hashing iterations to 20K
Stian Thorgersen 2016-05-23 09:16:01 +02:00
parent 74809b4132
commit 477c0872b0
4 changed files with 35 additions and 1 deletions


@ -97,6 +97,17 @@
<section> <section>
<title>Version specific migration</title> <title>Version specific migration</title>
<section>
<title>Migrating to 1.9.5</title>
<simplesect>
<title>Default password hashing interval increased to 20K</title>
<para>
The default password hashing interval for new realms is increased to 20K (from 1 previously). This will have a significant performance
when users login.
</para>
</simplesect>
</section>
<section> <section>
<title>Migrating to 1.9.3</title> <title>Migrating to 1.9.3</title>
<simplesect> <simplesect>


@ -18,6 +18,7 @@ package org.keycloak.services.managers;
import org.keycloak.Config; import org.keycloak.Config;
import org.keycloak.common.enums.SslRequired; import org.keycloak.common.enums.SslRequired;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.session.UserSessionPersisterProvider; import org.keycloak.models.session.UserSessionPersisterProvider;
import org.keycloak.models.utils.RealmImporter; import org.keycloak.models.utils.RealmImporter;
import org.keycloak.models.AccountRoles; import org.keycloak.models.AccountRoles;
@ -218,6 +219,8 @@ public class RealmManager implements RealmImporter {
realm.setOTPPolicy(OTPPolicy.DEFAULT_POLICY); realm.setOTPPolicy(OTPPolicy.DEFAULT_POLICY);
realm.setEventsListeners(Collections.singleton("jboss-logging")); realm.setEventsListeners(Collections.singleton("jboss-logging"));
realm.setPasswordPolicy(new PasswordPolicy("hashIterations(20000)"));
} }
public boolean removeRealm(RealmModel realm) { public boolean removeRealm(RealmModel realm) {
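Review bot: The new `realm.setPasswordPolicy(new PasswordPolicy("hashIterations(20000)"))` line carries the default as a bare string literal that RealmTest's `createRealmCheckDefaultPasswordPolicy` repeats verbatim, so the two can silently drift apart. Hoist it to one constant in RealmManager, e.g. `public static final String DEFAULT_PASSWORD_POLICY = "hashIterations(20000)";`, and have the test compare against that constant instead of its own copy. The migration note in this commit states the new default applies to new realms only, so a one-line comment such as `// default hash iteration count for realms created here; existing realms keep their stored policy` would make that scope visible at the point of use. The enclosing method starts outside the hunk, so whether this setup is also reached for imported realms cannot be confirmed from here.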


@ -132,6 +132,26 @@ public class RealmTest extends AbstractAdminTest {
Assert.assertNames(adminClient.realms().findAll(), "master", AuthRealm.TEST, REALM_NAME); Assert.assertNames(adminClient.realms().findAll(), "master", AuthRealm.TEST, REALM_NAME);
} }
@Test
public void createRealmCheckDefaultPasswordPolicy() {
RealmRepresentation rep = new RealmRepresentation();
rep.setRealm("new-realm");
adminClient.realms().create(rep);
assertEquals("hashIterations(20000)", adminClient.realm("new-realm").toRepresentation().getPasswordPolicy());
adminClient.realms().realm("new-realm").remove();
rep.setPasswordPolicy("length(8)");
adminClient.realms().create(rep);
assertEquals("length(8)", adminClient.realm("new-realm").toRepresentation().getPasswordPolicy());
adminClient.realms().realm("new-realm").remove();
}
@Test @Test
public void createRealmFromJson() { public void createRealmFromJson() {
RealmRepresentation rep = loadJson(getClass().getResourceAsStream("/admin-test/testrealm.json"), RealmRepresentation.class); RealmRepresentation rep = loadJson(getClass().getResourceAsStream("/admin-test/testrealm.json"), RealmRepresentation.class);
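Review bot: In `createRealmCheckDefaultPasswordPolicy` the two `adminClient.realms().realm("new-realm").remove()` calls run only if the assertEquals before them passes, so a failed assertion leaves `new-realm` behind; the second `create(rep)` then fails on a duplicate name and the sibling test that asserts the full realm list with `Assert.assertNames` fails for an unrelated reason. Wrap each create/assert pair in a try/finally so the realm is removed on both paths. The literal `"hashIterations(20000)"` here also duplicates the one set in RealmManager; reading a shared constant would keep the test and the default in step.
```java
    @Test
    public void createRealmCheckDefaultPasswordPolicy() {
        RealmRepresentation rep = new RealmRepresentation();
        rep.setRealm("new-realm");
        adminClient.realms().create(rep);
        try {
            assertEquals("hashIterations(20000)", adminClient.realm("new-realm").toRepresentation().getPasswordPolicy());
        } finally {
            adminClient.realms().realm("new-realm").remove();
        }
        rep.setPasswordPolicy("length(8)");
        adminClient.realms().create(rep);
        try {
            assertEquals("length(8)", adminClient.realm("new-realm").toRepresentation().getPasswordPolicy());
        } finally {
            adminClient.realms().realm("new-realm").remove();
        }
    }
```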


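--- a/AdapterTest.java
+++ b/AdapterTest.java
@@ -163,7 +163,7 @@ public class AdapterTest extends AbstractModelTest {
 user.updateCredential(cred);
 Assert.assertTrue(userProvider.validCredentials(session, realmModel, user, UserCredentialModel.password("geheim")));
 List<UserCredentialValueModel> creds = user.getCredentialsDirectly();
-Assert.assertEquals(creds.get(0).getHashIterations(), 1);
+Assert.assertEquals(creds.get(0).getHashIterations(), 20000);
 realmModel.setPasswordPolicy(new PasswordPolicy("hashIterations(200)"));
 Assert.assertTrue(userProvider.validCredentials(session, realmModel, user, UserCredentialModel.password("geheim")));
 creds = user.getCredentialsDirectly();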
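Review bot: The updated assertion `Assert.assertEquals(creds.get(0).getHashIterations(), 20000)` passes the actual value in the expected position, so a failure message reports the two swapped; it should read `Assert.assertEquals(20000, creds.get(0).getHashIterations());`. The test now also depends on the realm silently inheriting the new implicit default rather than a policy the test sets itself, which ties it to how `realmModel` was created earlier in the method (outside the hunk); either assert against a shared default constant or set `hashIterations(20000)` explicitly before `updateCredential` so the expectation is self-contained. The enclosing test method starts and ends outside the hunk.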