KEYCLOAK-3020

Increase default password hashing intervals to 20K
2016-05-23 09:16:01 +02:00 · 2016-05-23 09:16:01 +02:00 · 477c0872b0
commit 477c0872b0
parent 74809b4132
4 changed files with 35 additions and 1 deletions
--- a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
@ -97,6 +97,17 @@
    <section>
        <title>Version specific migration</title>

+        <section>
+            <title>Migrating to 1.9.5</title>
+            <simplesect>
+                <title>Default password hashing interval increased to 20K</title>
+                <para>
+                    The default password hashing interval for new realms is increased to 20K (from 1 previously). This will have a significant performance
+                    when users login.
+                </para>
+            </simplesect>
+        </section>
+
        <section>
            <title>Migrating to 1.9.3</title>
            <simplesect>
--- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
@ -18,6 +18,7 @@ package org.keycloak.services.managers;

 import org.keycloak.Config;
 import org.keycloak.common.enums.SslRequired;
+import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.session.UserSessionPersisterProvider;
 import org.keycloak.models.utils.RealmImporter;
 import org.keycloak.models.AccountRoles;
@ -218,6 +219,8 @@ public class RealmManager implements RealmImporter {
        realm.setOTPPolicy(OTPPolicy.DEFAULT_POLICY);

        realm.setEventsListeners(Collections.singleton("jboss-logging"));
+
+        realm.setPasswordPolicy(new PasswordPolicy("hashIterations(20000)"));
    }

    public boolean removeRealm(RealmModel realm) {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
@ -132,6 +132,26 @@ public class RealmTest extends AbstractAdminTest {
        Assert.assertNames(adminClient.realms().findAll(), "master", AuthRealm.TEST, REALM_NAME);
    }

+    @Test
+    public void createRealmCheckDefaultPasswordPolicy() {
+        RealmRepresentation rep = new RealmRepresentation();
+        rep.setRealm("new-realm");
+
+        adminClient.realms().create(rep);
+
+        assertEquals("hashIterations(20000)", adminClient.realm("new-realm").toRepresentation().getPasswordPolicy());
+
+        adminClient.realms().realm("new-realm").remove();
+
+        rep.setPasswordPolicy("length(8)");
+
+        adminClient.realms().create(rep);
+
+        assertEquals("length(8)", adminClient.realm("new-realm").toRepresentation().getPasswordPolicy());
+
+        adminClient.realms().realm("new-realm").remove();
+    }
+
    @Test
    public void createRealmFromJson() {
        RealmRepresentation rep = loadJson(getClass().getResourceAsStream("/admin-test/testrealm.json"), RealmRepresentation.class);
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AdapterTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/AdapterTest.java
@ -163,7 +163,7 @@ public class AdapterTest extends AbstractModelTest {
        user.updateCredential(cred);
        Assert.assertTrue(userProvider.validCredentials(session, realmModel, user, UserCredentialModel.password("geheim")));
        List<UserCredentialValueModel> creds = user.getCredentialsDirectly();
-        Assert.assertEquals(creds.get(0).getHashIterations(), 1);
+        Assert.assertEquals(creds.get(0).getHashIterations(), 20000);
        realmModel.setPasswordPolicy(new PasswordPolicy("hashIterations(200)"));
        Assert.assertTrue(userProvider.validCredentials(session, realmModel, user, UserCredentialModel.password("geheim")));
        creds = user.getCredentialsDirectly();