KEYCLOAK-11700 Lower-case passwords before checking with password blacklist

2020-02-18 21:06:40 +01:00 · 2020-02-18 21:06:40 +01:00 · 9a3a358b96
commit 9a3a358b96
parent 06576a44c9
2 changed files with 2 additions and 1 deletions
--- a/server-spi-private/src/main/java/org/keycloak/policy/BlacklistPasswordPolicyProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/policy/BlacklistPasswordPolicyProvider.java
@ -45,7 +45,7 @@ public class BlacklistPasswordPolicyProvider implements PasswordPolicyProvider {

    PasswordBlacklist blacklist = (FileBasedPasswordBlacklist) policyConfig;

-    if (!blacklist.contains(password)) {
+    if (!blacklist.contains(password.toLowerCase())) {
      return null;
    }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/policy/PasswordPolicyTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/policy/PasswordPolicyTest.java
@ -154,6 +154,7 @@ public class PasswordPolicyTest extends AbstractKeycloakTest {

            Assert.assertEquals(BlacklistPasswordPolicyProvider.ERROR_MESSAGE, policyManager.validate("jdoe", "blacklisted1").getMessage());
            Assert.assertEquals(BlacklistPasswordPolicyProvider.ERROR_MESSAGE, policyManager.validate("jdoe", "blacklisted2").getMessage());
+            Assert.assertEquals(BlacklistPasswordPolicyProvider.ERROR_MESSAGE, policyManager.validate("jdoe", "bLaCkLiSteD2").getMessage());
            assertNull(policyManager.validate("jdoe", "notblacklisted"));
        });
    }