libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

KEYCLOAK-11700 Lower-case passwords before checking with password blacklist

Browse source
This commit is contained in:
stianst 2020-02-18 21:06:40 +01:00 committed by Stian Thorgersen
parent 06576a44c9
commit 9a3a358b96
2 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
server-spi-private/src/main/java/org/keycloak/policy/BlacklistPasswordPolicyProvider.java
View file

@ -45,7 +45,7 @@ public class BlacklistPasswordPolicyProvider implements PasswordPolicyProvider {
PasswordBlacklist blacklist = (FileBasedPasswordBlacklist) policyConfig; PasswordBlacklist blacklist = (FileBasedPasswordBlacklist) policyConfig;
if (!blacklist.contains(password)) { if (!blacklist.contains(password.toLowerCase())) {
return null; return null;
} }

1
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/policy/PasswordPolicyTest.java
View file

@ -154,6 +154,7 @@ public class PasswordPolicyTest extends AbstractKeycloakTest {
Assert.assertEquals(BlacklistPasswordPolicyProvider.ERROR_MESSAGE, policyManager.validate("jdoe", "blacklisted1").getMessage()); Assert.assertEquals(BlacklistPasswordPolicyProvider.ERROR_MESSAGE, policyManager.validate("jdoe", "blacklisted1").getMessage());
Assert.assertEquals(BlacklistPasswordPolicyProvider.ERROR_MESSAGE, policyManager.validate("jdoe", "blacklisted2").getMessage()); Assert.assertEquals(BlacklistPasswordPolicyProvider.ERROR_MESSAGE, policyManager.validate("jdoe", "blacklisted2").getMessage());
Assert.assertEquals(BlacklistPasswordPolicyProvider.ERROR_MESSAGE, policyManager.validate("jdoe", "bLaCkLiSteD2").getMessage());
assertNull(policyManager.validate("jdoe", "notblacklisted")); assertNull(policyManager.validate("jdoe", "notblacklisted"));
}); });
} }