Merge pull request #1744 from stianst/kc-1973
KEYCLOAK-1973 Clear user from authentication context if password is n…
d8e90028af
4 changed files with 64 additions and 4 deletions
@ -32,6 +32,11 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon
|
|||
*/
|
||||
void setUser(UserModel user);
|
||||
|
||||
/**
|
||||
* Clear the user from the flow.
|
||||
*/
|
||||
void clearUser();
|
||||
|
||||
void attachUserSession(UserSessionModel userSession);
|
||||
|
||||
|
||||
|
|
|
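Review bot: The Javadoc added for `clearUser()` says what the method is named but not when an authenticator is expected to call it or what state it resets, which is the part a new implementor of this interface needs. Since the other hunks in this commit call it right after a failed credential check and the processor implementation nulls the client session's authenticated user, the comment could say so: `* Detach the user previously attached with {@link #setUser(UserModel)}, e.g. after a failed credential check, so that a later submission in the same flow is not evaluated against a stale identity.` This is inferred from the callers in the same commit rather than from the interface itself.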
@ -215,6 +215,9 @@ public class AuthenticationProcessor {
|
|||
getClientSession().setAuthenticatedUser(user);
|
||||
}
|
||||
|
||||
public void clearAuthenticatedUser() {
|
||||
getClientSession().setAuthenticatedUser(null);
|
||||
}
|
||||
|
||||
public class Result implements AuthenticationFlowContext, ClientAuthenticationFlowContext {
|
||||
AuthenticatorConfigModel authenticatorConfig;
|
||||
|
@ -332,6 +335,8 @@ public class AuthenticationProcessor {
|
|||
|
||||
}
|
||||
|
||||
|
||||
|
||||
@Override
|
||||
public UserModel getUser() {
|
||||
return getClientSession().getAuthenticatedUser();
|
||||
|
@ -342,6 +347,11 @@ public class AuthenticationProcessor {
|
|||
setAutheticatedUser(user);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void clearUser() {
|
||||
clearAuthenticatedUser();
|
||||
}
|
||||
|
||||
@Override
|
||||
public RealmModel getRealm() {
|
||||
return AuthenticationProcessor.this.getRealm();
|
||||
|
|
|
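Review bot: `clearAuthenticatedUser()` is a new public method on `AuthenticationProcessor` with no Javadoc, and `Result.clearUser()` just delegates to it, so the only place its contract could be documented is here. It resets exactly one thing, `getClientSession().setAuthenticatedUser(null)`; if the flow keeps any other user-derived state (notes, attached sessions) that is not visible in this hunk, it is not touched, and a reader should not assume otherwise. Suggest `/** Detaches the user set via {@code setAutheticatedUser} by clearing the client session's authenticated user; other flow state is left untouched. */` above the method at the `public void clearAuthenticatedUser()` line. The enclosing class continues outside the hunk.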
@ -140,6 +140,7 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
|
|||
context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
|
||||
Response challengeResponse = invalidCredentials(context);
|
||||
context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
|
||||
context.clearUser();
|
||||
return false;
|
||||
}
|
||||
credentials.add(UserCredentialModel.password(password));
|
||||
|
@ -149,6 +150,7 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
|
|||
context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
|
||||
Response challengeResponse = invalidCredentials(context);
|
||||
context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
|
||||
context.clearUser();
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
|
|
|
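Review bot: The two invalid-password branches now carry the same four statements verbatim (`context.getEvent().error(...)`, `invalidCredentials(context)`, `context.failureChallenge(...)`, `context.clearUser()`), which is the shape of the KEYCLOAK-1973 bug itself: the clear had to be added in two places, and a third failure path in this class would silently miss it. A private helper keeps the clear tied to the failure challenge so it cannot be forgotten again; the enclosing method starts and ends outside these hunks, and the type of `context` is assumed to be `AuthenticationFlowContext` (the interface that gained `clearUser()` in this commit), which should be confirmed against the method signature.
```java
// … unchanged: user lookup and password retrieval …
if (password == null) {
    return failInvalidCredentials(context);
}
// … unchanged: credentials.add(UserCredentialModel.password(password)); validation …
if (!valid) {
    return failInvalidCredentials(context);
}
return true;

/** Records the failure event, issues the challenge and detaches the user; always returns false. */
private boolean failInvalidCredentials(AuthenticationFlowContext context) {
    context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
    Response challengeResponse = invalidCredentials(context);
    context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
    context.clearUser();
    return false;
}
```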
@ -66,19 +66,28 @@ public class LoginTest {
|
|||
|
||||
@ClassRule
|
||||
public static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() {
|
||||
|
||||
@Override
|
||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||
UserCredentialModel creds = new UserCredentialModel();
|
||||
creds.setType(CredentialRepresentation.PASSWORD);
|
||||
creds.setValue("password");
|
||||
|
||||
UserModel user = manager.getSession().users().addUser(appRealm, "login-test");
|
||||
user.setEmail("login@test.com");
|
||||
user.setEnabled(true);
|
||||
|
||||
userId = user.getId();
|
||||
|
||||
UserCredentialModel creds = new UserCredentialModel();
|
||||
creds.setType(CredentialRepresentation.PASSWORD);
|
||||
creds.setValue("password");
|
||||
|
||||
user.updateCredential(creds);
|
||||
|
||||
UserModel user2 = manager.getSession().users().addUser(appRealm, "login-test2");
|
||||
user2.setEmail("login2@test.com");
|
||||
user2.setEnabled(true);
|
||||
|
||||
user2Id = user2.getId();
|
||||
|
||||
user2.updateCredential(creds);
|
||||
}
|
||||
});
|
||||
|
||||
|
@ -108,6 +117,8 @@ public class LoginTest {
|
|||
|
||||
private static String userId;
|
||||
|
||||
private static String user2Id;
|
||||
|
||||
@Test
|
||||
public void testBrowserSecurityHeaders() {
|
||||
Client client = ClientBuilder.newClient();
|
||||
|
@ -122,6 +133,31 @@ public class LoginTest {
|
|||
response.close();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loginChangeUserAfterInvalidPassword() {
|
||||
loginPage.open();
|
||||
loginPage.login("login-test2", "invalid");
|
||||
|
||||
loginPage.assertCurrent();
|
||||
|
||||
Assert.assertEquals("login-test2", loginPage.getUsername());
|
||||
Assert.assertEquals("", loginPage.getPassword());
|
||||
|
||||
Assert.assertEquals("Invalid username or password.", loginPage.getError());
|
||||
|
||||
events.expectLogin().user(user2Id).session((String) null).error("invalid_user_credentials")
|
||||
.detail(Details.USERNAME, "login-test2")
|
||||
.removeDetail(Details.CONSENT)
|
||||
.assertEvent();
|
||||
|
||||
loginPage.login("login-test", "password");
|
||||
|
||||
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||
Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
|
||||
|
||||
events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loginInvalidPassword() {
|
||||
loginPage.open();
|
||||
|
@ -247,6 +283,13 @@ public class LoginTest {
|
|||
.detail(Details.USERNAME, "invalid")
|
||||
.removeDetail(Details.CONSENT)
|
||||
.assertEvent();
|
||||
|
||||
loginPage.login("login-test", "password");
|
||||
|
||||
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||
Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
|
||||
|
||||
events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
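Review bot: In `loginChangeUserAfterInvalidPassword` the assertion that actually proves the fix is `events.expectLogin().user(userId)` after the second login, since a regression would record the success for `user2Id` (the user left attached by the failed attempt), but nothing in the method says that is the point of the test. A one-line comment above that assertion would keep the intent from being lost if the event assertions are later simplified: `// KEYCLOAK-1973: the failed login-test2 attempt must not leave that user attached, so the success must be recorded for login-test`. The earlier `Assert.assertEquals("login-test2", loginPage.getUsername())` checks only what the form re-renders and does not cover the regression on its own.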