Merge pull request #1744 from stianst/kc-1973

KEYCLOAK-1973 Clear user from authentication context is password is n…
Stian Thorgersen 2015-10-16 12:52:46 +02:00
commit d8e90028af
4 changed files with 64 additions and 4 deletions


@ -32,6 +32,11 @@ public interface AuthenticationFlowContext extends AbstractAuthenticationFlowCon
*/
void setUser(UserModel user);
/**
* Clear the user from the flow.
*/
void clearUser();
void attachUserSession(UserSessionModel userSession);
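Review bot: The Javadoc on the new `clearUser()` says what it does but not when an authenticator is obliged to call it, which is the security-relevant part of this change. I would expand it to `Clear the user from the flow. Authenticators must call this when a credential check fails after setUser(), so the client session does not keep an authenticated user that later authenticators or a retried login with a different username could act on.` Adding an abstract method to this public interface also breaks any out-of-tree `AuthenticationFlowContext` implementation; if that is a supported extension point, the API change deserves a mention in the commit description.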


@ -215,6 +215,9 @@ public class AuthenticationProcessor {
getClientSession().setAuthenticatedUser(user);
}
public void clearAuthenticatedUser() {
getClientSession().setAuthenticatedUser(null);
}
public class Result implements AuthenticationFlowContext, ClientAuthenticationFlowContext {
AuthenticatorConfigModel authenticatorConfig;
@ -332,6 +335,8 @@ public class AuthenticationProcessor {
}
@Override
public UserModel getUser() {
return getClientSession().getAuthenticatedUser();
@ -342,6 +347,11 @@ public class AuthenticationProcessor {
setAutheticatedUser(user);
}
@Override
public void clearUser() {
clearAuthenticatedUser();
}
@Override
public RealmModel getRealm() {
return AuthenticationProcessor.this.getRealm();
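Review bot: The new `clearAuthenticatedUser()` (and the `Result.clearUser()` override that delegates to it) has no Javadoc, and its scope is narrower than the name suggests: the visible body only resets the client session's authenticated user, so any other per-user state an authenticator may have attached to the session is left as is. I cannot tell from these hunks whether such state exists, but the method should state its scope so callers do not assume a full reset, e.g. `/** Detach the authenticated user from the client session after a failed credential check; only the client session's authenticated user is reset. */`. The `Result` class continues outside the hunks, so I cannot see whether other members of it cache the user independently of `getClientSession().getAuthenticatedUser()`; if any do, `clearUser()` should reset them too.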


@ -140,6 +140,7 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
Response challengeResponse = invalidCredentials(context);
context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
context.clearUser();
return false;
}
credentials.add(UserCredentialModel.password(password));
@ -149,6 +150,7 @@ public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuth
context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
Response challengeResponse = invalidCredentials(context);
context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
context.clearUser();
return false;
}
return true;
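Review bot: `context.clearUser()` is placed after `failureChallenge(...)` in both branches, and that order matters if `invalidCredentials(context)` or the failure challenge reads `context.getUser()` (for the event or the re-rendered form); a short comment would keep it from being reordered later, e.g. `// clear only after the challenge is built: drops the user from the client session so a retry with another username starts clean`. The enclosing method starts before the first hunk and ends after the second, so I cannot see whether other early `return false` paths in this class (a disabled or temporarily locked user, if handled here) still leave the user bound to the session; any such path needs the same `context.clearUser()` call. Consider folding the challenge-plus-clear sequence into one private helper so future failure paths cannot forget the clear.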


@ -66,19 +66,28 @@ public class LoginTest {
@ClassRule
public static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() {
@Override
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
UserCredentialModel creds = new UserCredentialModel();
creds.setType(CredentialRepresentation.PASSWORD);
creds.setValue("password");
UserModel user = manager.getSession().users().addUser(appRealm, "login-test");
user.setEmail("login@test.com");
user.setEnabled(true);
userId = user.getId();
UserCredentialModel creds = new UserCredentialModel();
creds.setType(CredentialRepresentation.PASSWORD);
creds.setValue("password");
user.updateCredential(creds);
UserModel user2 = manager.getSession().users().addUser(appRealm, "login-test2");
user2.setEmail("login2@test.com");
user2.setEnabled(true);
user2Id = user2.getId();
user2.updateCredential(creds);
}
});
@ -108,6 +117,8 @@ public class LoginTest {
private static String userId;
private static String user2Id;
@Test
public void testBrowserSecurityHeaders() {
Client client = ClientBuilder.newClient();
@ -122,6 +133,31 @@ public class LoginTest {
response.close();
}
@Test
public void loginChangeUserAfterInvalidPassword() {
loginPage.open();
loginPage.login("login-test2", "invalid");
loginPage.assertCurrent();
Assert.assertEquals("login-test2", loginPage.getUsername());
Assert.assertEquals("", loginPage.getPassword());
Assert.assertEquals("Invalid username or password.", loginPage.getError());
events.expectLogin().user(user2Id).session((String) null).error("invalid_user_credentials")
.detail(Details.USERNAME, "login-test2")
.removeDetail(Details.CONSENT)
.assertEvent();
loginPage.login("login-test", "password");
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();
}
@Test
public void loginInvalidPassword() {
loginPage.open();
@ -247,6 +283,13 @@ public class LoginTest {
.detail(Details.USERNAME, "invalid")
.removeDetail(Details.CONSENT)
.assertEvent();
loginPage.login("login-test", "password");
Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();
}
@Test