KEYCLOAK-2561 Fix issues with blank password
This commit is contained in:
mposolda
parent
d766c56eba
commit
e7a5b88b2d
6 changed files with 28 additions and 4 deletions
|
|
@ -86,7 +86,7 @@ public class Pbkdf2PasswordHashProvider implements PasswordHashProviderFactory,
|
|||
byte[] key = getSecretKeyFactory().generateSecret(spec).getEncoded();
|
||||
return Base64.encodeBytes(key);
|
||||
} catch (InvalidKeySpecException e) {
|
||||
throw new RuntimeException("Credential could not be encoded");
|
||||
throw new RuntimeException("Credential could not be encoded", e);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -101,7 +101,7 @@ public class Pbkdf2PasswordHashProvider implements PasswordHashProviderFactory,
|
|||
try {
|
||||
return SecretKeyFactory.getInstance(PBKDF2_ALGORITHM);
|
||||
} catch (NoSuchAlgorithmException e) {
|
||||
throw new RuntimeException("PBKDF2 algorithm not found");
|
||||
throw new RuntimeException("PBKDF2 algorithm not found", e);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -71,7 +71,7 @@ public class CredentialValidation {
|
|||
|
||||
|
||||
public static boolean validateHashedCredential(KeycloakSession session, RealmModel realm, UserModel user, String unhashedCredValue, UserCredentialValueModel credential) {
|
||||
if(unhashedCredValue == null){
|
||||
if (unhashedCredValue == null || unhashedCredValue.isEmpty()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -621,7 +621,7 @@ public class AccountService extends AbstractSecuredLocalService {
|
|||
}
|
||||
}
|
||||
|
||||
if (Validation.isEmpty(passwordNew)) {
|
||||
if (Validation.isBlank(passwordNew)) {
|
||||
setReferrerOnPage();
|
||||
return account.setError(Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -93,6 +93,7 @@ import org.keycloak.services.managers.BruteForceProtector;
|
|||
import org.keycloak.services.managers.UserSessionManager;
|
||||
import org.keycloak.services.resources.AccountService;
|
||||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.services.validation.Validation;
|
||||
|
||||
/**
|
||||
* Base resource for managing users
|
||||
|
|
@ -707,6 +708,9 @@ public class UsersResource {
|
|||
if (pass == null || pass.getValue() == null || !CredentialRepresentation.PASSWORD.equals(pass.getType())) {
|
||||
throw new BadRequestException("No password provided");
|
||||
}
|
||||
if (Validation.isBlank(pass.getValue())) {
|
||||
throw new BadRequestException("Empty password not allowed");
|
||||
}
|
||||
|
||||
UserCredentialModel cred = RepresentationToModel.convertCredential(pass);
|
||||
try {
|
||||
|
|
|
|||
|
|
@ -62,6 +62,9 @@ public class ChangePasswordTest extends AbstractAccountManagementTest {
|
|||
|
||||
testRealmChangePasswordPage.changePasswords(correctPassword, NEW_PASSWORD, NEW_PASSWORD + "-mismatch");
|
||||
assertAlertError();
|
||||
|
||||
testRealmChangePasswordPage.changePasswords(correctPassword, " ", " ");
|
||||
assertAlertError();
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
|||
|
|
@ -646,6 +646,23 @@ public class UserTest extends AbstractClientTest {
|
|||
assertEquals("Keycloak Account Management", driver.getTitle());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resetUserInvalidPassword() {
|
||||
String userId = createUser("user1", "user1@localhost");
|
||||
|
||||
try {
|
||||
CredentialRepresentation cred = new CredentialRepresentation();
|
||||
cred.setType(CredentialRepresentation.PASSWORD);
|
||||
cred.setValue(" ");
|
||||
cred.setTemporary(false);
|
||||
realm.users().get(userId).resetPassword(cred);
|
||||
fail("Expected failure");
|
||||
} catch (ClientErrorException e) {
|
||||
assertEquals(400, e.getResponse().getStatus());
|
||||
e.getResponse().close();
|
||||
}
|
||||
}
|
||||
|
||||
private void switchEditUsernameAllowedOn() {
|
||||
RealmRepresentation rep = realm.toRepresentation();
|
||||
rep.setEditUsernameAllowed(true);
|
||||
|
|
|
|||
Loading…
Reference in a new issue