3103e0fd0a
* KEYCLOAK-5244 Add BlacklistPasswordPolicyProvider

  This introduces a new PasswordPolicy which can refer to a named predefined password-blacklist to avoid users choosing too-easy-to-guess passwords. The BlacklistPasswordPolicyProvider supports built-in as well as custom blacklists. Built-in blacklists use the form `default/filename` and custom ones `custom/filename`, where filename is the name of the found blacklist-filename.

  I'd propose to use some of the freely available password blacklists from the [SecLists](https://github.com/danielmiessler/SecLists/tree/master/Passwords) project. For testing purposes one can download the password blacklist

  ```
  wget -O 10_million_password_list_top_1000000.txt https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_1000000.txt?raw=true
  ```

  to /data/keycloak/blacklists/

  Custom password policies can be configured with the SPI configuration mechanism via jboss-cli:

  ```
  /subsystem=keycloak-server/spi=password-policy:add()
  /subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:add(enabled=true)
  /subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:write-attribute(name=properties.blacklistsFolderUri, value=file:///data/keycloak/blacklists/)
  ```

  Password blacklist is stored in a TreeSet.

* KEYCLOAK-5244 Encode PasswordBlacklist as a BloomFilter

  We now use a dynamically sized BloomFilter with a false positive probability of 1% as a backing store for PasswordBlacklists. The BloomFilter implementation is provided by google-guava, which is available in wildfly.

  Password blacklist files are now resolved against the ${jboss.server.data.dir}/password-blacklists. This can be overridden via system property, or SPI config. See JavaDoc of BlacklistPasswordPolicyProviderFactory for details.

  Revised implementation to be more extensible, e.g. it could be possible to use other stores like databases etc. Moved FileSystem-specific methods to FileBasesPasswordBlacklistPolicy.

  The PasswordBlacklistProvider uses the guava version 20.0 shipped with wildfly. Unfortunately the arquillian testsuite transitively depends on guava 23.0 via the selenium-3.5.1 dependency. Hence we need to use version 23.0 for tests but 20.0 for the policy provider to avoid NoClassDefFoundErrors in the server-dist.

  Configure password blacklist folder for tests

* KEYCLOAK-5244 Configure jboss.server.data.dir for test servers

* KEYCLOAK-5244 Translate blacklisted message in base/login
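The commit above replaces a TreeSet with a Guava BloomFilter sized for a 1% false positive probability. The following is an added example, not Keycloak's or Guava's code: a hand-rolled Bloom filter in Python that shows the sizing rule (bits and hash count derived from the entry count, which is what "dynamically sized" means here) and the one failure mode a practitioner should understand before using this structure as a blacklist. A Bloom filter never misses an entry that was inserted, so a listed password is always rejected; it occasionally flags a password that was never inserted, which the policy check below treats as a rejection, the safe direction for a blacklist. The double-hashing scheme (SHA-256 split into two 64-bit halves), the constructed sample lists, the exact-string matching with no case normalisation, and the function names `load_blacklist`, `is_password_allowed` and `false_positive_rate` are all assumptions of this example and not taken from the project.

```python
"""Bloom-filter-backed password blacklist (added illustration, not Keycloak's code).

Keycloak's provider delegates to Guava's BloomFilter; here the filter is
hand-rolled so the sizing rule and the failure mode are visible.
"""
import hashlib
import math
from typing import Iterable, Iterator


class BloomFilter:
    """Bit array probed at k positions per item, sized for n items at false positive rate fpp."""

    def __init__(self, expected_insertions: int, fpp: float = 0.01) -> None:
        if expected_insertions < 1 or not 0.0 < fpp < 1.0:
            raise ValueError("need expected_insertions >= 1 and 0 < fpp < 1")
        # Optimal sizing for n items at false positive rate p:
        #   m = -n ln p / (ln 2)^2 bits,  k = (m / n) ln 2 hash functions.
        self.m = math.ceil(-expected_insertions * math.log(fpp) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_insertions * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> Iterator[int]:
        # Kirsch-Mitzenmacher double hashing (assumed scheme): k indexes from two halves of one SHA-256.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so the k positions never collapse to one
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        # True for every item ever added (no false negatives); occasionally True
        # for an item that was not added (false positive, about fpp of the time).
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def load_blacklist(text: str, fpp: float = 0.01) -> BloomFilter:
    """Build a filter from a one-password-per-line list.

    The entry count drives the filter size ("dynamically sized"), then every
    entry is inserted. Entries are matched exactly as written; whether to
    normalise case is a policy choice this example deliberately does not make.
    """
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    bf = BloomFilter(len(entries), fpp)
    for entry in entries:
        bf.add(entry)
    return bf


def is_password_allowed(blacklist: BloomFilter, password: str) -> bool:
    """Policy check: a 'maybe blacklisted' answer is treated as blacklisted.

    Erring this way costs a user an occasional unnecessary rejection; the
    reverse error (accepting a listed password) cannot happen with this structure.
    """
    return not blacklist.might_contain(password)


def false_positive_rate(blacklist: BloomFilter, probes: Iterable[str]) -> float:
    """Fraction of probes (none of which were inserted) that the filter wrongly flags."""
    probes = list(probes)
    return sum(blacklist.might_contain(p) for p in probes) / len(probes)


# Constructed sample blacklist, standing in for a SecLists file.
SAMPLE_BLACKLIST = "123456\npassword\nqwerty\nletmein\n"


def demo_blacklist_text(n: int) -> str:
    """Constructed n-entry list, used to show the sizing and the measured error rate."""
    return "".join(f"pw-{i:05d}\n" for i in range(n))


if __name__ == "__main__":
    small = load_blacklist(SAMPLE_BLACKLIST)
    print("123456 allowed?", is_password_allowed(small, "123456"))  # listed passwords are always caught

    big = load_blacklist(demo_blacklist_text(1000))
    print(f"1000 entries at 1% -> {big.m} bits, {big.k} hashes")
    rate = false_positive_rate(big, (f"probe-{i:05d}" for i in range(2000)))
    print(f"measured false positive rate on 2000 unlisted probes: {rate:.3%}")
```

With 1000 entries and a 1% target the sizing rule gives 9586 bits and 7 hash functions, about 1.2 KB instead of a set of 1000 strings; the measured rate on unlisted probes lands near the 1% target, and those probes are the only passwords this check can ever get wrong.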
Files in this directory: `jboss/`, `services/`, `undertow/`, `pom.xml`, `README.md`
Keycloak Arquillian Integration TestSuite - Test Servers - Auth Server
Auth Server - JBoss
Common configurations of the Keycloak server on a JBoss-based container (Wildfly/EAP).
Submodules
wildfly (Wildfly 10)
- Builds the Keycloak server on top of the latest Wildfly.
- Activated by `-Pauth-server-wildfly`.
eap (EAP 7)
- Builds the Keycloak server on top of the latest EAP.
- Activated by `-Pauth-server-eap`.
- Requires access to the product repo.
- Requires additional properties: `product.version`, `product.unpacked.folder.name`.
Server dist vs overlay
By default the `keycloak-server-dist` artifact is used for the build. By setting `-Dserver-overlay=true` you can switch to the server overlay instead. See profile `server-overlay`.
JPA
Configures the Keycloak JDBC datasource in `standalone.xml`. See profile `jpa`.
SSL
Configures SSL in `standalone.xml`. See profile `ssl`.
Cluster
Configures in `standalone-ha.xml`:
- h2 datasource over TCP
- parameters of Keycloak Infinispan caches
See profile `auth-server-cluster`.
Auth Server - Undertow
Arquillian extension for running the Keycloak server in embedded Undertow.