3103e0fd0a
* KEYCLOAK-5244 Add BlacklistPasswordPolicyProvider This introduces a new PasswordPolicy which can refer to a named predefined password-blacklist to avoid users choosing too easy to guess passwords. The BlacklistPasswordPolicyProvider supports built-in as well as custom blacklists. built-in blacklists use the form `default/filename` and custom ones `custom/filename`, where filename is the name of the found blacklist-filename. I'd propose to use some of the freely available password blacklists from the [SecLists](https://github.com/danielmiessler/SecLists/tree/master/Passwords) project. For testing purposes one can download the password blacklist ``` wget -O 10_million_password_list_top_1000000.txt https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_1000000.txt?raw=true ``` to /data/keycloak/blacklists/ Custom password policies can be configured with the SPI configuration mechanism via jboss-cli: ``` /subsystem=keycloak-server/spi=password-policy:add() /subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:add(enabled=true) /subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:write-attribute(name=properties.blacklistsFolderUri, value=file:///data/keycloak/blacklists/) ``` Password blacklist is stored in a TreeSet. * KEYCLOAK-5244 Encode PasswordBlacklist as a BloomFilter We now use a dynamically sized BloomFilter with a false positive probability of 1% as a backing store for PasswordBlacklists. BloomFilter implementation is provided by google-guava which is available in wildfly. Password blacklist files are now resolved against the ${jboss.server.data.dir}/password-blacklists. This can be overridden via system property, or SPI config. See JavaDoc of BlacklistPasswordPolicyProviderFactory for details. Revised implementation to be more extensible, e.g. it could be possible to use other stores like databases etc. Moved FileSystem specific methods to FileBasesPasswordBlacklistPolicy. The PasswordBlacklistProvider uses the guava version 20.0 shipped with wildfly. Unfortunately the arquillian testsuite transitively depends on guava 23.0 via the selenium-3.5.1 dependency. Hence we need to use version 23.0 for tests but 20.0 for the policy provider to avoid NoClassDefFoundErrors in the server-dist. Configure password blacklist folder for tests * KEYCLOAK-5244 Configure jboss.server.data.dir for test servers * KEYCLOAK-5244 Translate blacklisted message in base/login
103 lines
3.6 KiB
XML
Executable file
103 lines
3.6 KiB
XML
Executable file
<?xml version="1.0"?>
|
|
<!--
|
|
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
|
|
~ and other contributors as indicated by the @author tags.
|
|
~
|
|
~ Licensed under the Apache License, Version 2.0 (the "License");
|
|
~ you may not use this file except in compliance with the License.
|
|
~ You may obtain a copy of the License at
|
|
~
|
|
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
~
|
|
~ Unless required by applicable law or agreed to in writing, software
|
|
~ distributed under the License is distributed on an "AS IS" BASIS,
|
|
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
~ See the License for the specific language governing permissions and
|
|
~ limitations under the License.
|
|
-->
|
|
|
|
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
|
<parent>
|
|
<artifactId>keycloak-parent</artifactId>
|
|
<groupId>org.keycloak</groupId>
|
|
<version>3.4.0.CR1-SNAPSHOT</version>
|
|
<relativePath>../pom.xml</relativePath>
|
|
</parent>
|
|
<modelVersion>4.0.0</modelVersion>
|
|
|
|
<artifactId>keycloak-server-spi-private</artifactId>
|
|
<name>Keycloak Server Private SPI</name>
|
|
<description/>
|
|
|
|
<properties>
|
|
<maven.compiler.target>1.8</maven.compiler.target>
|
|
<maven.compiler.source>1.8</maven.compiler.source>
|
|
</properties>
|
|
|
|
<dependencies>
|
|
<dependency>
|
|
<groupId>org.keycloak</groupId>
|
|
<artifactId>keycloak-server-spi</artifactId>
|
|
<scope>provided</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.jboss.spec.javax.transaction</groupId>
|
|
<artifactId>jboss-transaction-api_1.2_spec</artifactId>
|
|
<scope>provided</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.jboss.resteasy</groupId>
|
|
<artifactId>resteasy-jaxrs</artifactId>
|
|
<scope>provided</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.bouncycastle</groupId>
|
|
<artifactId>bcprov-jdk15on</artifactId>
|
|
<scope>provided</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.bouncycastle</groupId>
|
|
<artifactId>bcpkix-jdk15on</artifactId>
|
|
<scope>provided</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.keycloak</groupId>
|
|
<artifactId>keycloak-core</artifactId>
|
|
<scope>provided</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.jboss.logging</groupId>
|
|
<artifactId>jboss-logging</artifactId>
|
|
<scope>provided</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.httpcomponents</groupId>
|
|
<artifactId>httpclient</artifactId>
|
|
<scope>provided</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.google.guava</groupId>
|
|
<artifactId>guava</artifactId>
|
|
<scope>provided</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>junit</groupId>
|
|
<artifactId>junit</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
</dependencies>
|
|
<build>
|
|
<plugins>
|
|
<plugin>
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
<artifactId>maven-compiler-plugin</artifactId>
|
|
<configuration>
|
|
<source>${maven.compiler.source}</source>
|
|
<target>${maven.compiler.target}</target>
|
|
</configuration>
|
|
</plugin>
|
|
</plugins>
|
|
</build>
|
|
|
|
</project>
|