diff --git a/services/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java b/services/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java
index b477c9c..d3d9b60 100644
--- a/services/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java
+++ b/services/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java
@@ -64,7 +64,7 @@ public class Pbkdf2PasswordHashProvider implements PasswordHashProviderFactory,
@Override
public boolean policyCheck(PasswordPolicy policy, CredentialModel credential) {
- return credential.getHashIterations() == policy.getHashIterations() && PBKDF2_ALGORITHM.equals(credential.getAlgorithm());
+ return credential.getHashIterations() == policy.getHashIterations() && ID.equals(credential.getAlgorithm());
}
@Override
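Review bot: The new `ID.equals(credential.getAlgorithm())` on the returned line compares the stored algorithm field against the provider id, where the removed line compared it against `PBKDF2_ALGORITHM`; if any credential was persisted with the `PBKDF2_ALGORITHM` value before this change, `policyCheck` now returns false for it, which presumably causes it to be re-hashed or treated as out of policy (depends on what `encode` writes, which is outside the hunk, so confirm against it). The method has no documentation of that contract, so add a Javadoc such as `/** Returns true only when the credential was produced by this provider (algorithm field equals {@code ID}) with the policy's iteration count; any other algorithm value, including null, fails the check. */`. `policyCheck` is fully contained in the hunk.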
diff --git a/services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtector.java b/services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtector.java
index 67d3dc9..2e809d1 100644
--- a/services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtector.java
+++ b/services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtector.java
@@ -53,19 +53,6 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
protected LinkedBlockingQueue<LoginEvent> queue = new LinkedBlockingQueue<LoginEvent>();
public static final int TRANSACTION_SIZE = 20;
- public static volatile int markNotBefore = -1;
- public static volatile int markCheck = -1;
- public static volatile int testCount = 0;
- public static volatile int clearCount = 0;
- public static volatile int nullFailureCount = 0;
- public static volatile int logFailureCalled = 0;
- public static volatile int logFailure = 0;
- public static volatile int didntWait = 0;
- public static volatile int exception = 0;
- public static volatile Exception exceptionObject = null;
- public static volatile String notFoundUserId = null;
-
-
protected abstract class LoginEvent implements Comparable<LoginEvent> {
protected final String realmId;
protected final String userId;
@@ -103,7 +90,6 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
public void failure(KeycloakSession session, LoginEvent event) {
logger.debug("failure");
- logFailureCalled++;
RealmModel realm = getRealmModel(session, event);
logFailure(event);
@@ -111,7 +97,6 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
UserModel user = session.users().getUserById(userId, realm);
UserLoginFailureModel userLoginFailure = getUserModel(session, event);
if (user != null) {
- logFailure++;
if (userLoginFailure == null) {
userLoginFailure = session.sessions().addUserLoginFailure(realm, userId);
}
@@ -126,7 +111,6 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
if (deltaTime > 0) {
// if last failure was more than MAX_DELTA clear failures
if (deltaTime > (long) realm.getMaxDeltaTimeSeconds() * 1000L) {
- clearCount++;
userLoginFailure.clearFailures();
}
}
@@ -147,12 +131,8 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
waitSeconds = Math.min(realm.getMaxFailureWaitSeconds(), waitSeconds);
int notBefore = (int) (currentTime / 1000) + waitSeconds;
logger.debugv("set notBefore: {0}", notBefore);
- markNotBefore = notBefore;
userLoginFailure.setFailedLoginNotBefore(notBefore);
}
- } else {
- notFoundUserId = event.userId;
-
}
}
@@ -210,8 +190,6 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
}
session.getTransactionManager().commit();
} catch (Exception e) {
- exception++;
- exceptionObject = e;
session.getTransactionManager().rollback();
throw e;
} finally {
@@ -258,13 +236,8 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
// wait a minimum of seconds for type to process so that a hacker
// cannot flood with failed logins and overwhelm the queue and not have notBefore updated to block next requests
// todo failure HTTP responses should be queued via async HTTP
- boolean awaited =
- event.latch.await(5, TimeUnit.SECONDS);
- if (!awaited) {
- didntWait++;
- }
+ event.latch.await(5, TimeUnit.SECONDS);
} catch (InterruptedException e) {
- didntWait++;
}
logger.trace("sent failure event");
}
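Review bot: The `catch (InterruptedException e)` block near the end of the hunk is now empty, so an interrupt is swallowed and the thread's interrupt status is lost; re-assert it with `Thread.currentThread().interrupt();`. The result of `event.latch.await(5, TimeUnit.SECONDS)` is also discarded, so the timeout case, the very situation the comment above describes as the flood concern (queue overwhelmed before notBefore is updated), proceeds silently and `logger.trace("sent failure event")` is logged regardless. Keeping the boolean, e.g. `if (!event.latch.await(5, TimeUnit.SECONDS)) { logger.debug("failure event not processed within the wait timeout"); }`, makes a saturated queue visible to operators without changing control flow. The enclosing method and its try block start before the hunk.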
@@ -274,19 +247,12 @@ public class DefaultBruteForceProtector implements Runnable, BruteForceProtector
UserLoginFailureModel failure = session.sessions().getUserLoginFailure(realm, user.getId());
if (failure != null) {
- int currTime = markCheck = (int) (Time.currentTimeMillis() / 1000);
+ int currTime = (int) (Time.currentTimeMillis() / 1000);
int failedLoginNotBefore = failure.getFailedLoginNotBefore();
- testCount++;
if (currTime < failedLoginNotBefore) {
logger.debugv("Current: {0} notBefore: {1}", currTime, failedLoginNotBefore);
return true;
- } else if (failedLoginNotBefore > 0){
- logger.debugv("failedLoginNotBefore > 0 Current: {0} notBefore: {1}", currTime, failedLoginNotBefore);
}
- } else {
- logger.debugv("failure was null");
- nullFailureCount++;
-
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
index f8fbb91..31c297f 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
@@ -173,7 +173,6 @@ public class BruteForceTest extends TestRealmKeycloakTest {
@Test
public void testGrantInvalidOtp() throws Exception {
- clearVariables();
{
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);
@@ -215,40 +214,14 @@ public class BruteForceTest extends TestRealmKeycloakTest {
}
- public void clearVariables() {
- DefaultBruteForceProtector.testCount = 0;
- DefaultBruteForceProtector.markNotBefore = -1;
- DefaultBruteForceProtector.markCheck = -1;
- DefaultBruteForceProtector.testCount = 0;
- DefaultBruteForceProtector.clearCount = 0;
- DefaultBruteForceProtector.logFailure = 0;
- DefaultBruteForceProtector.logFailureCalled = 0;
- DefaultBruteForceProtector.didntWait = 0;
- DefaultBruteForceProtector.nullFailureCount = 0;
- DefaultBruteForceProtector.notFoundUserId = null;
- }
-
public void assertTokenNull(OAuthClient.AccessTokenResponse response) {
- if (response.getAccessToken() != null) {
- if (DefaultBruteForceProtector.exceptionObject != null) {
- DefaultBruteForceProtector.exceptionObject.printStackTrace();
- }
- }
- Assert.assertNull("was mark set: " + DefaultBruteForceProtector.markNotBefore + " time test: " + DefaultBruteForceProtector.markCheck
- + " test count " + DefaultBruteForceProtector.testCount
- + " nullFailure: " + DefaultBruteForceProtector.nullFailureCount
- + " logFailureCalled: " + DefaultBruteForceProtector.logFailureCalled
- + " logFailure: " + DefaultBruteForceProtector.logFailure
- + " notFoundUserId: " + DefaultBruteForceProtector.notFoundUserId
- + " exception: " + DefaultBruteForceProtector.exception
- , response.getAccessToken());
+ Assert.assertNull(response.getAccessToken());
}
@Test
public void testGrantMissingOtp() throws Exception {
- clearVariables();
{
String totpSecret = totp.generateTOTP("totpSecret");
OAuthClient.AccessTokenResponse response = getTestToken("password", totpSecret);