KeyCloak自定义蛮力检测
我试图弄清楚可以在KeyCloak中创建自定义的蛮力检测吗?逻辑表明它们不符合要求,因此我必须扩展或创建自己的提供商。 例如,我需要的是X登录尝试失败后,应将用户阻止X分钟。用户解锁并再次失败后,我想指定y时间。在KeyCloak中,目前,该用户的X值将是相同的X值,因为他们有一些算法可以计算等待时间: 等待时间 *(countoffailures / maxfailures)该部门是一个整数划分到整数
,如果我设定10分钟,则最大第一个失败将是10分钟的失败,那么六分钟将是20分钟。
I am trying to figure out it is possible to create custom brute force detection in Keycloak? Logic that they have doesn't match requirements so I have to extend or create my own provider.
For example what I need is after X failed login attempts, user should be blocked X minutes. After user get unlocked and again failed I want to specify Y time. In Keycloak currently it going to be the same X value for that user because they have some algorithm to calculate wait time:
wait time * (countOfFailures / maxFailures) The division is an integer division rounded down to a whole number
and if i set 10 min max first 5 fails will be 10min fail, then on six one will be 20min.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我在此主题中由Quarkus KeyCloak 21.0.2进行了实验。
我们定制了LoginFormsSpi的Freemarker提供商。
keycloak.conf->
通过BruteForceProtector,它行不通!
我发现KeyCloak无法决定应使用哪种植入。
KeyCloak在 defaultKeyCloakSessionFactory.CheckProvider
,如果提供商包含“默认值”第一个解决方案工作,
。 3.-D解决方案工作。
如果您的提供商的订单方法返回> 0比您的提供商获胜
I have experimentalized by Quarkus Keycloak 21.0.2 in this theme.
We customized LoginFormsSpi's Freemarker provider.
keycloak.conf->
By BruteForceProtector it doesn't works!
I found that keycloak can't decide which implemetation should use.
Keycloak decide it in DefaultKeycloakSessionFactory.checkProvider
The first solution work's.
The 3.-d solution work's.
If your provider's order method return >0 than your provider wins
KeyCloak拥有一个名为
org.keycloak.services.managers.bruteforceprotectorspi您可以实现的SPI,但它在server> server> server> server> server-spi-private模块中由KeyCloak本身而不是扩展。我从未尝试过实现该模块的SPI。它可能根本不起作用,或者即使您设法使其正常工作,界面和使用方式可能会在未来版本中更改,而无需任何通知。编辑:
请记住,如果您要覆盖这样的服务提供商(KeyCloak期望一次仅具有一个IT活动的实例),则应在KeyCloak子系统下的Wildfly配置中定义它(我不喜欢't知道如何在最近的Quarkus版本中执行此操作,但是您可以理解这个想法),然后将其设置为默认提供商。这是我想添加自定义
localeSelector提供商时所做的事情:Keycloak has an SPI named
org.keycloak.services.managers.BruteForceProtectorSpithat you can implement but it's in theserver-spi-privatemodule which means it supposed to be used only by the Keycloak itself and not for being extended. I have never tried to implement an SPI of that module. It may not work at all or even if you manage to make it work, the interface and the way it's used may change in future versions without any notice.EDIT:
Remember if you're overwriting such a service provider (that Keycloak expect to have only one instance of it active at a time), you should define it in the WildFly configuration under keycloak subsystem (I don't know how to do it in the recent Quarkus versions, but you get the idea) and then set it as default provider. Here is what I did when I wanted to add a custom
LocaleSelectorprovider:解决方案
我刚刚创建了以下类:
然后在以下方式中指定它们:
meta-inf / services
,最后我们需要指定默认的protector spi :( standalone-ha.xml),
然后在服务器信息 /提供商下方,能够看到您的蛮力保护者:
SOLUTION
I just created these classes:
Then specify them in:
META-INF/services
And on the end we need to specify default Protector SPI: (standalone-ha.xml)
Then under the Server Info / Providers you are be able to see just your brute force protector:
