Package org.keycloak.policy

Class BlacklistPasswordPolicyProviderFactory

java.lang.Object

org.keycloak.policy.BlacklistPasswordPolicyProviderFactory

All Implemented Interfaces:

PasswordPolicyProviderFactory, ProviderFactory<PasswordPolicyProvider>

public class BlacklistPasswordPolicyProviderFactory
extends Object
implements PasswordPolicyProviderFactory

Creates BlacklistPasswordPolicyProvider instances.

Password blacklists are simple text files where every line is a blacklisted password delimited by \n. Blacklist files are discovered and registered at startup.

Blacklists can be configured via the Authentication: Password Policy section in the admin-console. A blacklist-file is referred to by its name in the policy configuration.

Users can provide custom blacklists by adding a blacklist password file to the configured blacklist folder.

The location of the password-blacklists folder is derived as follows

1. the value of the System property keycloak.password.blacklists.path if configured - fails if folder is missing
2. the value of the SPI config property: blacklistsPath when explicitly configured - fails if folder is missing
3. otherwise ${jboss.server.data.dir}/password-blacklists/ if nothing else is configured - the folder is created automatically if not present

Note that the preferred way for configuration is to copy the password file to the ${jboss.server.data.dir}/password-blacklists/ folder

To configure a password blacklist via the SPI configuration, run the following jboss-cli script:

 /subsystem=keycloak-server/spi=password-policy:add()
 /subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:add(enabled=true)
 /subsystem=keycloak-server/spi=password-policy/provider=passwordBlacklist:write-attribute(name=properties.blacklistsPath, value=/data/keycloak/blacklists/)
 

A password blacklist with the filename 10_million_password_list_top_1000000-password-blacklist.txt that is located beneath /data/keycloak/blacklists/ can be referred to as 10_million_password_list_top_1000000-password-blacklist.txt in the Authentication: Password Policy configuration.

Author:

Thomas Darimont

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	BlacklistPasswordPolicyProviderFactory.FileBasedPasswordBlacklist	A BlacklistPasswordPolicyProviderFactory.FileBasedPasswordBlacklist uses password-blacklist files as to construct a BlacklistPasswordPolicyProviderFactory.PasswordBlacklist.
static interface	BlacklistPasswordPolicyProviderFactory.PasswordBlacklist	A BlacklistPasswordPolicyProviderFactory.PasswordBlacklist describes a list of too easy to guess or potentially leaked passwords that users should not be able to use.

Field Summary

Fields

Modifier and Type	Field	Description
static String	BLACKLISTS_PATH_PROPERTY
static String	ID
static String	JBOSS_SERVER_DATA_DIR
static String	PASSWORD_BLACKLISTS_FOLDER
static String	SYSTEM_PROPERTY

Constructor Summary

Constructors

Constructor	Description
BlacklistPasswordPolicyProviderFactory()

Method Summary

Modifier and Type	Method	Description
void	close()
PasswordPolicyProvider	create(KeycloakSession session)
String	getConfigType()
String	getDefaultConfigValue()
String	getDisplayName()
String	getId()
void	init(Config.Scope config)
boolean	isMultiplSupported()
void	postInit(KeycloakSessionFactory factory)
BlacklistPasswordPolicyProviderFactory.PasswordBlacklist	resolvePasswordBlacklist(String blacklistName)	Resolves and potentially registers a BlacklistPasswordPolicyProviderFactory.PasswordBlacklist for the given blacklistName.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.provider.ProviderFactory

order

Field Detail

ID

public static final String ID

See Also:

Constant Field Values

SYSTEM_PROPERTY

public static final String SYSTEM_PROPERTY

See Also:

Constant Field Values

BLACKLISTS_PATH_PROPERTY

public static final String BLACKLISTS_PATH_PROPERTY

See Also:

Constant Field Values

JBOSS_SERVER_DATA_DIR

public static final String JBOSS_SERVER_DATA_DIR

See Also:

Constant Field Values

PASSWORD_BLACKLISTS_FOLDER

public static final String PASSWORD_BLACKLISTS_FOLDER

See Also:

Constant Field Values

Constructor Detail

BlacklistPasswordPolicyProviderFactory

public BlacklistPasswordPolicyProviderFactory()

Method Detail

create

public PasswordPolicyProvider create(KeycloakSession session)

Specified by:

create in interface ProviderFactory<PasswordPolicyProvider>

init

public void init(Config.Scope config)

Specified by:

init in interface ProviderFactory<PasswordPolicyProvider>

postInit

public void postInit(KeycloakSessionFactory factory)

Specified by:

postInit in interface ProviderFactory<PasswordPolicyProvider>

close

public void close()

Specified by:

close in interface ProviderFactory<PasswordPolicyProvider>

getDisplayName

public String getDisplayName()

Specified by:

getDisplayName in interface PasswordPolicyProviderFactory

getConfigType

public String getConfigType()

Specified by:

getConfigType in interface PasswordPolicyProviderFactory

getDefaultConfigValue

public String getDefaultConfigValue()

Specified by:

getDefaultConfigValue in interface PasswordPolicyProviderFactory

isMultiplSupported

public boolean isMultiplSupported()

Specified by:

isMultiplSupported in interface PasswordPolicyProviderFactory

getId

public String getId()

Specified by:

getId in interface ProviderFactory<PasswordPolicyProvider>

resolvePasswordBlacklist

public BlacklistPasswordPolicyProviderFactory.PasswordBlacklist resolvePasswordBlacklist(String blacklistName)

Resolves and potentially registers a BlacklistPasswordPolicyProviderFactory.PasswordBlacklist for the given blacklistName.

Parameters:

blacklistName -

Returns: