KEYCLOAK-14872 CL DoS
- read-timeout of the HTTP listener set to 30000 ms
- read-timeout of the HTTPS listener set to 30000 ms
- max-pool-size of the KeycloakDS datasource set to 100 connections
tkyjovsk authored and stianst committed Aug 21, 2020
1 parent c740ec4 commit bee4ca8
Showing 6 changed files with 85 additions and 2 deletions.
Expand Up @@ -695,6 +695,26 @@ if (result != fixed) of /profile=$clusteredProfile/subsystem=keycloak-server/spi
end-try
end-if

# Migrate from 8.0.0 to 9.0.5

if (result == 120000 || result == undefined) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=read-timeout)
echo Updating value of http listener read-timeout.
/profile=$clusteredProfile/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000)
echo
end-if

if (result == 120000 || result == undefined) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/https-listener=https/:read-attribute(name=read-timeout)
echo Updating value of https listener read-timeout.
/profile=$clusteredProfile/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000)
echo
end-if

if (result == 20 || result == undefined) of /profile=$clusteredProfile/subsystem=datasources/data-source=KeycloakDS/:read-attribute(name=max-pool-size)
echo Updating value of datasource max-pool-size.
/profile=$clusteredProfile/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100)
echo
end-if

# Migrate from 10.0.2 to 11.0.0 (migration changes for infinispan update from 9.4.18.Final to 10.1.8.Final)

if (result != org.keycloak.keycloak-model-infinispan) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak:read-attribute(name=module)
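Review bot: The two write-attribute lines harden only the `default` http-listener and the `https` https-listener of `default-server`, so any additional listener in the profile keeps its previous read behaviour — the shipped undertow template carries an `<?AJP?>` placeholder, and an ajp-listener substituted there would presumably stay unbounded. Consider a matching conditional write for an ajp-listener when one is present, or state the limitation in the section comment. The `# Migrate from 8.0.0 to 9.0.5` heading also records no rationale; a line such as `# KEYCLOAK-14872: bound stalled socket reads to 30 s and raise the DB pool to 100 connections (DoS hardening)` would tell the next maintainer why these values were chosen. This hunk is a fragment of a longer migration script; the sections before and after it are outside the view.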
Expand Up @@ -596,6 +596,26 @@ if (result != fixed) of /profile=$standaloneProfile/subsystem=keycloak-server/sp
end-try
end-if

# Migrate from 8.0.0 to 9.0.5

if (result == 120000 || result == undefined) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=read-timeout)
echo Updating value of http listener read-timeout.
/profile=$standaloneProfile/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000)
echo
end-if

if (result == 120000 || result == undefined) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/https-listener=https/:read-attribute(name=read-timeout)
echo Updating value of https listener read-timeout.
/profile=$standaloneProfile/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000)
echo
end-if

if (result == 20 || result == undefined) of /profile=$standaloneProfile/subsystem=datasources/data-source=KeycloakDS/:read-attribute(name=max-pool-size)
echo Updating value of datasource max-pool-size.
/profile=$standaloneProfile/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100)
echo
end-if

# Migrate from 10.0.2 to 11.0.0 (migration changes for infinispan update from 9.4.18.Final to 10.1.8.Final)

if (result != org.keycloak.keycloak-model-infinispan) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak:read-attribute(name=module)
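Review bot: The condition `result == 120000 || result == undefined` does two different things that the script does not distinguish: it replaces a value of 120000 — presumably an earlier shipped default, though nothing here says so — and it also sets a timeout where none was configured, which, if I recall Undertow's semantics correctly, is the case that actually closes the slow-read window (an undefined read-timeout means no timeout). An administrator who deliberately chose 120000 gets it overwritten with only the echo line as notice. A comment naming the origin of 120000, e.g. `# 120000 was the previously shipped default; an unset value means no read timeout at all`, would make the branch reviewable and tell operators what they are losing. The enclosing migration script continues before and after this hunk.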
Expand Up @@ -774,6 +774,26 @@ if (result != fixed) of /subsystem=keycloak-server/spi=hostname/:read-attribute(
end-try
end-if

# Migrate from 8.0.0 to 9.0.5

if (result == 120000 || result == undefined) of /subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=read-timeout)
echo Updating value of http listener read-timeout.
/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000)
echo
end-if

if (result == 120000 || result == undefined) of /subsystem=undertow/server=default-server/https-listener=https/:read-attribute(name=read-timeout)
echo Updating value of https listener read-timeout.
/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000)
echo
end-if

if (result == 20 || result == undefined) of /subsystem=datasources/data-source=KeycloakDS/:read-attribute(name=max-pool-size)
echo Updating value of datasource max-pool-size.
/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100)
echo
end-if

# Migrate from 10.0.2 to 11.0.0 (migration changes for infinispan update from 9.4.18.Final to 10.1.8.Final)

if (result != org.keycloak.keycloak-model-infinispan) of /subsystem=infinispan/cache-container=keycloak:read-attribute(name=module)
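Review bot: Raising `max-pool-size` to 100 increases capacity but on its own does not bound how long request threads wait for a connection once the pool is exhausted, which is the failure mode a connection-flood DoS drives; the datasource's `blocking-timeout-wait-millis` (and the worker thread count) is not touched here, so a flood can still park every request thread behind the pool. It would be worth checking, as part of the same hardening, that a blocking timeout is set deliberately rather than inherited, and noting in the section comment that the database's own connection limit must accommodate 100 connections per server instance — several instances sharing one database can otherwise exhaust it, turning a per-node mitigation into a cluster-wide outage. I cannot see the datasource definition from this hunk, so treat the blocking-timeout point as something to confirm. The migration script continues outside the hunk on both sides.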
Expand Up @@ -639,6 +639,26 @@ if (result != fixed) of /subsystem=keycloak-server/spi=hostname/:read-attribute(
end-try
end-if

# Migrate from 8.0.0 to 9.0.5

if (result == 120000 || result == undefined) of /subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=read-timeout)
echo Updating value of http listener read-timeout.
/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000)
echo
end-if

if (result == 120000 || result == undefined) of /subsystem=undertow/server=default-server/https-listener=https/:read-attribute(name=read-timeout)
echo Updating value of https listener read-timeout.
/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000)
echo
end-if

if (result == 20 || result == undefined) of /subsystem=datasources/data-source=KeycloakDS/:read-attribute(name=max-pool-size)
echo Updating value of datasource max-pool-size.
/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100)
echo
end-if

# Migrate from 10.0.2 to 11.0.0 (migration changes for infinispan update from 9.4.18.Final to 10.1.8.Final)

if (result != org.keycloak.keycloak-model-infinispan) of /subsystem=infinispan/cache-container=keycloak:read-attribute(name=module)
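Review bot: Each `if` here evaluates `read-attribute` on a fixed resource address and, as far as I recall jboss-cli's behaviour, a failed condition operation aborts the script rather than evaluating to false — so a server whose `https-listener=https` was removed (TLS terminated at a reverse proxy is a common reason) would fail the whole migration at the second block. The hostname block just above ends with `end-try`/`end-if`, so the script already wraps fragile operations in `try`; the three new blocks would be safer with the same treatment, e.g. `try` … `catch` `echo https listener not present, skipping read-timeout update.` `end-try` around each, or a preceding existence check. This is a fragment of a longer migration script; the surrounding sections are outside the view.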
Expand Up @@ -36,6 +36,9 @@
<user-name>sa</user-name>
<password>sa</password>
</security>
<pool>
<max-pool-size>100</max-pool-size>
</pool>
</datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
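Review bot: The new `<pool>` element sets a capacity of 100 with no record of why, and the datasource in this file is backed by the H2 driver with the `sa`/`sa` credentials, where the number mostly matters as the default that the migration scripts preserve — a short XML comment such as `<!-- KEYCLOAK-14872: pool raised to 100 connections; keep in sync with the migrate-*.cli scripts -->` would tie the value to its rationale and to the four scripts that hard-code the same constant. Operators replacing this datasource with a production database should also be told that the configured database must allow at least 100 connections per Keycloak instance. The enclosing `<datasource>` element starts outside the hunk.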
Expand Up @@ -28,8 +28,8 @@
<buffer-cache name="default"/>
<server name="default-server">
<?AJP?>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" read-timeout="30000"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" read-timeout="30000"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
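Review bot: `read-timeout="30000"` bounds a socket whose reads stall mid-request, but as far as I know Undertow handles the other two slow-client vectors with separate attributes — `request-parse-timeout` for a client that trickles request headers and `no-request-timeout` for a keep-alive connection that never sends the next request — and neither is set here, so the listeners remain only partially covered against slowloris-style behaviour. It would also be worth confirming that a 30 s stall threshold does not cut off legitimate slow uploads (large realm or user imports over the admin REST API) and that the value is appropriate when a reverse proxy in front of Keycloak buffers requests. An attribute this consequential deserves a note in the file, e.g. `<!-- KEYCLOAK-14872: read-timeout bounds stalled client reads (DoS hardening) -->` above the listeners. The `<server>` element opened in this hunk closes outside it.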
