Posted to user@shiro.apache.org by Mylene <my...@gmail.com> on 2011/01/07 12:36:29 UTC

Quickstart comment

Hi,
I was going through your quickstart documentation.  I like it, it
works as stated, but I'd like to give one security related comment.

The "advised" error message (You, as the application/GUI developer can
choose to show the end-user messages based on exceptions or not (for
example, "There is no account in the system with that username.").) is
IMHO not too well chosen.

If someone wants to hack an application, he (or she for that matter)
will easily find out which accounts are valid and which are not - if
someone follows this example - and people tend to do that...

just my 2 cents....

Mylene
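As an added illustration of the point above (example code, not from the thread or from the Shiro quickstart itself), the login helper below catches the quickstart's per-exception cases but returns one generic message to the end user and keeps the distinguishing detail in the server log. It assumes Shiro's standard `Subject.login` / `UsernamePasswordToken` API and SLF4J logging; the `LoginHelper` class and its `GENERIC_FAILURE` constant are hypothetical names.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical login helper (example code, not the quickstart's own). */
public final class LoginHelper {
    private static final Logger log = LoggerFactory.getLogger(LoginHelper.class);

    // One message for every authentication failure, so the response does not
    // tell the caller whether the username exists, the password was wrong,
    // or the account is locked.
    static final String GENERIC_FAILURE = "Invalid username or password.";

    /** Returns null on success, otherwise the message to show the end user. */
    public static String login(String username, char[] password, boolean rememberMe) {
        Subject currentUser = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);
        try {
            currentUser.login(token);
            return null;
        } catch (UnknownAccountException e) {
            // The specific cause goes to the server log only; the user sees
            // GENERIC_FAILURE regardless of which branch is taken.
            log.info("login failed: unknown account '{}'", token.getPrincipal());
        } catch (IncorrectCredentialsException e) {
            log.info("login failed: bad credentials for '{}'", token.getPrincipal());
        } catch (LockedAccountException e) {
            log.warn("login failed: account '{}' is locked", token.getPrincipal());
        } catch (AuthenticationException e) {
            log.warn("login failed for '{}': {}", token.getPrincipal(),
                     e.getClass().getSimpleName());
        } finally {
            token.clear(); // wipe the password copy held by the token
        }
        return GENERIC_FAILURE;
    }
}
```

The per-cause log lines keep the detail available for monitoring (for example, a burst of unknown-account failures from one client), while the HTTP response stays identical across all failure branches.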

Re: Quickstart comment

Posted by Alex Salazar <al...@alexsalazar.com>.
Hi Mylene,

Great point.  I've updated the quickstart.  It should show up on the site
next time confluence wiki gets exported.

Alex


On Fri, Jan 7, 2011 at 3:36 AM, Mylene <my...@gmail.com> wrote:

> Hi,
> I was going through your quickstart documentation.  I like it, it
> works as stated, but I'd like to give one security related comment.
>
> The "advised" error message (You, as the application/GUI developer can
> choose to show the end-user messages based on exceptions or not (for
> example, "There is no account in the system with that username.").) is
> IMHO not too well chosen.
>
> If someone wants to hack an application, he (or she for that matter)
> will easily find out which accounts are valid and which are not - if
> someone follows this example - and people tend to do that...
>
> just my 2 cents....
>
> Mylene
>