Posted to dev@tomcat.apache.org by bu...@apache.org on 2019/04/10 16:39:03 UTC

[Bug 63336] Currently there is no way to know in form error page that the user was not authenticated because it was locked out

https://bz.apache.org/bugzilla/show_bug.cgi?id=63336

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
This has been discussed previously and will not be implemented in Tomcat since
informing an attacker that an account has been locked is a (minor) security
vulnerability.

Users are free to extend Tomcat to provide this functionality in their apps if
they wish.

Requests to modify Tomcat to make this sort of extension easier are likely to
be looked on favourably - especially if patches are provided.
