You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2019/04/10 16:39:03 UTC
[Bug 63336] Currently there is no way to know in form error page
that the user was not authenticated because it was locked out
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
Resolution|--- |WONTFIX
Status|NEW |RESOLVED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
This has been discussed previously and will not be implemented in Tomcat since
informing an attacker that an account has been locked is a (minor) security
vulnerability.
Users are free to extend Tomcat to provide this functionality in their apps if
they wish.
Requests to modify Tomcat to make this sort of extension easier are likely to
be looked on favourably - especially if patches are provided.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org