You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/03/14 21:01:44 UTC

DO NOT REPLY [Bug 18004] - JDBCRealm.authenticate() eats SQLExceptions and should not

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18004>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18004

JDBCRealm.authenticate() eats SQLExceptions and should not





------- Additional Comments From craig.mcclanahan@sun.com  2003-03-14 20:01 -------
The only place that the actual cause of such a problem should show up is in the
log files -- telling the user what the actual problem was just opens your app up
to security attacks.  Good security design says that the result of an "are you
authenticated" question is a yes or no, with no further information available to
potential attackers.

I'm not an active Tomcat committer at the moment, but I strongly argue for a
WONTFIX resolution on this one.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org