Posted to dev@tomcat.apache.org by bu...@apache.org on 2023/01/12 07:46:47 UTC

[Bug 65635] Methods to return auth errors

https://bz.apache.org/bugzilla/show_bug.cgi?id=65635

Werner Daehn <we...@googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |critical

--- Comment #1 from Werner Daehn <we...@googlemail.com> ---
I'd like to raise the priority on this as I feel it is an issue for almost all
web applications. People either accept it grudgingly or write their own
Filter/Valve bypassing all Tomcat security features and the flexibility they
provide.

Upon further digging, it seems you have faced the same problem. 
In the JAASRealm you catch all the different exceptions and swallow the
information.
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/realm/JAASRealm.java#L441

If I am not mistaken, an easy and backward compatible solution would be to
allow all the versions of `authenticate()` to throw exceptions. Best would be a
hierarchy of exceptions: LoginException --> LoginWithWarningException

These Exceptions are then used in the RealmBase to do different things.
Redirect to the error page with the exception details being attached. Redirect
to the target page but with the login warning information attached.

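The following is an added, self-contained sketch of the design the comment proposes; it is not code from the bug reporter or from Tomcat. It keeps the proposed two-level hierarchy but names the base type RealmLoginException (a hypothetical name chosen here so it does not collide with javax.security.auth.login.LoginException), makes LoginWithWarningException a subclass that carries the authenticated Principal, and shows an authenticate() that translates the JAAS exception types into that hierarchy instead of swallowing them, plus a dispatch() that routes warnings to the target page and failures to the error page. jaasLogin(), dispatch(), Outcome, the user table and the expiry table are all constructed for this example. One caveat a practitioner would add to the proposal: the detailed failure reason ("unknown user" versus "wrong password" versus "account locked") must not reach the client unchanged, because that turns the login form into an account enumeration oracle; the example therefore logs the detail server-side and returns a generic client message on failure, while the warning text on a successful login is safe to forward.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class AuthOutcomeDemo {

    /** Hypothetical base type: authenticate() throws this instead of returning null. */
    static class RealmLoginException extends Exception {
        RealmLoginException(String msg) { super(msg); }
    }

    /** Hypothetical subtype: login succeeded, but the container should surface a warning. */
    static class LoginWithWarningException extends RealmLoginException {
        final Principal principal;
        LoginWithWarningException(Principal p, String warning) { super(warning); this.principal = p; }
    }

    // Constructed sample data standing in for a JAAS LoginModule's user store.
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2", "carol", "pa55");
    static final Map<String, Boolean> LOCKED = Map.of("bob", true);
    static final Map<String, Integer> DAYS_UNTIL_EXPIRY = Map.of("carol", 3);

    /** Stand-in for LoginContext.login(): throws the standard JAAS exception types. */
    static Principal jaasLogin(String user, String password) throws LoginException {
        String expected = PASSWORDS.get(user);
        if (expected == null || !expected.equals(password)) {
            throw new FailedLoginException("bad credentials for " + user);
        }
        if (LOCKED.getOrDefault(user, false)) {
            throw new AccountExpiredException("account " + user + " is locked");
        }
        return () -> user; // Principal is a functional interface (getName)
    }

    /** The comment's proposal: keep the JAAS reason instead of collapsing every failure to null. */
    static Principal authenticate(String user, String password) throws RealmLoginException {
        Principal p;
        try {
            p = jaasLogin(user, password);
        } catch (AccountExpiredException e) {
            throw new RealmLoginException("account expired: " + e.getMessage());
        } catch (CredentialExpiredException e) {
            throw new RealmLoginException("credential expired: " + e.getMessage());
        } catch (LoginException e) { // FailedLoginException and anything else
            throw new RealmLoginException("login failed: " + e.getMessage());
        }
        int days = DAYS_UNTIL_EXPIRY.getOrDefault(user, 90);
        if (days <= 7) {
            throw new LoginWithWarningException(p, "password expires in " + days + " day(s)");
        }
        return p;
    }

    /** Where the request goes next, what the client may see, and what only the server log gets. */
    static final class Outcome {
        final String redirectTo; final Principal principal; final String clientMessage; final String serverLog;
        Outcome(String r, Principal p, String c, String s) { redirectTo = r; principal = p; clientMessage = c; serverLog = s; }
    }

    static Outcome dispatch(String user, String password, String target, String errorPage) {
        try {
            Principal p = authenticate(user, password);
            return new Outcome(target, p, null, "login ok: " + p.getName());
        } catch (LoginWithWarningException w) {
            // Success with warning: continue to the target and attach the warning for the app to render.
            return new Outcome(target, w.principal, w.getMessage(), "login ok with warning: " + w.getMessage());
        } catch (RealmLoginException e) {
            // Failure: detailed reason stays server-side; the client gets a generic message
            // so the form cannot be used to tell valid from invalid usernames.
            return new Outcome(errorPage, null, "Authentication failed.", "login denied for " + user + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        String[][] attempts = { {"alice", "s3cret"}, {"bob", "hunter2"}, {"carol", "pa55"}, {"mallory", "x"} };
        for (String[] a : attempts) {
            Outcome o = dispatch(a[0], a[1], "/app/home", "/login-error.html");
            System.out.printf("%-8s -> %-18s client=%s | log=%s%n",
                    a[0], o.redirectTo, o.clientMessage, o.serverLog);
        }
    }
}
```

Running main() shows the four outcomes: alice lands on the target with no message, carol lands on the target with the expiry warning attached, and bob and mallory both go to the error page with the identical client-facing text while the server log records "account expired" and "login failed" respectively.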