Posted to dev@sling.apache.org by "Hakim Sadikali (JIRA)" <ji...@apache.org> on 2009/11/18 17:56:43 UTC

[jira] Created: (SLING-1196) Sling Authentication - SlingAuthenticator hides LoginFailure reason

Sling Authentication - SlingAuthenticator hides LoginFailure reason
-------------------------------------------------------------------

                 Key: SLING-1196
                 URL: https://issues.apache.org/jira/browse/SLING-1196
             Project: Sling
          Issue Type: Improvement
          Components: Engine
    Affects Versions: Engine 2.0.6
            Reporter: Hakim Sadikali


The SlingAuthenticator does not provide the handler with the reason a login failed, it only logs the reason and proceeds to try again:

    // request authentication information and send 403 (Forbidden)
    // if no handler can request authentication information.
    log.info("authenticate: Unable to authenticate: {}",
        reason.getMessage());
    log.debug("authenticate", reason);

    login(request, response);


Applications often want to provide more detailed information to the end user: username not found, password does not match username, etc.

An easy solution would be to put the LoginException in the request for the login handler to have access to it, and then remove it after the login handler has processed the request - works but not particularly elegant.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (SLING-1196) Sling Authentication - SlingAuthenticator hides LoginFailure reason

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12903037#action_12903037 ] 

Felix Meschberger commented on SLING-1196:
------------------------------------------

Reconsidering, I am not sure whether this has really any use, because the information in the LoginException is not generally informative and, second, it is security-wise a bad idea to tell the user more than a generic "sorry, name/password do not match". Otherwise they might deduce that a user might exist and they just have to try more passwords.



[jira] Resolved: (SLING-1196) Sling Authentication - SlingAuthenticator hides LoginFailure reason

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger resolved SLING-1196.
--------------------------------------

      Assignee: Felix Meschberger
    Resolution: Won't Fix

So we resolve this issue as won't fix in light of the solution implemented with SLING-1783.



[jira] Updated: (SLING-1196) Sling Authentication - SlingAuthenticator hides LoginFailure reason

Posted by "Hakim Sadikali (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hakim Sadikali updated SLING-1196:
----------------------------------

    Attachment: SlingAuthenticator.java

Patched the SlingAuthenticator to add the functionality.



[jira] Commented: (SLING-1196) Sling Authentication - SlingAuthenticator hides LoginFailure reason

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12779850#action_12779850 ] 

Felix Meschberger commented on SLING-1196:
------------------------------------------

Yes, makes sense, though I would not put the login exception as a whole but rather the message of the exception (which may well be null!).

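The two points raised in this thread, keeping the detailed failure reason away from the end user (generic "name/password do not match") and guarding against a LoginException whose getMessage() is null, can be combined in one handler. The class below is an added illustration, not Sling code or the attached patch; it uses only the JDK, and the Outcome type and the correlation id are assumptions for the example.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example (not part of Sling): a login-failure handler that keeps the
 * detailed reason server-side and returns the same generic message to the
 * client for every cause, so "unknown user" and "wrong password" look alike.
 */
public class LoginFailureHandler {

    private static final Logger LOG = Logger.getLogger(LoginFailureHandler.class.getName());

    /** The only text ever sent to the browser; identical for all failure causes. */
    public static final String GENERIC_MESSAGE = "Sorry, name/password do not match.";

    /** Hypothetical result type handed to the page that renders the login form. */
    public static final class Outcome {
        public final String userMessage;   // shown to the user
        public final String correlationId; // lets an operator find the log entry
        Outcome(String userMessage, String correlationId) {
            this.userMessage = userMessage;
            this.correlationId = correlationId;
        }
    }

    /**
     * Called with the exception the repository login threw. In Sling this would be
     * the javax.jcr.LoginException; here any Exception is accepted to stay JDK-only.
     */
    public Outcome onLoginFailure(String userId, Exception reason) {
        String id = UUID.randomUUID().toString();
        // getMessage() may well be null, as noted in the thread: guard before using it.
        String detail = reason.getMessage() == null
                ? reason.getClass().getSimpleName()
                : reason.getMessage();
        // The specific reason goes to the server log only, keyed by the correlation id.
        LOG.log(Level.INFO, "login failed [{0}] user={1} reason={2}",
                new Object[] {id, userId, detail});
        LOG.log(Level.FINE, "login failed [" + id + "]", reason);
        // The client sees one fixed message regardless of why the login failed.
        return new Outcome(GENERIC_MESSAGE, id);
    }
}
```

Showing the correlation id next to the generic message lets support staff match a user report to the log line without the response itself revealing whether the account exists.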


[jira] Updated: (SLING-1196) Sling Authentication - SlingAuthenticator hides LoginFailure reason

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger updated SLING-1196:
-------------------------------------

    Affects Version/s:     (was: Engine 2.0.6)
          Component/s: Authentication
                           (was: Engine)

This is now an Auth Core issue.
