You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@karaf.apache.org by "Freeman Fang (Commented) (JIRA)" <ji...@apache.org> on 2011/10/24 08:40:32 UTC
[jira] [Commented] (KARAF-956) jaas module should throw generic
FailedLoginException
[ https://issues.apache.org/jira/browse/KARAF-956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133855#comment-13133855 ]
Freeman Fang commented on KARAF-956:
------------------------------------
commit fix
http://svn.apache.org/viewvc?rev=1188030&view=rev for trunk
http://svn.apache.org/viewvc?rev=1188029&view=rev for 2.2.x branch
the default behavior is not throw detailed message like "User does not exist" and "Password for " + user + " does not match" which might be used by malicious client, just a generic "login failed" message.
Can add detailed.login.exception = true
in etc/org.apache.karaf.jaas.cfg
to throw detailed message
> jaas module should throw generic FailedLoginException
> ------------------------------------------------------
>
> Key: KARAF-956
> URL: https://issues.apache.org/jira/browse/KARAF-956
> Project: Karaf
> Issue Type: Improvement
> Reporter: Freeman Fang
> Assignee: Freeman Fang
>
> currently it always throw very detailed exception like
> throw new FailedLoginException("User does not exist");
> and
> throw new FailedLoginException("Password for " + user + " does not match");
> though it's very useful during development or debug, it can leak hint to malicious client, we need
> provide a configurable way to throw FailedLoginException with/without detailed message.
> Likely add a property in etc/org.apache.karaf.jaas.cfg, the default value is just throw very generic FailedLoginException without detailed message, this would be more safe for real productions env.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira