You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@karaf.apache.org by "Freeman Fang (Created) (JIRA)" <ji...@apache.org> on 2011/10/24 05:44:32 UTC
[jira] [Created] (KARAF-956) jaas module should throw generic
FailedLoginException
jaas module should throw generic FailedLoginException
------------------------------------------------------
Key: KARAF-956
URL: https://issues.apache.org/jira/browse/KARAF-956
Project: Karaf
Issue Type: Improvement
Reporter: Freeman Fang
Assignee: Freeman Fang
currently it always throw very detailed exception like
throw new FailedLoginException("User does not exist");
and
throw new FailedLoginException("Password for " + user + " does not match");
though it's very useful during development or debug, it can leak hint to malicious client, we need
provide a configurable way to throw FailedLoginException with/without detailed message.
Likely add a property in etc/org.apache.karaf.jaas.cfg, the default value is just throw very generic FailedLoginException without detailed message, this would be more safe for real productions env.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (KARAF-956) jaas module should throw generic
FailedLoginException
Posted by "Freeman Fang (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/KARAF-956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133855#comment-13133855 ]
Freeman Fang commented on KARAF-956:
------------------------------------
commit fix
http://svn.apache.org/viewvc?rev=1188030&view=rev for trunk
http://svn.apache.org/viewvc?rev=1188029&view=rev for 2.2.x branch
the default behavior is not throw detailed message like "User does not exist" and "Password for " + user + " does not match" which might be used by malicious client, just a generic "login failed" message.
Can add detailed.login.exception = true
in etc/org.apache.karaf.jaas.cfg
to throw detailed message
> jaas module should throw generic FailedLoginException
> ------------------------------------------------------
>
> Key: KARAF-956
> URL: https://issues.apache.org/jira/browse/KARAF-956
> Project: Karaf
> Issue Type: Improvement
> Reporter: Freeman Fang
> Assignee: Freeman Fang
>
> currently it always throw very detailed exception like
> throw new FailedLoginException("User does not exist");
> and
> throw new FailedLoginException("Password for " + user + " does not match");
> though it's very useful during development or debug, it can leak hint to malicious client, we need
> provide a configurable way to throw FailedLoginException with/without detailed message.
> Likely add a property in etc/org.apache.karaf.jaas.cfg, the default value is just throw very generic FailedLoginException without detailed message, this would be more safe for real productions env.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (KARAF-956) jaas module should throw generic
FailedLoginException
Posted by "Freeman Fang (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/KARAF-956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Freeman Fang resolved KARAF-956.
--------------------------------
Resolution: Fixed
Fix Version/s: 3.0.0
2.2.5
> jaas module should throw generic FailedLoginException
> ------------------------------------------------------
>
> Key: KARAF-956
> URL: https://issues.apache.org/jira/browse/KARAF-956
> Project: Karaf
> Issue Type: Improvement
> Reporter: Freeman Fang
> Assignee: Freeman Fang
> Fix For: 2.2.5, 3.0.0
>
>
> currently it always throw very detailed exception like
> throw new FailedLoginException("User does not exist");
> and
> throw new FailedLoginException("Password for " + user + " does not match");
> though it's very useful during development or debug, it can leak hint to malicious client, we need
> provide a configurable way to throw FailedLoginException with/without detailed message.
> Likely add a property in etc/org.apache.karaf.jaas.cfg, the default value is just throw very generic FailedLoginException without detailed message, this would be more safe for real productions env.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Work started] (KARAF-956) jaas module should throw generic
FailedLoginException
Posted by "Freeman Fang (Work started) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/KARAF-956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on KARAF-956 started by Freeman Fang.
> jaas module should throw generic FailedLoginException
> ------------------------------------------------------
>
> Key: KARAF-956
> URL: https://issues.apache.org/jira/browse/KARAF-956
> Project: Karaf
> Issue Type: Improvement
> Reporter: Freeman Fang
> Assignee: Freeman Fang
>
> currently it always throw very detailed exception like
> throw new FailedLoginException("User does not exist");
> and
> throw new FailedLoginException("Password for " + user + " does not match");
> though it's very useful during development or debug, it can leak hint to malicious client, we need
> provide a configurable way to throw FailedLoginException with/without detailed message.
> Likely add a property in etc/org.apache.karaf.jaas.cfg, the default value is just throw very generic FailedLoginException without detailed message, this would be more safe for real productions env.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Closed] (KARAF-956) jaas module should throw generic
FailedLoginException
Posted by "Jamie goodyear (Closed) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/KARAF-956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jamie goodyear closed KARAF-956.
--------------------------------
> jaas module should throw generic FailedLoginException
> ------------------------------------------------------
>
> Key: KARAF-956
> URL: https://issues.apache.org/jira/browse/KARAF-956
> Project: Karaf
> Issue Type: Improvement
> Reporter: Freeman Fang
> Assignee: Freeman Fang
> Fix For: 2.2.5, 3.0.0
>
>
> currently it always throw very detailed exception like
> throw new FailedLoginException("User does not exist");
> and
> throw new FailedLoginException("Password for " + user + " does not match");
> though it's very useful during development or debug, it can leak hint to malicious client, we need
> provide a configurable way to throw FailedLoginException with/without detailed message.
> Likely add a property in etc/org.apache.karaf.jaas.cfg, the default value is just throw very generic FailedLoginException without detailed message, this would be more safe for real productions env.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira