Posted to dev@tomcat.apache.org by bu...@apache.org on 2021/10/15 13:06:31 UTC

[Bug 65635] New: Methods to return auth errors

https://bz.apache.org/bugzilla/show_bug.cgi?id=65635

            Bug ID: 65635
           Summary: Methods to return auth errors
           Product: Tomcat 10
           Version: 10.0.0
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Authentication
          Assignee: dev@tomcat.apache.org
          Reporter: werner.daehn@googlemail.com
  Target Milestone: ------

I am using FormBased login. If there is an error during login, tomcat redirects
to an error page and there I show a static text: "login failed".
But there is no way foreseen to tell the user why it failed. Sometimes you
don't want to, sometimes it is essential. I have seen quite a lot of questions
in that area in stack overflow, so it is nothing new.

Regarding the types of error, let me categorize them into four buckets:

1. username or password wrong: In this case we do not want to provide any
feedback for security reasons. A "username/password" wrong message is enough.

2. Issues with the IDP, e.g. the user database is down, network issues, too
many SQL connections open, .... all the infrastructure related issues.
Returning a static text would cause the user to retry, to change his password
or whatever. What he should do is calling IT to fix the infrastructure problem.
username/password is valid, it is just that it cannot be validated!

3. Login succeeds but a follow up action is needed. Password is flagged as
to-be-changed and a password-change dialog must be shown. Database is in
maintenance mode. This requires either a different page or additional feedback
to the error page in order to render the correct controls.

4. Issues with the Realm or its configuration. Realm implementation has a NPE.
Realm requires a setting but it is not provided. These are setup issues and
looking into the webserver logs is fine, although a user feedback might be
better still. Then the user would know it is not his fault.

It is my belief that the tomcat should provide(!) a mechanism to attach error
information to the error page in order to have the option to show different
things then. And it is the Realm developer's(!) decision what to return and
what is better hidden.

From an implementation point of view I would think it is easy to do as well,
without any backward compatibility issues. In the FormBasedRealm I would wrap
all authenticate() calls into try-catch-Throwable and attach the exception to
the redirect call. Either as URL parameter, better as a session variable. Per
my understanding a session exists already at that point in time.
Might be better to add IOExceptions to the Realm Interface but that would not
be backward compatible.

Also I would expose a logger object for all classes extending the RealmBase
class. Just to motivate people using it more.

Do you concur?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 65635] Methods to return auth errors


--- Comment #2 from Michael Osipov <mi...@apache.org> ---
You want to go the users@ mailing list.



[Bug 65635] Methods to return auth errors


--- Comment #5 from Werner Daehn <we...@googlemail.com> ---
I had that sitting as enhancement for more than a year without a single
comment.
Not returning proper error messages could be considered a bug, especially when
it is at something as important as security and when the fix is rather simple
(unless I am mistaken).

The changes I would do is a ...throws LoginException
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/Realm.java#L83

and in
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/authenticator/FormAuthenticator.java#L244

catch the exception and add it to forwardToErrorPage() as attribute.
I just do not feel qualified making the code changes with all the accompanying
processes myself. And obviously the other auth methods should take benefit as
well.


I am just trying to help making tomcat better, not to create waves. Your
decision.



[Bug 65635] Methods to return auth errors


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |enhancement

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
Restore correct severity. This is an enhancement request, not a bug.



[Bug 65635] Methods to return auth errors


Werner Daehn <we...@googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |critical

--- Comment #1 from Werner Daehn <we...@googlemail.com> ---
I'd like to raise the priority on this as I feel it is an issue for almost all
web applications. People either accept it grudgingly or write their own
Filter/Valve bypassing all Tomcat security features and the flexibility they
provide.

Upon further digging, it seems you have faced the same problem. 
In the JAASRealm you catch all the different exceptions and swallow the
information.
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/realm/JAASRealm.java#L441

If I am not mistaken, an easy and backward compatible solution would be to
allow all the versions of `authenticate()` to throw exceptions. Best would be a
hierarchy of exceptions: LoginException --> LoginWithWarningException

These Exceptions are then used in the RealmBase to do different things.
Redirect to the error page with the exception details being attached. Redirect
to the target page but with the login warning information attached.

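The following is an added example, not Tomcat's code and not code from the reporter. It models the two proposals made in this thread: the four error buckets and the try/catch-plus-session-attribute idea from the initial report, and the LoginException --> LoginWithWarningException hierarchy from Comment #1. Every class name, the `Outcome` codes and the session attribute name are hypothetical; a plain `Map` stands in for the `HttpSession` an authenticator would write to before forwarding to the error page. It assumes Java 17 (records and pattern-matching `instanceof`) and runs stand-alone with constructed failures, one per bucket.

```java
import java.sql.SQLTransientConnectionException;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example (hypothetical names, not Tomcat's API). Classifies a failure
 * thrown by a Realm's authenticate() into what the user may see and what only
 * the server log gets.
 */
public class AuthErrorDemo {

    private static final Logger LOG = Logger.getLogger(AuthErrorDemo.class.getName());

    /** Attribute an authenticator would set before forwarding to the error page (hypothetical). */
    public static final String SESSION_ATTR = "example.auth.outcome";

    /** Base type a Realm would throw from authenticate() (hypothetical hierarchy). */
    public static class LoginException extends Exception {
        public LoginException(String msg, Throwable cause) { super(msg, cause); }
    }
    /** Bucket 1: user name or password wrong. No detail is ever shown. */
    public static class BadCredentialsException extends LoginException {
        public BadCredentialsException() { super("bad credentials", null); }
    }
    /** Bucket 2: the identity store could not be consulted; credentials were not judged. */
    public static class IdpUnavailableException extends LoginException {
        public IdpUnavailableException(Throwable cause) { super("identity store unavailable", cause); }
    }
    /** Bucket 3: login succeeded but a follow-up step (e.g. password change) is required. */
    public static class LoginWithWarningException extends LoginException {
        public final String followUpPath;
        public LoginWithWarningException(String msg, String followUpPath) {
            super(msg, null);
            this.followUpPath = followUpPath;
        }
    }
    // Bucket 4 is any other Throwable: a defect in the Realm or its configuration.

    public enum Outcome { BAD_CREDENTIALS, SERVICE_UNAVAILABLE, ACTION_REQUIRED, REALM_ERROR }

    /** What the error page is allowed to see: a code and a fixed text, never the raw exception. */
    public record Decision(Outcome outcome, String userMessage, String redirectPath) { }

    public static Decision classify(Throwable t) {
        if (t instanceof BadCredentialsException) {
            // Identical wording whether the user name or the password was wrong.
            return new Decision(Outcome.BAD_CREDENTIALS,
                    "Username or password incorrect.", null);
        }
        if (t instanceof LoginWithWarningException w) {
            return new Decision(Outcome.ACTION_REQUIRED,
                    "Further action is required before you can continue.", w.followUpPath);
        }
        if (t instanceof IdpUnavailableException) {
            // Operators need the cause; users only need to know not to retry or rotate passwords.
            LOG.log(Level.WARNING, "credential store unavailable", t);
            return new Decision(Outcome.SERVICE_UNAVAILABLE,
                    "Login is temporarily unavailable. Your credentials were not checked; contact IT.", null);
        }
        // Anything else is a setup or implementation error: full stack trace to the log only.
        LOG.log(Level.SEVERE, "Realm failure (setup or implementation error)", t);
        return new Decision(Outcome.REALM_ERROR,
                "Login failed because of a server-side problem, not because of your credentials.", null);
    }

    /**
     * Stand-in for the try/catch the report proposes around authenticate().
     * The Map plays the role of the HttpSession the error page reads.
     */
    public static Decision handleFailure(Map<String, Object> session, Throwable fromRealm) {
        Decision d = classify(fromRealm);
        session.put(SESSION_ATTR, d);   // the Decision, not the Throwable, is what the page sees
        return d;
    }

    public static void main(String[] args) {
        // Constructed failures, one per bucket from the report.
        Throwable[] samples = {
            new BadCredentialsException(),
            new IdpUnavailableException(new SQLTransientConnectionException("too many connections")),
            new LoginWithWarningException("password expired", "/change-password.jsp"),
            new NullPointerException("dataSourceName is null")
        };
        for (Throwable t : samples) {
            Map<String, Object> session = new HashMap<>();
            Decision d = handleFailure(session, t);
            System.out.printf("%-19s user sees: %s%s%n", d.outcome(), d.userMessage(),
                    d.redirectPath() == null ? "" : " -> " + d.redirectPath());
        }
    }
}
```

The design point is that buckets 1 and 4 deliberately reach the user with equally non-specific text, while bucket 2 is worded so that a user does not start changing a password that was never checked; the SQL or NPE detail goes to the log only, which is where the reporter's "expose a logger for RealmBase subclasses" suggestion fits. If this were wired into a real authenticator, the error page should also remove the attribute after rendering so a stale decision is not shown on a later visit.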


[Bug 65635] Methods to return auth errors


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement



[Bug 65635] Methods to return auth errors


--- Comment #3 from Werner Daehn <we...@googlemail.com> ---
Meaning what? Did I enter the bug wrong? Do you feel that this is a user
question and not a bug/limitation? 

I am not getting your point.



[Bug 65635] Methods to return auth errors


Werner Daehn <we...@googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All
                 CC|                            |werner.daehn@googlemail.com
