Posted to user@shiro.apache.org by Garoad <eh...@gmail.com> on 2010/11/24 18:55:05 UTC

Exception types thrown during login using ActiveDirectoryRealm

In a small test example I threw together I noticed that when using the
ActiveDirectoryRealm, only AuthenticationException ever seems to get thrown,
regardless of what the issue was.  In other words, I believe I recall (when
I was using something other than AD) seeing IncorrectCredentialsException,
or LockedAccountException, and so on (depending on the issue).  But it seems
once I switched over to AD, I only get AuthenticationException.  What could
be the reason(s)?
-- 
View this message in context: http://shiro-user.582556.n2.nabble.com/Exception-types-thrown-during-login-using-ActiveDirectoryRealm-tp5771260p5771260.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Exception types thrown during login using ActiveDirectoryRealm

Posted by Les Hazlewood <lh...@apache.org>.
If anyone is up for implementing this, please open a Jira issue and
provide a patch.  They're always welcome!

Best,

Les

On Wed, Nov 24, 2010 at 12:07 PM, Garoad <eh...@gmail.com> wrote:
>
> Yeah, I'm aware of the reasoning for not bothering with providing such
> feedback to enhance security, so I totally understand why the feature isn't
> there.  I only ask about it for a few minor reasons: debugging purposes,
> logging/reporting purposes (for high-security requirement apps) and
> low-security requirement applications that care more about convenience than
> strict security.

Re: Exception types thrown during login using ActiveDirectoryRealm

Posted by Garoad <eh...@gmail.com>.
Yeah, I'm aware of the reasoning for not bothering with providing such
feedback to enhance security, so I totally understand why the feature isn't
there.  I only ask about it for a few minor reasons: debugging purposes,
logging/reporting purposes (for high-security requirement apps) and
low-security requirement applications that care more about convenience than
strict security.

Re: Exception types thrown during login using ActiveDirectoryRealm

Posted by Les Hazlewood <lh...@apache.org>.
The Realm implementations are responsible for throwing a specific
implementation to indicate why something failed.

The ActiveDirectory implementation (through its parent class
'doGetAuthenticationInfo' implementation) merely wraps any thrown
javax.naming.AuthenticationException or NamingException with a generic
Shiro AuthenticationException indicating the failure.

This is because the javax.naming.AuthenticationException thrown when using
JNDI doesn't give us a type-safe explanation of why it was thrown.
You'd need an exception 'translator' of sorts that could read the
javax.naming.AuthenticationException's 'explanation' String and
convert that into a more specific Shiro type-safe
AuthenticationException instance.

It is a general practice to not give an end-user much information as
to why their authentication attempt failed (e.g. 'Username or password
incorrect.' is sufficient for most apps), because doing so could give
a potential attacker more information on how to attack the system.
Since most people prefer this more 'general' approach to showing login
failures, no one has gone through the effort yet to create the
exception 'translator'.  Patches are always welcome of course!

Best,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Wed, Nov 24, 2010 at 9:55 AM, Garoad <eh...@gmail.com> wrote:
>
> In a small test example I threw together I noticed that when using the
> ActiveDirectoryRealm, only AuthenticationException ever seems to get thrown,
> regardless of what the issue was.  In other words, I believe I recall (when
> I was using something other than AD) seeing IncorrectCredentialsException,
> or LockedAccountException, and so on (depending on the issue).  But it seems
> once I switched over to AD, I only get AuthenticationException.  What could
> be the reason(s)?
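An exception translator of the kind Les describes above, written here as an added example; it is not code from this thread or from the Shiro project. It assumes Shiro 1.x, where ActiveDirectoryRealm inherits a doGetAuthenticationInfo that wraps the JNDI javax.naming.AuthenticationException as the cause of the Shiro AuthenticationException, and it assumes the domain controller's bind-failure explanation carries the well-known Active Directory sub-error token ("data 52e", "data 775", and so on) after "AcceptSecurityContext error". The class name TranslatingActiveDirectoryRealm, the translate method and the regular expression are assumptions made for this example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.naming.NamingException;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.ExpiredCredentialsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;

/**
 * Hypothetical subclass (example only) that turns the generic Shiro
 * AuthenticationException raised by ActiveDirectoryRealm into a more
 * specific Shiro type by reading the JNDI explanation string.
 */
public class TranslatingActiveDirectoryRealm extends ActiveDirectoryRealm {

    // Active Directory appends a hex sub-error to a failed simple bind, e.g.
    // "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
    //  AcceptSecurityContext error, data 52e, v1db1]".
    // The "data NNN" token is what distinguishes a bad password from a
    // locked, disabled or expired account.  Assumed format for this example.
    private static final Pattern SUB_ERROR = Pattern.compile("data\\s+([0-9a-fA-F]{3})");

    // Kept generic on purpose: this is the message an end user may see.
    private static final String MSG = "LDAP authentication failed.";

    /**
     * Map a JNDI explanation string to a Shiro exception type.
     * Unknown or missing sub-errors fall back to the generic exception.
     */
    static AuthenticationException translate(String explanation, Throwable cause) {
        if (explanation == null) {
            return new AuthenticationException(MSG, cause);
        }
        Matcher m = SUB_ERROR.matcher(explanation);
        if (!m.find()) {
            return new AuthenticationException(MSG, cause);
        }
        switch (m.group(1).toLowerCase()) {
            case "525": return new UnknownAccountException(MSG, cause);       // user not found
            case "52e": return new IncorrectCredentialsException(MSG, cause); // invalid credentials
            case "532": return new ExpiredCredentialsException(MSG, cause);   // password expired
            case "773": return new ExpiredCredentialsException(MSG, cause);   // must reset password
            case "533": return new DisabledAccountException(MSG, cause);      // account disabled
            case "701": return new DisabledAccountException(MSG, cause);      // account expired
            case "775": return new LockedAccountException(MSG, cause);        // account locked out
            default:    return new AuthenticationException(MSG, cause);
        }
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        try {
            return super.doGetAuthenticationInfo(token);
        } catch (AuthenticationException e) {
            Throwable cause = e.getCause();
            // AbstractLdapRealm wraps the JNDI exception as the cause; only
            // a javax.naming.AuthenticationException carries a bind sub-error.
            if (cause instanceof javax.naming.AuthenticationException) {
                throw translate(((NamingException) cause).getExplanation(), cause);
            }
            throw e;
        }
    }

    /** Stand-alone check with constructed explanation strings (no directory needed). */
    public static void main(String[] args) {
        String locked = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
                + "AcceptSecurityContext error, data 775, v1db1]";
        String badPw = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
                + "AcceptSecurityContext error, data 52e, v1db1]";
        System.out.println(translate(locked, null).getClass().getSimpleName()); // LockedAccountException
        System.out.println(translate(badPw, null).getClass().getSimpleName());  // IncorrectCredentialsException
        System.out.println(translate("[LDAP: error code 49]", null).getClass().getSimpleName()); // AuthenticationException
    }
}
```

The specific type is meant for the server-side log or audit trail, which is what the thread asks for; the message string stays uniform so the login page can still show "Username or password incorrect." regardless of type. Surfacing UnknownAccountException versus IncorrectCredentialsException to the client would turn the login form into a username-enumeration oracle, so a deployment that wants the translator for logging should still catch every subtype at the presentation layer and render one message. The exact explanation text varies by domain controller version and configuration, so the regular expression should be verified against the directory in use before relying on the mapping.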