Posted to user@struts.apache.org by Mick Knutson <mi...@hotmail.com> on 2003/09/28 21:13:08 UTC

[OT] Error Messages using standard security constraint?

I am using the standard web.xml security constraint with JBoss, and if a
user enters a wrong username and/or password, there is not an error message
generated to tell about the error. I just get the same logon form page. How
do I add an error message in the struts manner?

---
Thanks
Mick Knutson

coming soon:
Your SOS: Your personal emergency contact system.
http://YourSos.com

+001(805) 563-0666 Office
+001 (708) 570-2772 Fax
---

---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: [OT] Error Messages using standard security constraint?

Posted by Max Cooper <ma...@maxcooper.com>.
Do you have the <form-error-page> set to something different than the
<form-login-page>? That is the normal means to inform the user that
something was wrong with the username/password combo they typed in. Often
the <form-error-page> is nearly identical to the form-login-page, except
that a "bad username/password combination" error message is displayed. But
you are free (and responsible for) creating both pages, and thus have full
control over their appearance.

The same error is typically displayed no matter what was wrong with the
username/password the user supplied. It may be attractive to be able to tell
them that the username they entered does not exist in the system, or that
the username was good but the password was wrong, etc. But be aware that
providing such messages has some security cost. If someone is trying to
break in, they can use that information to find a real account and then just
focus on choosing the right password. If they get the same "it didn't work"
message for each failed attempt no matter what was wrong with it, they won't
even know if they are trying to get into a valid user account.

If you do wish to provide more informative error messages, you can have the
form-error-page get the j_username and j_password from the request (this
typically works, though I am not sure it is guaranteed to work on all
containers) and use that information to figure out what went wrong. The
results of that check can be used to provide a more descriptive error
message.

-Max

----- Original Message ----- 
From: "Mick Knutson" <mi...@hotmail.com>
To: "struts" <st...@jakarta.apache.org>
Sent: Sunday, September 28, 2003 12:13 PM
Subject: [OT] Error Messages using standard security constraint?


> I am using the standard web.xml security constraint with JBoss, and if a
> user enters a wrong username and/or password, there is not an error message
> generated to tell about the error. I just get the same logon form page. How
> do I add an error message in the struts manner?
>
> ---
> Thanks
> Mick Knutson
>
> coming soon:
> Your SOS: Your personal emergency contact system.
> http://YourSos.com
>
> +001(805) 563-0666 Office
> +001 (708) 570-2772 Fax
> ---
>
>
>
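
Added example, not part of the original thread: a web.xml fragment for container-managed FORM login in which `<form-error-page>` points at a different page than `<form-login-page>`, as the reply above suggests. The page names `/login.jsp` and `/login-error.jsp`, the `/secure/*` pattern, the `user` role and the realm name are assumptions made for illustration.

```xml
<!-- Added example: fragment of WEB-INF/web.xml. Paths, role and realm name
     are assumed values, not taken from the thread. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Realm</realm-name>
  <form-login-config>
    <!-- Shown when an unauthenticated user requests a protected URL.
         Its form posts j_username and j_password to j_security_check. -->
    <form-login-page>/login.jsp</form-login-page>

    <!-- Shown by the container after a failed j_security_check.
         If this is the same page as form-login-page, a failed login just
         redisplays the form with no message. Use a separate page that
         repeats the form and adds one generic line such as
         "Bad username/password combination", identical for an unknown
         username and for a wrong password, so the response does not
         reveal which accounts exist. -->
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```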


