One small piece of advice - Set something up to prevent users from
entering their username as passwords.
The sad fact is that the industry has billions of lines of code and
the weakest element is Susie in HR who writes her password down on a
Post-It note attached to her monitor.
Cheers,
Matthew
On Dec 7, 2005, at 11:46 AM, Trent wrote:
Thanks Ray, I've looked into the code and this looks like the place to
start... I'm just a developer; orders take precedence over the
evil-doers.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ray Krueger
Sent: Wednesday, December 07, 2005 9:58 AM
To: [email protected]
Subject: Re: [Acegisecurity-developer] knowledge of valid username but incorrect password
You can set the hideUserNotFoundExceptions property on the
AuthenticationDaoProvider to false.
Keep in mind that you are giving hackers a hint by doing that though.
You are telling any potential evil-doers "Well, you guessed correctly
on a username, now just guess the password".
On 12/7/05, Trent <[EMAIL PROTECTED]> wrote:
Currently we have ACEGI authenticating a web app. However I need to
change some current behavior. Right now if a user enters a correct
username but incorrect password the error is the same as a user
passing an incorrect username. I need to find out how Acegi can notify
the application that the username is correct but the password isn't.
Could someone point me in the right direction on how to do this?
Trent
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
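
An added example (not from the thread and not Acegi code) of the trade-off discussed above: the server keeps the exact failure cause for its own audit log while the message shown to the client stays generic, plus the username-as-password check Matthew suggests. All class and method names are hypothetical, and the user store is constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; class and method names are hypothetical, not Acegi APIs.
public class LoginPolicyDemo {
    enum Cause { OK, UNKNOWN_USER, BAD_PASSWORD }

    // Constructed sample store. Plain-text values keep the demo short;
    // a real store holds salted password hashes.
    static final Map<String, String> USERS = new HashMap<>();

    // Internal result: the precise cause, for server-side audit logs only.
    static Cause check(String user, String password) {
        String stored = USERS.get(user);
        if (stored == null) return Cause.UNKNOWN_USER;
        return stored.equals(password) ? Cause.OK : Cause.BAD_PASSWORD;
    }

    // What the login page may show. With hiding on, both failure causes
    // collapse into one message; with it off, the response confirms
    // which usernames exist.
    static String clientMessage(Cause cause, boolean hideUserNotFound) {
        if (cause == Cause.OK) return "Welcome";
        if (hideUserNotFound) return "Bad credentials";
        return cause == Cause.UNKNOWN_USER ? "Unknown user" : "Wrong password";
    }

    // Matthew's advice: refuse a password that is just the username.
    static boolean acceptableNewPassword(String user, String candidate) {
        return !candidate.trim().equalsIgnoreCase(user.trim());
    }

    public static void main(String[] args) {
        USERS.put("susie", "correct horse");
        String[][] attempts = {
            {"susie", "nope"}, {"nobody", "nope"}, {"susie", "correct horse"}
        };
        for (boolean hide : new boolean[] { true, false }) {
            for (String[] a : attempts) {
                Cause cause = check(a[0], a[1]);
                System.out.println("hide=" + hide + " audit=" + cause
                        + " client=\"" + clientMessage(cause, hide) + "\"");
            }
        }
        System.out.println("'Susie' accepted as password for susie? "
                + acceptableNewPassword("susie", "Susie"));
    }
}
```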