Hi,
I noticed from the commit message belonging to this issue that the username
is logged to the logging service. From a security perspective this is
deprecated, because the user may well not be paying attention and
unintentionally have entered his password instead of his username.
Regards,
Denis Koelewijn
Modified:
trunk/amdatu-auth/login-service/src/main/java/org/amdatu/auth/login/service/service/LoginServiceImpl.java
Modified:
trunk/amdatu-auth/login-service/src/main/java/org/amdatu/auth/login/service/service/LoginServiceImpl.java
==============================================================================
---
trunk/amdatu-auth/login-service/src/main/java/org/amdatu/auth/login/service/service/LoginServiceImpl.java
(original)
+++
trunk/amdatu-auth/login-service/src/main/java/org/amdatu/auth/login/service/service/LoginServiceImpl.java
Tue Oct 4 16:06:48 2011
@@ -208,13 +208,13 @@
else {
m_logService.log(LogService.LOG_INFO, "Incorrect
password provided for user '" + username + "'");
jsonObject.append("result", "failed");
- jsonObject.append("msg", "Password is incorrect");
+ jsonObject.append("msg", "Incorrect username or
password");
}
}
else {
m_logService.log(LogService.LOG_INFO, "Username '" +
username + "' unknown");
jsonObject.append("result", "failed");
- jsonObject.append("msg", "Username is unknown");
+ jsonObject.append("msg", "Incorrect username or password");
}
}
catch (JSONException e) {
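Review bot: the user-facing messages are now identical, but both LogService.log calls in this hunk still write the raw submitted username ("Incorrect password provided for user '" + username + "'" and "Username '" + username + "' unknown"); in the unknown-user branch that string is unverified input and, as Denis notes above, may be a password typed into the wrong field. Consider logging the raw identifier only in the branch where the account is known to exist, and an opaque tag (or nothing) in the unknown-user branch. Two smaller points: the issue text asks for "Login failed" as the uniform message while the hunk uses "Incorrect username or password", so either the ticket or the string should be brought in line; and the two branches still diverge before the message is built, so if the password-check path does noticeably more work than the lookup-miss path the distinction stays observable through response time, which hashing a dummy credential when the user is unknown would close.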
On Tue, Oct 4, 2011 at 16:06, Ivo Ladage - van Doorn (Resolved) (JIRA) <
[email protected]> wrote:
>
> [
> http://jira.amdatu.org/jira/browse/AMDATUAUTH-94?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
>
> Ivo Ladage - van Doorn resolved AMDATUAUTH-94.
> ----------------------------------------------
>
> Assignee: Ivo Ladage - van Doorn
> Resolution: Fixed
>
> done
>
> > LoginServiceImpl not reveal detailed error messages
> > ---------------------------------------------------
> >
> > Key: AMDATUAUTH-94
> > URL: http://jira.amdatu.org/jira/browse/AMDATUAUTH-94
> > Project: Amdatu Auth
> > Issue Type: Bug
> > Components: Authorization & authentication
> > Reporter: Arthur Meijer
> > Assignee: Ivo Ladage - van Doorn
> > Fix For: 0.2.1
> >
> >
> > The LoginServiceImpl returns different error messages for different
> > scenarios.
> > "Password is incorrect" or "Username is unknown"
> > This should be replaced with "Login failed" for all error situations.
>
> --
> This message is automatically generated by JIRA.
> If you think it was sent incorrectly, please contact your JIRA
> administrators:
> http://jira.amdatu.org/jira/secure/ContactAdministrators!default.jspa
> For more information on JIRA, see: http://www.atlassian.com/software/jira
>
>
> _______________________________________________
> Amdatu-developers mailing list
> [email protected]
> http://lists.amdatu.org/mailman/listinfo/amdatu-developers
>
_______________________________________________
Amdatu-developers mailing list
[email protected]
http://lists.amdatu.org/mailman/listinfo/amdatu-developers
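The two points raised in this thread (one generic failure message for every failed login, and not echoing a possibly mistyped password into the log) in one place, as an added example that is not Amdatu's LoginServiceImpl and not code from anyone on this list. The class name, the in-memory user map, the HMAC log-tag key and the sample account are all assumptions constructed for the example; the dummy-hash comparison when the user is unknown is added so both failure branches do the same work.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical login service for illustration; not the Amdatu LoginServiceImpl. */
public class UniformLoginExample {
    private static final Logger LOG = Logger.getLogger(UniformLoginExample.class.getName());
    private static final String GENERIC_FAILURE = "Incorrect username or password";

    // Constructed key for tagging identifiers in logs. In a real deployment it lives
    // outside the log pipeline (a secret store), so log readers cannot brute-force tags.
    private static final byte[] LOG_TAG_KEY = "example-only-log-key".getBytes(StandardCharsets.UTF_8);

    // Hash compared against when the username is unknown, so both branches do equal work.
    private static final byte[] DUMMY_HASH = sha256("not-a-real-password");

    // Constructed user store: username -> SHA-256(password). Real code must use a salted,
    // slow password hash (bcrypt, scrypt or Argon2); plain SHA-256 is used only to keep
    // this example dependency-free.
    private final Map<String, byte[]> users = new HashMap<>();

    public void addUser(String username, String password) {
        users.put(username, sha256(password));
    }

    /** Returns "ok" on success, otherwise the same generic message for every failure. */
    public String login(String username, String password) {
        byte[] stored = users.get(username);
        boolean known = stored != null;
        // Always run the constant-time comparison, against a dummy hash if the user is unknown.
        boolean match = MessageDigest.isEqual(known ? stored : DUMMY_HASH, sha256(password));
        if (known && match) {
            // Safe to log: the identifier is a real account name, not arbitrary input.
            LOG.info("Login succeeded for user '" + username + "'");
            return "ok";
        }
        // The reason is still recorded server-side, but the submitted identifier is not
        // echoed: when the account is unknown it may be a password typed in the wrong field.
        LOG.info("Login failed reason=" + (known ? "bad-password" : "unknown-user")
                + " idtag=" + tag(username));
        return GENERIC_FAILURE;
    }

    /** Short keyed tag so operators can correlate repeated failures without storing the input. */
    private static String tag(String identifier) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(LOG_TAG_KEY, "HmacSHA256"));
            byte[] t = mac.doFinal(identifier.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 4; i++) {
                sb.append(String.format("%02x", t[i] & 0xff));
            }
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        UniformLoginExample svc = new UniformLoginExample();
        svc.addUser("alice", "correct horse"); // constructed sample account
        System.out.println(svc.login("alice", "correct horse")); // ok
        System.out.println(svc.login("alice", "wrong"));         // generic failure
        System.out.println(svc.login("correct horse", "alice")); // same generic failure; the log carries only an HMAC tag
    }
}
```

The third call in main is the case Denis describes: the password landed in the username field. The client sees the same message as for any other failure, and the log line records only the reason and a keyed tag, so an operator can still see that the same wrong identifier keeps being tried without the secret itself ending up in the log store.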