[ https://issues.apache.org/jira/browse/DIRSERVER-640?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny resolved DIRSERVER-640.
-----------------------------------------

    Resolution: Won't Fix

Providing more information is a potential security breach. Enough to say that 
the authentication failed, no need to tell the user why (i.e., if we tell him that the 
credentials are not correct, then that implies the user name exists).

> bring error hints from CustomAuthenticators extending AbstractAuthenticator 
> back to the client.
> -----------------------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-640
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-640
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: ldap
>    Affects Versions: 1.0-RC3
>         Environment: windows/linux
>            Reporter: Ralf Hauser
>             Fix For: 2.0.0-RC1
>
>         Attachments: AuthenticationService.java.patch
>
>
> For the authentication, I use a CustomAuthenticator that extends 
> AbstractAuthenticator.
> If the authentication fails I use LdapAuthenticationException or 
> LdapNoPermissionException and I appreciate a lot to be able to provide some 
> hint (String explanation) why the exception was thrown.
> Unfortunately, this hint never reaches the client. I only see "error code 49 
> - Bind failed" - the equivalent is visible in the server log as
> <<Ldap Result
>             Result code : (ResultCodeEnum[INVALIDCREDENTIALS=49]) 
> invalidCredentials
>             Matched DN : 'null'
>             Error message : 'Bind failed'>>
> It appears that the culprit is 
> org.apache.directory.server.core.authn.AuthenticationService.bind(NextInterceptor
>  next, Name bindDn, byte[] credentials, List mechanisms, String saslAuthId) 
> throws NamingException
>  where that exception is caught, neither its class is analyzed in detail nor 
> is there any attempt to use "explanations" when re-throwing even though an 
> LdapAuthenticationException constructor does exist that takes a "msg" for 
> explanations.
> Therefore my suggestion: please make sure that it is possible to provide a 
> user more information by optionally appending an "explanation" to the 'Bind 
> failed' a client currently sees in an LDAP client.
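The trade-off in the resolution above, as an added illustration that is not ApacheDS code: a hypothetical custom authenticator raises detailed reasons ("no such entry" versus "password mismatch"), and the bind handler either answers uniformly with result code 49 / 'Bind failed' while keeping the detail in the server log, or appends the explanation the reporter asked for. The `distinguishable` check shows that only the second variant lets a client learn whether a DN exists. The directory contents, DNs and passwords are constructed sample data.

```python
import logging
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: exactly one entry exists. The password is stored
# in the clear only to keep the illustration short; a real server stores a hash.
USERS = {"uid=alice,ou=people,dc=example,dc=com": "correct horse"}

INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials, as in the quoted log
SUCCESS = 0

@dataclass(frozen=True)
class LdapResult:
    """Mirrors the fields shown in the quoted server log."""
    result_code: int
    matched_dn: Optional[str]
    error_message: str

class AuthenticationError(Exception):
    """Raised by the hypothetical authenticator with a server-side explanation."""

def custom_authenticate(bind_dn: str, credentials: bytes) -> None:
    """Hypothetical authenticator: produces the detailed hints the reporter wants."""
    stored = USERS.get(bind_dn)
    if stored is None:
        raise AuthenticationError("no such entry")
    if credentials.decode() != stored:
        raise AuthenticationError("password mismatch")

def bind(bind_dn: str, credentials: bytes, leak_explanation: bool = False) -> LdapResult:
    """Bind handler. leak_explanation=False is the uniform answer the resolution
    defends; True appends the authenticator's hint to the client-visible message."""
    try:
        custom_authenticate(bind_dn, credentials)
    except AuthenticationError as exc:
        # The explanation is still useful to operators: it goes to the server log only.
        logging.getLogger("bind-audit").info("bind failed for %s: %s", bind_dn, exc)
        msg = "Bind failed"
        if leak_explanation:
            msg = f"{msg}: {exc}"
        return LdapResult(INVALID_CREDENTIALS, None, msg)
    return LdapResult(SUCCESS, bind_dn, "")

def distinguishable(dn_a: str, dn_b: str, leak_explanation: bool) -> bool:
    """True if a client with a wrong password can tell the two DNs apart."""
    return bind(dn_a, b"wrong", leak_explanation) != bind(dn_b, b"wrong", leak_explanation)
```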

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
