[ https://issues.apache.org/jira/browse/SLING-1196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12903037#action_12903037 ]

Felix Meschberger commented on SLING-1196:
------------------------------------------

Reconsidering, I am not sure whether this has really any use, because the 
information in the LoginException is not generally informative and, second, it is 
security-wise a bad idea to tell the user more than a generic "sorry, 
name/password do not match". Otherwise they might deduce that a user might 
exist and they just have to try more passwords.

> Sling Authentication - SlingAuthenticator hides LoginFailure reason
> -------------------------------------------------------------------
>
>                 Key: SLING-1196
>                 URL: https://issues.apache.org/jira/browse/SLING-1196
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>            Reporter: Hakim Sadikali
>         Attachments: SlingAuthenticator.java
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> The SlingAuthenticator does not provide the handler with the reason a login 
> failed, it only logs the reason and proceeds to try again:
>
>             // request authentication information and send 403 (Forbidden)
>             // if no handler can request authentication information.
>             log.info("authenticate: Unable to authenticate: {}",
>                 reason.getMessage());
>             log.debug("authenticate", reason);
>             login(request, response);
>
> Applications often want to provide more detailed information to the end user: 
> username not found, password does not match username, etc.
> An easy solution would be to put the LoginException in the request for the 
> login handler to have access to it, and then remove it after the login 
> handler has processed the request - works but not particularly elegant.
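As an added example (not Sling's code; it uses a stand-in LoginFailure class with assumed cause categories rather than the repository's LoginException), one way a login handler can act on the point above: keep the detailed reason in the server log under a correlation id, and hand the client only the generic message, whatever the real cause was.

```java
import java.util.UUID;
import java.util.logging.Logger;

// Added example, not Sling code: the leaky handler beside the generic one.
public class GenericLoginFailure {
    private static final Logger LOG = Logger.getLogger(GenericLoginFailure.class.getName());

    // Hypothetical stand-in for the repository's LoginException; the cause
    // categories are assumptions for this example.
    enum Cause { UNKNOWN_USER, WRONG_PASSWORD, ACCOUNT_DISABLED }

    static class LoginFailure extends Exception {
        final Cause cause;
        LoginFailure(Cause cause, String detail) { super(detail); this.cause = cause; }
    }

    // The only text a client ever receives from the hardened handler.
    static final String CLIENT_MESSAGE = "Sorry, name/password do not match";

    static final class Outcome {
        final String clientMessage, correlationId;
        Outcome(String m, String id) { clientMessage = m; correlationId = id; }
    }

    // Leaky variant: echoes the exception detail, so the response differs by cause
    // and a caller can tell "no such user" apart from "wrong password".
    static String leakyMessage(LoginFailure failure) {
        return "Login failed: " + failure.getMessage();
    }

    // Hardened variant: the real reason goes to the operator log only, keyed by an
    // id the client can quote to support; the response is identical for every cause.
    static Outcome handleFailure(String userName, LoginFailure failure) {
        String id = UUID.randomUUID().toString();
        LOG.info(() -> String.format("authenticate: login failed id=%s user=%s cause=%s detail=%s",
                id, userName, failure.cause, failure.getMessage()));
        return new Outcome(CLIENT_MESSAGE, id);
    }

    public static void main(String[] args) {
        LoginFailure[] failures = {                       // constructed sample failures
            new LoginFailure(Cause.UNKNOWN_USER, "user 'bob' not found"),
            new LoginFailure(Cause.WRONG_PASSWORD, "password mismatch for 'alice'"),
            new LoginFailure(Cause.ACCOUNT_DISABLED, "account 'carol' is disabled") };
        for (LoginFailure f : failures) {
            System.out.println("leaky   : " + leakyMessage(f));
            Outcome o = handleFailure("demo", f);
            System.out.println("hardened: " + o.clientMessage + " (ref " + o.correlationId + ")");
        }
    }
}
```

The hardened path prints the same client message three times while the log keeps the distinct causes, which is the behaviour the comment argues a handler should preserve.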
