[Bug 63336] Currently there is no way to know in form error page that the user was not authenticated because it was locked out

bugzilla Wed, 10 Apr 2019 09:39:36 -0700

https://bz.apache.org/bugzilla/show_bug.cgi?id=63336


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
This has been discussed previously and will not be implemented in Tomcat since
informing an attacker that an account has been locked is a (minor) security
vulnerability.

Users are free to extend Tomcat to provide this functionality in their apps if
they wish.

Requests to modify Tomcat to make this sort of extension easier are likely to
be looked on favourably - especially if patches are provided.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 63336] Currently there is no way to know in form error page that the user was not authenticated because it was locked out

Reply via email to