I agree. When a user provides either an invalid password or an invalid username + password combination, let's say "Invalid Credentials provided", as separating this case will narrow down the attacks. This will fix the message, while not compromising the initial design of security.
s/"Authentication failed - Invalid password provided."/"Authentication failed - Invalid credentials provided."

Will commit shortly. Thank you.

Regards,
Pradeeban.

On Tue, Jul 24, 2012 at 2:37 PM, Senaka Fernando <[email protected]> wrote:

> Hi Pradeeban,
>
> The error message needs to be fixed. It is a security bad practice. And,
> please resolve the JIRA issue appropriately after fixing.
>
> Thanks,
> Senaka.
>
> On Tue, Jul 24, 2012 at 3:16 AM, Kathiravelu Pradeeban <[email protected]> wrote:
>
>> On Tue, Jul 24, 2012 at 1:30 PM, Kathiravelu Pradeeban <[email protected]> wrote:
>>
>>> On Tue, Jul 24, 2012 at 12:48 PM, Pradeep Fernando <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> Here are the L1/L2s that are in open state.
>>>>
>>>> **L1s**
>>>> CARBON-13619 Clean up conf/README file and make catalina_server.xml as the default config file which can change the http/s ports statically. -Dileepa Jayakody
>>>> CARBON-13534 CipherTool and Secure Vault are broken in trunk -Asela Pathberiya
>>>>
>>>> **L2s**
>>>> CARBON-13635 NPE when running a load test with resource adding -Dimuthu Leelarathne
>>>> CARBON-13608 Fix jgroups.bind_addr property -Dimuthu Leelarathne
>>>> CARBON-13591 Login and logout user difference -Amila Maharachchi
>>>> CARBON-13588 Modify Security Manager to allow tenants to read Rhino code generated folder -Chethiya Abeysinghe
>>>> CARBON-13502 Ant task doesn't work to create war file [createWAR] -Pradeep
>>>> CARBON-13386 Intermittent issue: ERROR {org.infinispan.interceptors.InvocationContextInterceptor} - ISPN000136: Execution error java.lang.InterruptedException when shutting down G-reg -Dimuthu
>>>> CARBON-13208 TenantMgt AdminService invocation with wrong credentials returns too much of information to the user, but the information is also wrong -Kathiravelu Pradeeban
>>>
>>> Won't fix, as explained in CARBON-13208 <https://wso2.org/jira/browse/CARBON-13208>
>>
>> Discussed this with Thilini before closing the issue. (Before Samisa's mail on not to close the issues as "Won't fix" without discussing with the dev@. Hence resolved as "Won't Fix" before addressing the list.)
>>
>> This was implemented this way as of AmilaJ's security refactorings of commit 121445, by design.
>>
>>     if (authenticationFailureReason == AuthenticationFailureReason.INVALID_PASSWORD) {
>>         return "Authentication failed - Invalid password provided.";
>>     }
>>
>> BasicAccessAuthenticator:doAuthentication()
>>
>>     try {
>>         boolean isAuthenticated = realm.getUserStoreManager().authenticate(userName, password);
>>
>>         if (!isAuthenticated) {
>>             if (log.isDebugEnabled()) {
>>                 log.debug("Failed authentication for user " + userNameInRequest);
>>             }
>>
>>             throw new AuthenticationFailureException(
>>                     AuthenticationFailureException.AuthenticationFailureReason.INVALID_PASSWORD,
>>                     userNameInRequest);
>>         }
>>
>> Hence the above message.
>>
>> Pls shout, if you feel the message should still be thrown appropriately (i.e. instead of saying invalid password, saying either invalid username or password), where in that case, we can easily fix this message.
>>
>> Regards,
>> Pradeeban.
>>
>>> Regards,
>>> Pradeeban.
>>>
>>>> CARBON-13167 supporting web-app mode deployment of carbon in Apache Tomcat -Pradeep Fernando
>>>> CARBON-13140 wso2server.sh is not working with Solaris 10 in beta Packs -Reka Thirunavukkarasu
>>>> CARBON-12895 Cannot enable JMS transport listener from UI -dushan abeyruwan
>>>> CARBON-10230 Inconsistency of product clusters -Thilini Ishaka
>>>>
>>>> Carbon core *code freeze on tomorrow*, tentative release *date on 27th*. I need a *progress update of each of the issues before EOD today.* (working on it / not started / not possible with this release / etc.)
>>>>
>>>> regarding two issues assigned to me - will try to make them available in this release. Otherwise they will go out in a point release.
>>>>
>>>> thanks,
>>>> --Pradeep
>
> --
> *Senaka Fernando*
> Member - Integration Technologies Management Committee;
> Technical Lead; WSO2 Inc.; http://wso2.com
> Member; Apache Software Foundation; http://apache.org
>
> E-mail: senaka AT wso2.com
> P: +1 408 754 7388; ext: 51736; M: +94 77 322 1818
> Linked-In: http://linkedin.com/in/senakafernando
>
> *Lean . Enterprise . Middleware*

--
Kathiravelu Pradeeban.
Cloud Technologies Team.
WSO2 Inc.

Blog: [Llovizna] http://kkpradeeban.blogspot.com/
M: +94 776 477 976
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
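The point Senaka raises, in working code. This is an added example and not WSO2 Carbon code: the in-memory `UserStore`, the `FailureReason` enum, the `login` and `enumerate_users` helpers, the `uniform` switch and the "User does not exist." wording for the unknown-user branch are all assumptions made here for illustration (the thread only shows the `INVALID_PASSWORD` branch). The leaky policy reproduces the pattern under discussion: the text of the failure message tells the caller which check failed, so a username is confirmed with one junk-password probe. The uniform policy returns "Authentication failed - Invalid credentials provided." for both failures and keeps the reason in the server-side debug log, which is where the quoted `log.debug` already put it. The example goes one step past the thread: an unknown user still costs one password-hash computation, so response timing does not reintroduce the oracle that the message fix removes.

```python
"""Authentication failure messages: leaky vs. uniform (added example, not Carbon code)."""
import hashlib
import hmac
import os
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Deliberately low so the demo runs quickly; use a real KDF setting in production.
PBKDF2_ROUNDS = 20_000


class FailureReason(Enum):
    """Internal reason for a failed login; the uniform policy never sends it to the client."""
    UNKNOWN_USER = "unknown user"
    INVALID_PASSWORD = "invalid password"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    """Hypothetical in-memory user store standing in for realm.getUserStoreManager()."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        # Dummy credential: an unknown user still costs exactly one hash computation,
        # so the response time does not reveal whether the account exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash(os.urandom(16).hex(), self._dummy_salt)

    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt))

    def check(self, name: str, password: str) -> Optional[FailureReason]:
        """None on success, otherwise the internal failure reason."""
        record = self._users.get(name)
        salt, expected = record if record is not None else (self._dummy_salt, self._dummy_hash)
        matches = hmac.compare_digest(_hash(password, salt), expected)
        if record is None:
            return FailureReason.UNKNOWN_USER  # hash was computed anyway
        return None if matches else FailureReason.INVALID_PASSWORD


# The message the thread replaces, and the one it is replaced with.
LEAKY_MESSAGES = {
    FailureReason.INVALID_PASSWORD: "Authentication failed - Invalid password provided.",
    # Assumed wording for the other branch; the thread does not show it.
    FailureReason.UNKNOWN_USER: "Authentication failed - User does not exist.",
}
UNIFORM_MESSAGE = "Authentication failed - Invalid credentials provided."


def login(store: UserStore, user: str, password: str, uniform: bool, debug_log: List[str]) -> str:
    """Response body the client sees. The reason goes only to the server-side debug log."""
    reason = store.check(user, password)
    if reason is None:
        return "OK"
    debug_log.append(f"Failed authentication for user {user!r}: {reason.value}")
    return UNIFORM_MESSAGE if uniform else LEAKY_MESSAGES[reason]


def enumerate_users(store: UserStore, uniform: bool, candidates: List[str]) -> List[str]:
    """Attacker's view of the oracle: probe each candidate with a junk password and keep
    those whose response differs from the response for a name that certainly does not exist."""
    sink: List[str] = []
    probe_password = "not-the-real-password"
    baseline = login(store, os.urandom(16).hex(), probe_password, uniform, sink)
    return [c for c in candidates if login(store, c, probe_password, uniform, sink) != baseline]


if __name__ == "__main__":
    store = UserStore()
    store.add("admin", "correct horse battery staple")  # constructed sample account
    candidates = ["admin", "guest", "pradeeban"]
    print("leaky:  ", enumerate_users(store, uniform=False, candidates=candidates))
    print("uniform:", enumerate_users(store, uniform=True, candidates=candidates))
```

With the leaky messages the probe confirms `admin` and rules out the other two names; with the uniform message every candidate gets the same response as the random baseline name and the list comes back empty, while the debug log still records which check actually failed for each attempt.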
