DO NOT REPLY [Bug 25953] - Add ability for Realm authentication to tell the user the reason for auth failure

2004-01-30 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25953.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25953

Add ability for Realm authentication to tell the user the reason for auth failure





--- Additional Comments From [EMAIL PROTECTED]  2004-01-30 09:45 ---
Yep, that's obviously a case where you would be reducing security by handing the
potential hacker information - though that kind of message really isn't what
this RFE was for - I was trying to address the situation where a legitimate user
has the right username and password, but their account has been disabled or
expired for some reason, and the authentication mechanism would like to tell the
user why.

I can understand that the API change isn't worth the pain though - if API
friction wasn't a problem, it would be nice to find a way to state a contract to
only return the 'right' sort of information, i.e. information that doesn't impact
on security. In the case of JAAS you could say that, hey, explicitly reporting
an AccountExpiredException is ok, but a FailedLoginException should have a
generic message.

Roberto

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Add ability for Realm authentication to tell the user the reason for auth failure

2004-01-29 Thread Remy Maucherat
[Carlos H.] wrote:
On Friday 23 January 2004 20:59, Remy Maucherat wrote:

- 26236 about the JAAS realm: it would be a very useful fix, and
shouldn't be too complex


Well... I've tried to reproduce the bug... I've created my own LoginModule, 
and two classes which implement the java.security.Principal interface (one for 
the user principal and the other for the role principals) just like the bug 
description said, and it worked fine! 

I also couldn't figure out how the method hasRole() in the RealmBase class can 
be related to this problem because the method createPrincipal() (which is 
called by the authenticate() method in the JAASRealm class) creates a 
GenericPrincipal, as expected by the hasRole() method. 

I think the problem can be related to the LoginModule of the user application, 
maybe it's not returning any RolePrincipal or something like that.

As a new guy to the tomcat source-code, I can be just misunderstanding 
something... any ideas?

Thanks in advance!
Yes, I don't fully understand the bug report. You should add your 
comments to the bug: it is useful information.

Rémy



DO NOT REPLY [Bug 25953] - Add ability for Realm authentication to tell the user the reason for auth failure

2004-01-29 Thread bugzilla

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25953

Add ability for Realm authentication to tell the user the reason for auth failure

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||WONTFIX



--- Additional Comments From [EMAIL PROTECTED]  2004-01-29 22:29 ---
The problem is that it isn't worth the pain of changing the API just to make 
this feature possible; maybe when refactoring the realms API (I'm not saying 
it's gonna happen) it can be done.




DO NOT REPLY [Bug 25953] - Add ability for Realm authentication to tell the user the reason for auth failure

2004-01-29 Thread bugzilla

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25953

Add ability for Realm authentication to tell the user the reason for auth failure





--- Additional Comments From [EMAIL PROTECTED]  2004-01-29 23:23 ---
For the record, the design of the Realm API in this regard was intentional. 
Telling your user that they got the password wrong (for example) tells a
potential hacker that they got the username right.  That's a bad security practice.

Craig McClanahan




Re: Add ability for Realm authentication to tell the user the reason for auth failure

2004-01-28 Thread [Carlos H.]
On Friday 23 January 2004 20:59, Remy Maucherat wrote:
 - 26236 about the JAAS realm: it would be a very useful fix, and
 shouldn't be too complex

Well... I've tried to reproduce the bug... I've created my own LoginModule, 
and two classes which implement the java.security.Principal interface (one for 
the user principal and the other for the role principals) just like the bug 
description said, and it worked fine! 

I also couldn't figure out how the method hasRole() in the RealmBase class can 
be related to this problem because the method createPrincipal() (which is 
called by the authenticate() method in the JAASRealm class) creates a 
GenericPrincipal, as expected by the hasRole() method. 

I think the problem can be related to the LoginModule of the user application, 
maybe it's not returning any RolePrincipal or something like that.

As a new guy to the tomcat source-code, I can be just misunderstanding 
something... any ideas?

Thanks in advance!

-- 
Carlos H. ([EMAIL PROTECTED])
Núcleo de Informática UNERJ
UNERJ - Centro Universitário de Jaraguá do Sul








Add ability for Realm authentication to tell the user the reason for auth failure

2004-01-23 Thread [Carlos H.]
Hi all, 

First of all: My name is Carlos and I'm new here. (I have entered the list a 
few days ago) And I'm still trying to understand the tomcat source code... 
oh... and I'm not from the USA... my English is not perfect, but I hope I can be 
useful anyway ;)

I was looking for something to work on, and I found this in BugZilla: 
http://issues.apache.org/bugzilla/show_bug.cgi?id=25953

I know this is a minor enhancement but I think it's a good place for me to 
start. Before starting to code (or even thinking about it) I would like to know 
if anyone already did it!

Thinking about the issue, I couldn't figure out how to do it without changing 
the signature of the authenticate() method (which is the worst choice, I 
think) or creating a new method that can throw some kind of exception to be 
caught by the user application (maybe deprecating the authenticate() ??). Do 
you have any ideas?

Thanks in advance for your help . 

-- 
Carlos H. ([EMAIL PROTECTED])





Re: Add ability for Realm authentication to tell the user the reason for auth failure

2004-01-23 Thread Remy Maucherat
[Carlos H.] wrote:

Hi all, 

First of all: My name is Carlos and I'm new here. (I have entered the list a 
few days ago) And I'm still trying to understand the tomcat source code... 
oh... and I'm not from the USA... my English is not perfect, but I hope I can be 
useful anyway ;)

I was looking for something to work on, and I found this in BugZilla: 
http://issues.apache.org/bugzilla/show_bug.cgi?id=25953
I know this is a minor enhancement but I think it's a good place for me to 
start. Before starting to code (or even thinking about it) I would like to know 
if anyone already did it!

Thinking about the issue, I couldn't figure out how to do it without changing 
the signature of the authenticate() method (which is the worst choice, I 
think) or creating a new method that can throw some kind of exception to be 
caught by the user application (maybe deprecating the authenticate() ??). Do 
you have any ideas?
Not really ;)
This may not be the best bug to start with, although it does sound 
simple. The problems are:
- likely there will be an API change needed
- not all realms may support every error message, and all will need 
different impls
- if most realms don't support it, then the feature is useless, so isn't 
worth the pain of the API change mentioned above

So to summarize, I think you should pick another bug :)

So ideas:
- lurk in the TC 4 bugs like Mark is doing to see if anything still 
applies to TC 5
- work on the admin webapp (some patches pending - testing needed ! - 
and a few bugs open)
- 26236 about the JAAS realm: it would be a very useful fix, and 
shouldn't be too complex

Rémy



DO NOT REPLY [Bug 25953] New: - Add ability for Realm authentication to tell the user the reason for auth failure

2004-01-07 Thread bugzilla

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25953

Add ability for Realm authentication to tell the user the reason for auth failure

   Summary: Add ability for Realm authentication to tell the user
the reason for auth failure
   Product: Tomcat 5
   Version: 5.0.16
  Platform: All
OS/Version: All
Status: NEW
  Severity: Enhancement
  Priority: Other
 Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


Currently Realm authentication has no way to tell the user precisely what went
wrong with their login request. The authenticate() methods in the Realm
interface return an authenticated Principal or null to indicate authentication
failure - no helpful information, such as 'Your Account has been disabled' or
'Your Account has expired', can be returned by the underlying authentication
service.

Personally, I'm particularly interested in the JAASRealm implementation. JAAS
allows the LoginContext implementation to return a
javax.security.auth.login.LoginException in the case of failure, with useful
subclasses like 'AccountExpiredException'. Currently Catalina's JAASRealm will
log these exceptions, but due to the signature of the authenticate() method in
the Realm interface, can't return that information to the user and has to throw
it away. (There's also the possibility of the JAAS authenticator making a
TextOutputCallback, though this is currently unsupported by the catalina
JAASCallbackHandler, and it's not immediately obvious to me how it could be...!)

Adding the facility to return this information would allow a better user
experience to be supported - not at the expense of security, it's not the
intention to return messages like 'You got the username right, but have another
go at the password!' - but it's hard to see how it could be done without a
change to the Realm interface, probably breaking external implementations of Realm.

Do you fine folks have any ideas?!

cheers,

Roberto

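As an added example that is not part of this thread and not Tomcat's JAASRealm code, the Java sketch below shows the contract Roberto describes and Craig's objection side by side: a JAAS LoginContext is driven the way the report says JAASRealm drives it, but instead of Principal-or-null it returns a result object whose message is filtered so that AccountExpiredException and CredentialExpiredException are reported, while FailedLoginException and every other failure collapse to one generic text that is identical for a wrong username and a wrong password. The class names SafeJaasAuthenticator and AuthResult, the JAAS configuration entry name passed to the constructor, the choice of the first Principal as the user principal and the message strings are all assumptions of this example.

```java
import java.security.Principal;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Hypothetical wrapper around a JAAS LoginContext (example code, not Tomcat's
 * JAASRealm). It returns an AuthResult instead of Principal-or-null, and the
 * message it carries never confirms whether the username exists.
 */
public final class SafeJaasAuthenticator {

    /** Result type assumed by this example; the Realm API discussed above has none. */
    public static final class AuthResult {
        public final Principal principal;  // null when authentication failed
        public final String userMessage;   // text that is safe to show the end user

        AuthResult(Principal principal, String userMessage) {
            this.principal = principal;
            this.userMessage = userMessage;
        }

        public boolean isAuthenticated() {
            return principal != null;
        }
    }

    private static final Logger LOG = Logger.getLogger(SafeJaasAuthenticator.class.getName());

    /** One message for every credential failure: unknown user and wrong password look identical. */
    static final String GENERIC_FAILURE = "Invalid username or password.";

    private final String appName; // entry name in the JAAS login configuration (assumed)

    public SafeJaasAuthenticator(String appName) {
        this.appName = appName;
    }

    public AuthResult authenticate(String username, char[] password) {
        // Answers the NameCallback/PasswordCallback that a typical LoginModule issues.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "not supported by this example");
                }
            }
        };

        LoginContext context;
        try {
            context = new LoginContext(appName, handler);
            context.login();
        } catch (LoginException e) {
            // The precise reason stays in the server log for operators; the user
            // only ever sees the filtered message.
            LOG.log(Level.INFO, "JAAS login failed for '" + username + "': " + e.getClass().getName());
            return new AuthResult(null, messageFor(e));
        }

        Subject subject = context.getSubject();
        // Simplification for the example: the first Principal is taken as the user principal.
        Principal user = subject.getPrincipals().isEmpty()
                ? null : subject.getPrincipals().iterator().next();
        return user == null
                ? new AuthResult(null, GENERIC_FAILURE)
                : new AuthResult(user, null);
    }

    /**
     * Decides what the user may be told. Only account-state conditions that a
     * LoginModule raises after the credential has already been verified get a
     * specific message; FailedLoginException and everything else (including
     * configuration errors) collapse to the generic text.
     */
    static String messageFor(LoginException e) {
        if (e instanceof AccountExpiredException) {
            return "Your account has expired. Please contact an administrator.";
        }
        if (e instanceof CredentialExpiredException) {
            return "Your password has expired and must be changed.";
        }
        return GENERIC_FAILURE;
    }
}
```

The filtering in messageFor is only as safe as the LoginModule behind it: if a module throws AccountExpiredException before it has checked the password, the specific message still confirms that the account exists, which is exactly the leak Craig describes. The specific messages are therefore appropriate only when the module is known to verify the credential first; the full exception class is logged server-side either way, so operators can still see repeated failures against one account without the client learning anything.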