[Bug 65635] Methods to return auth errors

2023-01-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65635

--- Comment #5 from Werner Daehn  ---
I had that sitting as enhancement for more than a year without a single
comment.
Not returning proper error messages could be considered a bug, especially when
it is at something as important as security and when the fix is rather simple
(unless I am mistaken).

The change I would make is a ...throws LoginException
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/Realm.java#L83

and in
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/authenticator/FormAuthenticator.java#L244

catch the exception and add it to forwardToErrorPage() as attribute.
I just do not feel qualified to make the code changes with all the accompanying
processes myself. And obviously the other auth methods should benefit as
well.


I am just trying to help make Tomcat better, not to create waves. Your
decision.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 65635] Methods to return auth errors

2023-01-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65635

Mark Thomas  changed:

   What|Removed |Added

   Severity|critical|enhancement

--- Comment #4 from Mark Thomas  ---
Restore correct severity. This is an enhancement request, not a bug.




[Bug 65635] Methods to return auth errors

2023-01-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65635

--- Comment #3 from Werner Daehn  ---
Meaning what? Did I enter the bug wrong? Do you feel that this is a user
question and not a bug/limitation? 

I am not getting your point.




[Bug 65635] Methods to return auth errors

2023-01-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65635

--- Comment #2 from Michael Osipov  ---
You want to go the users@ mailing list.




[Bug 65635] Methods to return auth errors

2023-01-11 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65635

Werner Daehn  changed:

   What|Removed |Added

   Severity|enhancement |critical

--- Comment #1 from Werner Daehn  ---
I'd like to raise the priority on this as I feel it is an issue for almost all
web applications. People either accept it grudgingly or write their own
Filter/Valve bypassing all Tomcat security features and the flexibility they
provide.

Upon further digging, it seems you have faced the same problem. 
In the JAASRealm you catch all the different exceptions and swallow the
information.
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/realm/JAASRealm.java#L441

If I am not mistaken, an easy and backward compatible solution would be to
allow all the versions of `authenticate()` to throw exceptions. Best would be a
hierarchy of exceptions: LoginException --> LoginWithWarningException

These Exceptions are then used in the RealmBase to do different things.
Redirect to the error page with the exception details being attached. Redirect
to the target page but with the login warning information attached.

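The two proposals in this thread (Comment #1: a `LoginException --> LoginWithWarningException` hierarchy that the authenticator reacts to differently; Comment #5: let `Realm.authenticate()` throw and hand the reason to the error page as an attribute) describe the same flow. The sketch below is an added example written for this page, not Tomcat code and not a patch from the reporter: `ThrowingRealm`, `LoginWithWarningException`, `Outcome` and the `org.example.auth.*` attribute names are hypothetical stand-ins, a plain `Map` stands in for request attributes, and the in-memory realm is constructed demo data. It also adds the caveat a reviewer would raise on such a change: the standard JAAS exception types are mapped to user-visible text so that account-state problems the user needs to know about (expired account, expired credential, locked account) are surfaced, while "unknown user" and "wrong password" deliberately collapse to one message, because distinguishing them on the error page would let an anonymous visitor confirm which usernames exist.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class AuthErrorSketch {

    /** Hypothetical subtype from the proposal: login succeeded, but the user should see a warning. */
    public static class LoginWithWarningException extends LoginException {
        private final Principal principal;
        public LoginWithWarningException(String msg, Principal principal) {
            super(msg);
            this.principal = principal;
        }
        public Principal getPrincipal() { return principal; }
    }

    /** Hypothetical stand-in for Realm.authenticate(username, credentials), now allowed to throw. */
    public interface ThrowingRealm {
        Principal authenticate(String username, String credentials) throws LoginException;
    }

    /** Result of one attempt: which page the authenticator forwards to and what it attaches. */
    public static final class Outcome {
        public final Principal principal;                              // non-null when the request may proceed
        public final String page;                                      // "target" or "error"
        public final Map<String, Object> attributes = new HashMap<>(); // stands in for request attributes
        Outcome(Principal principal, String page) { this.principal = principal; this.page = page; }
    }

    // Hypothetical attribute names; a real implementation would pick its own.
    public static final String ATTR_REASON  = "org.example.auth.reason";
    public static final String ATTR_WARNING = "org.example.auth.warning";

    /**
     * Maps a LoginException to text that is safe to show an anonymous visitor.
     * Unknown user and wrong password collapse to the same message on purpose, so the
     * error page cannot be used to tell valid usernames from invalid ones.
     */
    static String userVisibleReason(LoginException e) {
        if (e instanceof AccountExpiredException)    return "Your account has expired.";
        if (e instanceof AccountLockedException)     return "Your account is locked.";
        if (e instanceof CredentialExpiredException) return "Your password has expired and must be changed.";
        return "Invalid username or password.";      // FailedLoginException and anything else
    }

    /** Authenticator side of the proposal: catch, classify, attach, choose the page. */
    public static Outcome authenticate(ThrowingRealm realm, String username, String credentials) {
        try {
            Principal p = realm.authenticate(username, credentials);
            if (p == null) {                         // realm still using the old null-on-failure contract
                Outcome o = new Outcome(null, "error");
                o.attributes.put(ATTR_REASON, "Invalid username or password.");
                return o;
            }
            return new Outcome(p, "target");
        } catch (LoginWithWarningException w) {      // success with warning: continue, carry the warning along
            Outcome o = new Outcome(w.getPrincipal(), "target");
            o.attributes.put(ATTR_WARNING, w.getMessage());
            return o;
        } catch (LoginException e) {                 // failure: sanitized reason goes to the error page
            Outcome o = new Outcome(null, "error");
            o.attributes.put(ATTR_REASON, userVisibleReason(e));
            // e.getMessage() may contain backend detail; log it server-side, never attach it to the page
            return o;
        }
    }

    /** Constructed in-memory realm for the demo; the messages mimic what a backend might say. */
    static final ThrowingRealm DEMO_REALM = (user, pass) -> {
        switch (user) {
            case "alice":
                if ("secret".equals(pass)) return () -> "alice";
                throw new FailedLoginException("bad password for alice");
            case "bob":
                throw new AccountExpiredException("bob expired 2022-12-31");
            case "carol":
                if ("secret".equals(pass)) throw new LoginWithWarningException("Password expires in 3 days", () -> "carol");
                throw new FailedLoginException("bad password for carol");
            default:
                throw new FailedLoginException("no such user " + user);
        }
    };

    public static void main(String[] args) {
        String[][] attempts = { {"alice", "secret"}, {"alice", "wrong"}, {"nobody", "x"}, {"bob", "x"}, {"carol", "secret"} };
        for (String[] a : attempts) {
            Outcome o = authenticate(DEMO_REALM, a[0], a[1]);
            System.out.printf("%-7s -> %-6s %s%n", a[0], o.page, o.attributes);
        }
    }
}
```

Running `main` shows "alice"/"wrong" and "nobody"/"x" producing the identical error attribute, "bob" reaching the error page with the account-expired text, and "carol" continuing to the target page with the warning attached; the backend detail in each exception message never leaves the server.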



[Bug 65635] Methods to return auth errors

2021-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65635

Mark Thomas  changed:

   What|Removed |Added

   Severity|normal  |enhancement




[Bug 65635] Methods to return auth errors

2021-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65635

Werner Daehn  changed:

   What|Removed |Added

 OS||All
 CC||werner.da...@googlemail.com
