Werner,

On 10/15/21 09:10, Werner Dähn wrote:
> Thanks Mark. Why do you believe the refactoring is difficult? All we
> actually need is access to the response object.

... which requires a lot of refactoring. Have a look at all the code
that handles authentication in Tomcat.

> This would allow us to
Thanks Mark. Why do you believe the refactoring is difficult? All we
actually need is access to the response object. This would allow us to add
session data, URL parameters, whatever. And this response object is
available everywhere except in the actual RealmBase. By my analysis the
change would be ra
On 15/10/2021 07:05, Werner Dähn wrote:
> So why has this not been done? What am I missing?

Accepted security good practice is not to provide any information to a
user as to the reason for a failed authentication. The idea is that it
could help an attacker by, for example, letting them know
I know it has been asked dozens of times, but the response is always "Cannot
be done in a standard way".
But why can't we change Tomcat to provide further details to the error page
of why the login failed?
I would have thought Tomcat could support that easily without any backward
compatibility issue: