On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:

Hi,

The same response code (401) comes back from Syncope during self-authentication [1] for both an unknown user and a known user with a wrong password.

[1] http://10.10.10.10:8080/syncope/rest/users/self

How can we distinguish between the unknown user and the known user with a wrong password?


This is on purpose: if there were different HTTP statuses, an attacker could exploit it to enumerate the existing users.

Having said that, and even though I would not advise it, there is the chance to override such behaviour - in Syncope there is always a means to override ;-) - by tweaking the Spring Security configuration: see some recent e-mails about this topic for more details.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
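The enumeration risk Francesco describes, shown as an added example that is not Syncope's or Spring Security's code: a "leaky" self-authentication handler that answers differently for an unknown user and for a wrong password, beside a uniform one that returns the same 401 on every failure, plus the attacker-side probe that tells them apart. The user store, salts, passwords and the `_pbkdf2` helper are constructed for this example; the uniform variant also runs the password hash against a dummy credential for unknown users so that the response time does not become a second oracle.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Constructed helper: PBKDF2-HMAC-SHA256 with a modest iteration count so the
# example runs quickly; a real deployment would use a higher count.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

# Constructed user store for the example: username -> (salt, password hash).
_SALT_ALICE = b"\x01" * 16
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT_ALICE, _pbkdf2("correct horse", _SALT_ALICE)),
}

# Dummy credential used on the unknown-user path so the same amount of
# hashing work happens whether or not the name exists.
_DUMMY_SALT = b"\x02" * 16
_DUMMY_HASH = _pbkdf2("unused-dummy-password", _DUMMY_SALT)

Response = Tuple[int, str]  # (HTTP status, body)


def leaky_self_auth(username: str, password: str) -> Response:
    """Leaky variant: the failure cause is visible in the status and body."""
    if username not in USERS:
        return 404, "no such user"
    salt, expected = USERS[username]
    if not hmac.compare_digest(_pbkdf2(password, salt), expected):
        return 401, "bad password"
    return 200, "ok"


def uniform_self_auth(username: str, password: str) -> Response:
    """Uniform variant: every failure is the same 401, as Syncope does."""
    known = username in USERS
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always hash, then AND with the membership check, so the unknown-user path
    # does the same work and a guess of the dummy password cannot succeed.
    matched = hmac.compare_digest(_pbkdf2(password, salt), expected)
    if not (matched and known):
        return 401, "authentication failed"
    return 200, "ok"


def enumerate_users(auth: Callable[[str, str], Response],
                    candidates: List[str]) -> List[str]:
    """Attacker-side probe: a candidate 'exists' if the response to a wrong
    password differs from the response for a name that certainly does not."""
    baseline = auth("zz-surely-not-a-user-zz", "x")
    return [u for u in candidates if auth(u, "x") != baseline]


if __name__ == "__main__":
    names = ["alice", "bob"]
    print("leaky handler leaks:", enumerate_users(leaky_self_auth, names))
    print("uniform handler leaks:", enumerate_users(uniform_self_auth, names))
```

Against the leaky handler the probe recovers `alice` from a single wrong-password request per candidate; against the uniform handler every candidate looks the same as the baseline. Note that making the status code uniform is only half of the fix: if the unknown-user path skipped the password hash, the response time would still reveal which names exist, which is why the uniform variant hashes against a dummy credential.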
