Hi Francesco, I understand. For suspended user, the response is 401. Is it for the same reason ?
Regards, Vellingiri From: Francesco Chicchiriccò [mailto:[email protected]] Sent: Monday, October 24, 2016 12:44 PM To: [email protected] Subject: Re: Differentiating unknown user and known user with wrong password ? On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote: Hi, Same response code(401) from Syncope during self-authentication [1] for both unknown user and known user with wrong password. [1] http://10.10.10.10:8080/syncope/rest/users/self How can we distinguish between the unknown user and the known user with wrong password ? This is on purpose: if there were different HTTP statues, an attacker could exploit it to enumerate the existing users. Having said that, and even if I would not advice it, there is the chance to override such behaviour - in Syncope there is always a mean to override ;-) - by tweaking the Spring Security configuration: see some recent e-mail about this topic for more details. Regards. -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
