On 24/10/2016 16:52, Mani, Vellingiri (Nokia - IN) wrote:
Hi Francesco,
I understand. For suspended user, the response is 401. Is it for the
same reason ?
Not quite: this is because of the authentication.statuses configuration
parameter
https://syncope.apache.org/docs/reference-guide.html#configuration-parameters
which does not contain 'suspended' by default; when you add it to the
list of supported statuses for authentication, suspended users will be
able to authenticate themselves.
HTH
Regards.
*From:*Francesco Chicchiriccò [mailto:[email protected]]
*Sent:* Monday, October 24, 2016 12:44 PM
*To:* [email protected]
*Subject:* Re: Differentiating unknown user and known user with wrong
password ?
On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:
Hi,
Same response code(401) from Syncope during self-authentication
[1] for both unknown user and known user with wrong password.
[1] http://10.10.10.10:8080/syncope/rest/users/self
How can we distinguish between the unknown user and the known user
with wrong password ?
This is on purpose: if there were different HTTP statuses, an attacker
could exploit it to enumerate the existing users.
Having said that, and even if I would not advise it, there is the
chance to override such behaviour - in Syncope there is always a means
to override ;-) - by tweaking the Spring Security configuration: see
some recent e-mail about this topic for more details.
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
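The two points made in this thread, shown side by side as an added, constructed example (not Syncope's code): a login check that leaks account existence through distinct HTTP statuses, next to one that collapses every failure to 401 and gates accounts on an allowed-status list in the spirit of authentication.statuses. It goes one step beyond the thread by also hashing a dummy password for unknown users so that response time does not reveal what the status code hides; the user store, salt and passwords are constructed values.

```python
import hashlib
import hmac

# Constructed in-memory user store: username -> (salt, password hash, status).
_SALT = b"constructed-salt"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT), "active"),
    "bob":   (_SALT, _hash("hunter2", _SALT), "suspended"),
}
_DUMMY = _hash("", _SALT)  # hashed for unknown users so timing stays uniform

# Statuses allowed to authenticate; 'suspended' is absent by default,
# mirroring the authentication.statuses default described in the thread.
AUTH_STATUSES = ("active",)

def leaky_login(username: str, password: str) -> int:
    """Anti-pattern: each failure gets its own status, so 404 vs 401 tells
    a caller whether the account exists and 403 whether it is suspended."""
    if username not in USERS:
        return 404
    salt, digest, status = USERS[username]
    if not hmac.compare_digest(digest, _hash(password, salt)):
        return 401
    if status not in AUTH_STATUSES:
        return 403
    return 200

def uniform_login(username: str, password: str,
                  allowed: tuple = AUTH_STATUSES) -> int:
    """Syncope-style behaviour: unknown user, wrong password and disallowed
    status all answer 401, and the hash is always computed."""
    salt, digest, status = USERS.get(username, (_SALT, _DUMMY, "unknown"))
    ok = hmac.compare_digest(digest, _hash(password, salt))
    return 200 if ok and status in allowed else 401
```

Passing `allowed=("active", "suspended")` to `uniform_login` is the equivalent of adding 'suspended' to authentication.statuses: bob can then log in, while an unknown user or a wrong password still gets 401.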