Hi Francesco,

I added suspended to the authentication.statuses parameter, but the response is still "401 Unauthorized".

Regards,
Vellingiri

From: Francesco Chicchiriccò [mailto:[email protected]]
Sent: Monday, October 24, 2016 8:30 PM
To: [email protected]
Subject: Re: Differentiating unknown user and known user with wrong password?

On 24/10/2016 16:52, Mani, Vellingiri (Nokia - IN) wrote:

> Hi Francesco,
> I understand. For a suspended user, the response is 401. Is it for the same reason?

Not quite: this is because of the authentication.statuses configuration parameter
https://syncope.apache.org/docs/reference-guide.html#configuration-parameters
which does not contain 'suspended' by default; when you add it to the list of supported statuses for authentication, suspended users will be able to authenticate themselves.

HTH
Regards.

From: Francesco Chicchiriccò [mailto:[email protected]]
Sent: Monday, October 24, 2016 12:44 PM
To: [email protected]
Subject: Re: Differentiating unknown user and known user with wrong password?

On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:

> Hi,
> Same response code (401) from Syncope during self-authentication [1] for both an unknown user and a known user with wrong password.
>
> [1] http://10.10.10.10:8080/syncope/rest/users/self
>
> How can we distinguish between the unknown user and the known user with wrong password?

This is on purpose: if there were different HTTP statuses, an attacker could exploit it to enumerate the existing users.

Having said that, and even if I would not advise it, there is the chance to override such behaviour - in Syncope there is always a means to override ;-) - by tweaking the Spring Security configuration: see some recent e-mail about this topic for more details.

Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
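The behaviour discussed in this thread, as an added illustration that is not Syncope's code: one self-authentication check that returns an identical 401 for an unknown user, a wrong password and a user whose status is not in the allowed list, with the status list standing in for the authentication.statuses parameter. The user records, the salt and the allowed-status default are constructed for the example; the dummy-hash step that keeps the work equal for unknown users is my addition and is not something the thread states.

```python
import hashlib
import hmac

ITERATIONS = 50_000
_SALT = b"constructed-salt"  # single constructed salt to keep the example short


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, password hash, status).
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT), "active"),
    "bob": (_SALT, _hash("battery staple", _SALT), "suspended"),
}

# Hash compared against when the username is unknown, so the same amount of
# work is done whether or not the user exists (my addition, not in the thread).
_DUMMY_HASH = _hash("dummy-placeholder", _SALT)

# Stands in for the authentication.statuses parameter from the thread; as in
# Syncope's default, "suspended" is not included.
DEFAULT_STATUSES = ["active"]

# One fixed failure response: status code and body never vary by cause.
UNAUTHORIZED = (401, "Unauthorized")


def authenticate(username, password, statuses=DEFAULT_STATUSES):
    """Return (status_code, body) for a self-authentication attempt.

    Unknown user, wrong password and disallowed user status all produce the
    same UNAUTHORIZED tuple, so the caller cannot tell the cases apart.
    """
    record = USERS.get(username)
    salt, stored, status = record if record else (_SALT, _DUMMY_HASH, None)
    # Always run the hash and a constant-time compare, even for unknown users.
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if record is None or not password_ok or status not in statuses:
        return UNAUTHORIZED
    return (200, f"self: {username} ({status})")
```

Adding "suspended" to the statuses list, as Francesco describes, is what lets the suspended user in; every other failure still looks exactly the same from outside.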
