[CXF-3873] Detail exceptions in JAASLoginInInterceptor (patch) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.5
Fix Version/s: 2.5, 2.4.4
Component/s: Core
Labels:
None
Environment:

Windows

Estimated Complexity:
Unknown

Description

Hi,
I find one thing in JAASLoginInInterceptor a little bit dangerous from security perspective - exception handling.
JAASLoginInInterceptor throws different exceptions with detail error messages in cases:

if user/password are not defined (SecurityException: NO_USER_PASSWORD)
and if authentication is failed (AuthenticationException: "Unauthorized : " + ex.getMessage())
It is very practical for the development, but can give some advices to malicious application.
I will prefere to throw generic security violation exception for both cases.

Patch is attached

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

JAASLoginInterceptor-patch.java
21/Oct/11 14:59
2 kB
Andrei Shakirin
SAAJOutInterceptor-patch.java
21/Oct/11 14:55
1 kB
Andrei Shakirin

Activity

People

Assignee:: Unassigned

Reporter:: Andrei Shakirin

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 21/Oct/11 14:55

Updated:: 01/Nov/11 02:11

Resolved:: 21/Oct/11 15:27