Karaf
  1. Karaf
  2. KARAF-956

jaas module should throw generic FailedLoginException

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.2.5, 3.0.0
    • Component/s: None
    • Labels:
      None

      Description

      currently it always throw very detailed exception like
      throw new FailedLoginException("User does not exist");
      and
      throw new FailedLoginException("Password for " + user + " does not match");
      though it's very useful during development or debug, it can leak hint to malicious client, we need
      provide a configurable way to throw FailedLoginException with/without detailed message.
      Likely add a property in etc/org.apache.karaf.jaas.cfg, the default value is just throw very generic FailedLoginException without detailed message, this would be more safe for real productions env.

        Activity

        Freeman Fang created issue -
        Freeman Fang made changes -
        Field Original Value New Value
        Status Open [ 1 ] In Progress [ 3 ]
        Freeman Fang made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Fix Version/s 2.2.5 [ 12317857 ]
        Fix Version/s 3.0.0 [ 12316040 ]
        Resolution Fixed [ 1 ]
        Jamie goodyear made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            Freeman Fang
            Reporter:
            Freeman Fang
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development