Uploaded image for project: 'Karaf'
  1. Karaf
  2. KARAF-956

jaas module should throw generic FailedLoginException

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.2.5, 3.0.0
    • Component/s: None
    • Labels:
      None

      Description

      currently it always throw very detailed exception like
      throw new FailedLoginException("User does not exist");
      and
      throw new FailedLoginException("Password for " + user + " does not match");
      though it's very useful during development or debug, it can leak hint to malicious client, we need
      provide a configurable way to throw FailedLoginException with/without detailed message.
      Likely add a property in etc/org.apache.karaf.jaas.cfg, the default value is just throw very generic FailedLoginException without detailed message, this would be more safe for real productions env.

        Attachments

          Activity

            People

            • Assignee:
              ffang Freeman Fang
              Reporter:
              ffang Freeman Fang
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: