Karaf
  1. Karaf
  2. KARAF-956

jaas module should throw generic FailedLoginException

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.2.5, 3.0.0
    • Component/s: None
    • Labels:
      None

      Description

      currently it always throw very detailed exception like
      throw new FailedLoginException("User does not exist");
      and
      throw new FailedLoginException("Password for " + user + " does not match");
      though it's very useful during development or debug, it can leak hint to malicious client, we need
      provide a configurable way to throw FailedLoginException with/without detailed message.
      Likely add a property in etc/org.apache.karaf.jaas.cfg, the default value is just throw very generic FailedLoginException without detailed message, this would be more safe for real productions env.

        Activity

        Hide
        Freeman Fang added a comment -

        commit fix
        http://svn.apache.org/viewvc?rev=1188030&view=rev for trunk
        http://svn.apache.org/viewvc?rev=1188029&view=rev for 2.2.x branch
        the default behavior is not throw detailed message like "User does not exist" and "Password for " + user + " does not match" which might be used by malicious client, just a generic "login failed" message.
        Can add detailed.login.exception = true
        in etc/org.apache.karaf.jaas.cfg
        to throw detailed message

        Show
        Freeman Fang added a comment - commit fix http://svn.apache.org/viewvc?rev=1188030&view=rev for trunk http://svn.apache.org/viewvc?rev=1188029&view=rev for 2.2.x branch the default behavior is not throw detailed message like "User does not exist" and "Password for " + user + " does not match" which might be used by malicious client, just a generic "login failed" message. Can add detailed.login.exception = true in etc/org.apache.karaf.jaas.cfg to throw detailed message

          People

          • Assignee:
            Freeman Fang
            Reporter:
            Freeman Fang
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development