Description
Currently it always throws a very detailed exception, like
throw new FailedLoginException("User does not exist");
and
throw new FailedLoginException("Password for " + user + " does not match");
Though it's very useful during development or debugging, it can leak hints to a malicious client. We need to
provide a configurable way to throw FailedLoginException with or without a detailed message.
Likely add a property in etc/org.apache.karaf.jaas.cfg; the default value would just throw a very generic FailedLoginException without a detailed message, which would be safer for real production environments.
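A sketch of the proposed behaviour, added here as an illustration and not taken from the Karaf code base: both failure paths go through one helper that returns the detailed message only when an option enables it, so by default a client cannot tell an unknown user from a wrong password. The option name `example.detailed.login.exception`, the class name and the in-memory user map are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;
import javax.security.auth.login.FailedLoginException;

public class LoginFailureDemo {
    private static final Logger LOG = Logger.getLogger(LoginFailureDemo.class.getName());
    // Hypothetical option name; the issue does not say what the property is called.
    static final String DETAILED_KEY = "example.detailed.login.exception";

    private final Map<String, String> users; // constructed sample store, plaintext only for brevity
    private final boolean detailed;

    LoginFailureDemo(Map<String, String> users, Map<String, ?> options) {
        this.users = users;
        // A missing or unparsable value yields false: generic messages are the default.
        this.detailed = Boolean.parseBoolean(String.valueOf(options.get(DETAILED_KEY)));
    }

    void login(String user, String password) throws FailedLoginException {
        String stored = users.get(user);
        if (stored == null) {
            throw failure("User " + user + " does not exist");
        }
        byte[] expected = stored.getBytes(StandardCharsets.UTF_8);
        byte[] supplied = password.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, supplied)) {
            throw failure("Password for " + user + " does not match");
        }
    }

    // Single place that decides what the client sees; the detail always goes to the server log.
    private FailedLoginException failure(String detail) {
        LOG.fine(detail);
        return new FailedLoginException(detailed ? detail : "login failed");
    }

    public static void main(String[] args) {
        Map<String, String> users = Map.of("karaf", "s3cret"); // constructed sample account
        List<Map<String, String>> configs = List.of(Map.<String, String>of(), Map.of(DETAILED_KEY, "true"));
        for (Map<String, String> opts : configs) {
            LoginFailureDemo demo = new LoginFailureDemo(users, opts);
            for (String[] attempt : new String[][] {{"nobody", "x"}, {"karaf", "wrong"}}) {
                try {
                    demo.login(attempt[0], attempt[1]);
                } catch (FailedLoginException e) {
                    System.out.println(opts + " -> " + e.getMessage());
                }
            }
        }
    }
}
```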