
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25953

Add ability for Realm authentication to tell the user the reason for auth failure

           Summary: Add ability for Realm authentication to tell the user
                    the reason for auth failure
           Product: Tomcat 5
           Version: 5.0.16
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


Currently Realm authentication has no way to tell the user precisely what went
wrong with their login request. The authenticate() methods in the Realm
interface return an authenticated Principal or null to indicate authentication
failure - no helpful information, such as 'Your Account has been disabled' or
'Your Account has expired', can be returned by the underlying authentication
service.

Personally, I'm particularly interested in the JAASRealm implementation. JAAS
allows the LoginContext implementation to return a
javax.security.auth.login.LoginException in the case of failure, with useful
subclasses like 'AccountExpiredException'. Currently Catalina's JAASRealm will
log these exceptions, but due to the signature of the authenticate() method in
the Realm interface, can't return that information to the user and has to throw
it away. (There's also the possibility of the JAAS authenticator making a
TextOutputCallback, though this is currently unsupported by the Catalina
JAASCallbackHandler, and it's not immediately obvious to me how it could be...!)

Adding the facility to return this information would allow a better user
experience to be supported - not at the expense of security, it's not the
intention to return messages like 'You got the username right, but have another
go at the password!' - but it's hard to see how it could be done without a
change to the Realm interface, probably breaking external implementations of Realm.

Do you fine folks have any ideas?!

cheers,

Roberto
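The Realm change the report asks for, sketched as added example code (not Tomcat's code and not the reporter's): a constructed stand-in LoginModule throws AccountExpiredException, and a hypothetical ReasonAwareRealm with an AuthResult return type keeps the LoginException subclass that JAASRealm currently logs and discards, while folding unknown-user and wrong-password failures into one generic message. The module, the "Catalina" configuration name and the messages are constructed; the record syntax assumes Java 16 or later.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

record AuthResult(Principal principal, String userMessage) {} // hypothetical: Principal on success, else a user-safe reason

// Constructed stand-in for a site's JAAS LoginModule; it always reports an expired account.
public class ExpiredAccountModule implements LoginModule {
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
    public boolean login() throws LoginException {
        throw new AccountExpiredException("account expired 2004-01-01"); // constructed detail
    }
    public boolean commit() { return true; }
    public boolean abort() { return true; }
    public boolean logout() { return true; }
}

// Realm-like wrapper: keeps the LoginException subclass that JAASRealm currently discards.
final class ReasonAwareRealm {
    private static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                ExpiredAccountModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };
    // A real handler would answer Name/PasswordCallbacks; the stand-in module asks for none.
    static AuthResult authenticate(String username, String password) {
        try {
            LoginContext ctx = new LoginContext("Catalina", null, callbacks -> {}, CONFIG);
            ctx.login();
            return new AuthResult(ctx.getSubject().getPrincipals().stream().findFirst().orElse(null), null);
        } catch (AccountExpiredException e) {
            return failure("Your account has expired.", e);
        } catch (LoginException e) {
            // Unknown user and wrong password share one message, so neither can be probed.
            return failure("Invalid username or password.", e);
        }
    }
    private static AuthResult failure(String msg, LoginException cause) {
        System.err.println("login failed: " + cause); // full detail goes to the server log only
        return new AuthResult(null, msg);
    }
    public static void main(String[] args) {
        System.out.println(authenticate("alice", "secret").userMessage());
    }
}
```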
