http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25953
Add ability for Realm authentication to tell the user the reason for auth failure

------- Additional Comments From [EMAIL PROTECTED] 2004-01-30 09:45 -------

Yep, that's obviously a case where you would be reducing security by handing the potential hacker information - though those kinds of messages really aren't what this RFE was for. I was trying to address the situation where a legitimate user has the right username and password, but their account has been disabled or expired for some reason, and the authentication mechanism would like to tell the user why.

I can understand that the API change isn't worth the pain though - if API friction wasn't a problem, it would be nice to find a way to state a contract to only return the 'right' sort of information, i.e. information that doesn't impact on security. In the case of JAAS you could say that, hey, explicitly reporting an AccountExpiredException is ok, but a FailedLoginException should have a generic message.

Roberto
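The contract Roberto sketches, as an added example that is not part of the bug thread and not Tomcat or JAAS code: a Realm-style `authenticate()` that verifies the credentials first and only then raises the account-state exception, so that a caller who has not proved knowledge of the password never learns whether the account exists or is expired. The `userMessage()` allow-list is the point of the example: `AccountExpiredException` is disclosed, `FailedLoginException` and every other `LoginException` collapse to one generic message. The user table, passwords and message strings are constructed for the demo; the exception classes are the real `javax.security.auth.login` ones.

```java
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import java.util.HashMap;
import java.util.Map;

/** Added example (not Tomcat code): a Realm-style login that discloses
 *  account-state reasons only after the credentials have been verified. */
public class SafeAuthMessages {

    /** Constructed in-memory user record; a real Realm would consult its store
     *  and compare a hashed credential rather than a plaintext password. */
    static final class User {
        final String password;   // plaintext only for the demo
        final boolean expired;
        User(String password, boolean expired) {
            this.password = password;
            this.expired = expired;
        }
    }

    static final Map<String, User> USERS = new HashMap<>();
    static {
        USERS.put("alice", new User("s3cret", false));
        USERS.put("bob",   new User("hunter2", true));   // right password, account expired
    }

    /**
     * Credentials first, account state second. Unknown user and wrong password
     * both raise the same FailedLoginException, so "bob"/"wrong" looks exactly
     * like "nobody"/"wrong" to the caller; only "bob"/"hunter2" reaches the
     * expiry check and is told why it was refused.
     */
    static void authenticate(String username, String password) throws LoginException {
        User u = USERS.get(username);
        if (u == null || !u.password.equals(password)) {
            throw new FailedLoginException("bad credentials"); // internal text, never shown
        }
        if (u.expired) {
            throw new AccountExpiredException("account expired");
        }
    }

    /** The disclosure contract: an allow-list of exception types whose reason
     *  may be shown. Anything not listed gets the generic message. */
    static String userMessage(LoginException e) {
        if (e instanceof AccountExpiredException) {
            return "Your account has expired; please contact the administrator.";
        }
        // FailedLoginException and any other LoginException collapse to this
        return "Invalid username or password.";
    }

    /** What the web layer would render to the user. */
    static String login(String username, String password) {
        try {
            authenticate(username, password);
            return "Welcome, " + username + ".";
        } catch (LoginException e) {
            return userMessage(e);
        }
    }

    public static void main(String[] args) {
        System.out.println(login("alice", "s3cret"));
        System.out.println(login("alice", "wrong"));
        System.out.println(login("bob", "hunter2"));
        System.out.println(login("bob", "wrong"));
        System.out.println(login("nobody", "x"));
    }
}
```

Running `main` shows the two cases that matter: "bob" with the correct password gets the expiry message, while "bob" with a wrong password and a non-existent user get the same generic line. Adding a new disclosable reason means adding a branch to `userMessage()` and, just as importantly, making sure `authenticate()` only throws it after the credential check has passed.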