OK. I see the light .. Thanks a zillion! 😊
> Date: Tue, 19 May 2015 15:56:47 +0100
> From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: Tomcat valve JAAS : form error page displayed first before
> response reaches back to Tomcat valve
>
> On 19/05/2015 15:51, David kerber wrote:
> > On 5/19/2015 10:46 AM, Kim Ming Yap wrote:
> >>
> >> You said ..
> >>
> >> "> Actually, the better analogy is that there is an application that can
> >>> tell you whether or not 1+1=2, and you're asking it to explain why the
> >>> numbers they entered don't total up to 2"
> >>
> >> When a user account is disabled after exceeding the retry limit, I
> >> couldn't display "account disabled" but rather "email / password
> >> invalid" (due to the issue below).
> >>
> >> The right analogy is ..
> >>
> >> 1 (user) + 1 (password) = 10 (10 being the incorrect message being
> >> displayed due to lack of the needed feature).
> >>
> >> Sure .. if I'm the client, I will ask: 1+1 = 10?
> >>
> >> That's the issue.
> >
> > The point we're making is that if a user's authentication is not valid,
> > you should NOT be telling them why, just tell them it's invalid and
> > maybe tell them to contact the administrator.
> >
> > Giving them any more information is just setting yourself up to be a
> > victim of much quicker brute-force attacks, because you're giving them
> > lots of help.
>
> +1.
>
> And the chances of any such features making it into Tomcat are slim to
> none. I for one would veto any such proposal (for the exact reasons
> David outlines above).
>
> It is possible that, if the GSoC project to implement JASPIC succeeds
> (and that isn't looking very likely right now), a side-effect may be
> that JASPIC makes it easier to implement custom authenticators, but even
> then, if you want to go down the route of detailed explanations for
> authentication failures, you will be on your own.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
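The point David and Mark make in the quoted reply, shown as an added example that is not code from the thread, from Tomcat or from any JAAS/JASPIC module: a login handler that tells the client *why* authentication failed (unknown user, disabled account, wrong password, locked after too many retries) is an oracle an attacker can use to sort guessed e-mail addresses into real and fake accounts with one wrong password per guess. The hardened handler runs exactly the same checks, keeps the reason in a server-side log line, and returns one message to the client. Everything here is constructed for the demonstration: the in-memory user store, the e-mail addresses, the `MAX_ATTEMPTS` lockout threshold and the (reduced) PBKDF2 iteration count are assumptions, not Tomcat settings.

```python
"""Generic vs. detailed authentication failures (added example, not from the thread)."""
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3            # assumed lockout threshold for this example
PBKDF2_ROUNDS = 50_000      # reduced for a quick demo; use far more in production
GENERIC_FAILURE = "Invalid email or password."

log = logging.getLogger("auth")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    salt: bytes
    digest: bytes
    disabled: bool = False
    failures: int = 0


def make_user(password: str, disabled: bool = False) -> User:
    salt = secrets.token_bytes(16)
    return User(salt, _hash(password, salt), disabled)


# Dummy credential so an unknown e-mail costs the same as a real one
# (otherwise response time alone would leak which accounts exist).
_DUMMY = make_user(secrets.token_hex(8))


def _check(store: dict, email: str, password: str):
    """Run every check; return (ok, reason). `reason` is for the server log only."""
    user = store.get(email)
    target = user if user is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, target.salt), target.digest)
    if user is None:
        return False, "unknown user"
    if user.disabled:
        return False, "account disabled"
    if user.failures >= MAX_ATTEMPTS:
        return False, "account locked"
    if not matches:
        user.failures += 1
        if user.failures >= MAX_ATTEMPTS:
            return False, "account locked"
        return False, "wrong password"
    user.failures = 0
    return True, "ok"


def login_verbose(store: dict, email: str, password: str) -> str:
    """The behaviour asked for in the thread: the client learns the exact reason."""
    ok, reason = _check(store, email, password)
    return "Welcome" if ok else f"Login failed: {reason}"


def login_hardened(store: dict, email: str, password: str) -> str:
    """Same checks, one client-visible message; the reason goes to the log."""
    ok, reason = _check(store, email, password)
    if not ok:
        log.warning("login failure for %r: %s", email, reason)
        return GENERIC_FAILURE
    return "Welcome"


def enumerate_accounts(login, store: dict, candidates) -> set:
    """Attacker's view: try one wrong password per candidate and keep every
    address whose reply differs from the reply an unknown address gets."""
    probe = "nobody-" + secrets.token_hex(4) + "@example.com"
    baseline = login(store, probe, "x")
    return {c for c in candidates if login(store, c, "x") != baseline}


if __name__ == "__main__":
    # Constructed store: one active and one disabled account.
    users = {
        "alice@example.com": make_user("correct horse"),
        "bob@example.com": make_user("battery staple", disabled=True),
    }
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("verbose leaks :", sorted(enumerate_accounts(login_verbose, users, guesses)))
    print("hardened leaks:", sorted(enumerate_accounts(login_hardened, users, guesses)))
```

With the verbose handler the attacker's probe returns both real addresses (and the distinct "account disabled" text even tells them which one is locked out); with the hardened handler the probe returns nothing, while the operator still sees the real reason in the log and can tell the user to contact the administrator.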