On 15/10/2021 07:05, Werner Dähn wrote:
<snip/>
> So why has this not been done? What am I missing?

Accepted security good practice is not to provide any information to a
user as to the reason for a failed authentication. The idea is that it
could help an attacker by, for example, letting them know they have a
valid user name but an invalid password.

I'm not entirely convinced by the arguments used to support the above
position. They generally seem to be based on the assumption that a brute
force attack is possible. I'd argue that any system susceptible to a
brute force attack has problems irrespective of whether it provides
feedback on authentication failures.

I do think there is an argument to be made that trading reduced
usability (no feedback on authentication failures) for allegedly better
security (brute force attacks are harder) is not a sensible trade-off.
That said, I appear to be in the minority. Again.
> Does an enhancement request exist??

No.

I do think there is an argument for providing information on the reason
for the authentication failure via a mechanism that allows system
administrators to decide if they want to pass it on to the users or not.
Something like a request attribute that could be included in a custom
error page for example.

However, the current Tomcat code for authentication is structured in
such a way that exposing the reason for an authentication failure would
require a reasonable amount of refactoring. I don't think an enhancement
request along these lines will be rejected, but neither do I think it
will be implemented quickly. I'd expect a fair amount of discussion
about how to refactor the Realm interface to expose this information.

Mark
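The admin-gated design Mark sketches above, as an added stand-alone illustration that is not Tomcat code or part of this thread: the authenticator always records the detailed failure reason server-side, but what a custom error page would see as a request attribute is only the specific reason when an administrator has opted in. The class name, the AuthOutcome enum, the attribute name "auth.failureReason" and the sample user store are assumptions, not Tomcat identifiers.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration (not Tomcat code). Names below are assumptions.
public class AuthFeedbackDemo {
    enum AuthOutcome { SUCCESS, UNKNOWN_USER, BAD_PASSWORD, ACCOUNT_LOCKED }

    // Constructed sample store: plain-text passwords only to keep the demo short.
    static final Map<String, String> USERS = Map.of("alice", "s3cret", "bob", "hunter2");
    static final Set<String> LOCKED = Set.of("bob");

    // Stands in for a Realm.authenticate() that reports a reason instead of a bare null.
    static AuthOutcome authenticate(String user, String password) {
        String expected = USERS.get(user);
        if (expected == null) {
            return AuthOutcome.UNKNOWN_USER;
        }
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   password.getBytes(StandardCharsets.UTF_8))) {
            return AuthOutcome.BAD_PASSWORD;
        }
        return LOCKED.contains(user) ? AuthOutcome.ACCOUNT_LOCKED : AuthOutcome.SUCCESS;
    }

    // Simulates setting the attribute a custom error page would read. The audit
    // log always gets the real reason; the page gets it only if the admin opted in.
    static Map<String, Object> failureAttributes(AuthOutcome outcome, boolean exposeReasonToUsers) {
        System.err.println("AUDIT login failure reason=" + outcome); // server-side only
        Map<String, Object> requestAttributes = new HashMap<>();
        requestAttributes.put("auth.failureReason",
                exposeReasonToUsers ? outcome.name() : "AUTHENTICATION_FAILED");
        return requestAttributes;
    }

    public static void main(String[] args) {
        for (boolean expose : new boolean[] {false, true}) {
            System.out.println("expose=" + expose
                + " unknown user -> " + failureAttributes(authenticate("carol", "x"), expose)
                + ", bad password -> " + failureAttributes(authenticate("alice", "x"), expose)
                + ", locked -> " + failureAttributes(authenticate("bob", "hunter2"), expose));
        }
    }
}
```

With the flag off, every failure yields the same attribute value, so the error page cannot leak which part of the credential was wrong; with it on, the page may show the distinct reasons Mark describes while the audit log is unchanged either way.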
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org