Re: Form based auth does not provide the option to show error reason in the error page

2021-10-15 Thread Werner Dähn
Thanks Mark. Why do you believe the refactoring is difficult? All we
actually need is access to the response object. This would allow adding
session data, URL parameters, whatever. And this response object is
available everywhere except in the actual RealmBase. By my analysis the
change would be rather simple and provide a feedback channel. Whether that
feedback channel is used, and for what, is a separate discussion and decided
by the real implementer.

Thanks for your warnings regarding "this might be a security concern" - it
allowed me to word the enhancement request accordingly.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65635

On Fri, Oct 15, 2021 at 2:01 PM Mark Thomas wrote:

> On 15/10/2021 07:05, Werner Dähn wrote:
>
> 
>
> > So why has this not been done? What am I missing?
>
> Accepted security good practice is not to provide any information to a
> user as to the reason for a failed authentication. The idea is that it
> could help an attacker by, for example, letting them know they have a
> valid user name but an invalid password.
>
> I'm not entirely convinced by the arguments used to support the above
> position. They generally seem to be based on the assumption that a brute
> force attack is possible. I'd argue that any system susceptible to a
> brute force attack has problems irrespective of whether it provides
> feedback on authentication failures.
>
> I do think there is an argument to be made that trading reduced
> usability (no feedback on authentication failures) for allegedly better
> security (brute force attacks are harder) is not a sensible trade-off.
> That said, I appear to be in the minority. Again.
>
> > Does an enhancement request exist??
>
> No.
>
> I do think there is an argument for providing information on the reason
> for the authentication failure via a mechanism that allows system
> administrators to decide if they want to pass it on to the users or not.
> Something like a request attribute that could be included in a custom
> error page for example.
>
> However, the current Tomcat code for authentication is structured in
> such a way that exposing the reason for an authentication failure would
> require a reasonable amount of refactoring. I don't think an enhancement
> request along these lines will be rejected, but neither do I think it
> will be implemented quickly. I'd expect a fair amount of discussion
> about how to refactor the Realm interface to expose this information.
>
> Mark
>


Form based auth does not provide the option to show error reason in the error page

2021-10-15 Thread Werner Dähn
I know it has been asked dozens of times but the response is always "Cannot
be done in a standard way".
But why can't we change Tomcat to provide further details to the error page
of why the login failed?

I would have thought Tomcat can support that easily without any backward
compatibility issue:

Everywhere the authenticate method is called,
e.g. in FormAuthenticator.doAuthenticate(), catch throwables and add the
exception details as a parameter, as a session variable, as ... to the redirect
call, so that the error page has a place to read the actual issue.


There are tons of reasons a login might fail, and without being given the
reason the user has no way to fix the problem. The only option is to call
up the web server admin to scan the web server logs.

Examples:
* password wrong
* cannot connect to the user database because the network or the database is down
* login is fine but password expired, must be changed
* connection to the user database is fine but SQL statement failed for
whatever reason

So why has this not been done? What am I missing? Does an enhancement
request exist?

Thanks in advance
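The two messages above describe the same design: the authenticator catches the failure, and the error page gets a channel (a request attribute, session variable or URL parameter) carrying the reason, with the administrator deciding what is passed on to the user. The class below is an added example that illustrates that split and is not Tomcat's code or anything from the Bugzilla request; the `Reason` categories, the attribute name `example.auth.failureMessage`, and the `Map` standing in for the request's attributes are assumptions made for the example. The full detail always goes to the server log; only a policy-filtered message reaches the error page, and the default policy keeps "unknown user" and "wrong password" indistinguishable while still telling the user about an expired password or an unavailable user store.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Added example (not Tomcat code): a feedback channel for authentication
 * failures in which the full reason is always logged server-side, while the
 * message exposed to the error page is filtered by a deployer-controlled policy.
 * The Reason categories, the attribute name and the Map standing in for the
 * request's attributes are all assumptions made for this example.
 */
public final class AuthFailureFeedback {

    /** Internal failure categories an authenticator or Realm would know about (assumed). */
    public enum Reason {
        UNKNOWN_USER,
        BAD_PASSWORD,
        PASSWORD_EXPIRED,
        USER_STORE_UNAVAILABLE,
        USER_STORE_QUERY_FAILED
    }

    /** Request attribute the custom error page would read; a hypothetical name. */
    public static final String ATTR_REASON = "example.auth.failureMessage";

    /** Generic message returned whenever the policy does not allow the real reason. */
    public static final String GENERIC_MESSAGE = "Authentication failed.";

    private static final Logger LOG = Logger.getLogger(AuthFailureFeedback.class.getName());

    /** Reasons the deployer has chosen to disclose verbatim to users. */
    private final Set<Reason> disclosable;

    public AuthFailureFeedback(Set<Reason> disclosable) {
        this.disclosable = EnumSet.noneOf(Reason.class);
        this.disclosable.addAll(disclosable);
    }

    /**
     * Conservative default: UNKNOWN_USER and BAD_PASSWORD stay collapsed into the
     * generic message so the response does not reveal whether an account exists;
     * an expired password and a user-store outage are reported, since the user
     * can act on the first and should not keep retrying during the second.
     */
    public static AuthFailureFeedback defaultPolicy() {
        return new AuthFailureFeedback(EnumSet.of(Reason.PASSWORD_EXPIRED, Reason.USER_STORE_UNAVAILABLE));
    }

    /** Map an internal reason to the text the error page is allowed to show. */
    public String userMessage(Reason reason) {
        if (!disclosable.contains(reason)) {
            return GENERIC_MESSAGE;
        }
        switch (reason) {
            case UNKNOWN_USER:            return "No account exists for that user name.";
            case BAD_PASSWORD:            return "The password is incorrect.";
            case PASSWORD_EXPIRED:        return "Your password has expired and must be changed.";
            case USER_STORE_UNAVAILABLE:  return "The login service is temporarily unavailable; please try again later.";
            case USER_STORE_QUERY_FAILED: return "The login service encountered an internal error.";
            default:                      return GENERIC_MESSAGE;
        }
    }

    /**
     * What the authenticator would do on a failed login: keep the full detail
     * (reason, user name, cause) in the server log for the administrator, and
     * hand the error page only the policy-filtered message via a request attribute.
     */
    public void recordFailure(Map<String, Object> requestAttributes, String username,
                              Reason reason, Throwable cause) {
        LOG.warning("Login failed for user '" + username + "': " + reason
                + (cause != null ? " (" + cause + ")" : ""));
        requestAttributes.put(ATTR_REASON, userMessage(reason));
    }

    /** Demonstration with constructed inputs; the Map stands in for HttpServletRequest attributes. */
    public static void main(String[] args) {
        AuthFailureFeedback policy = defaultPolicy();
        Map<String, Object> attrs = new HashMap<>();

        // Wrong password and unknown user are indistinguishable to the user...
        policy.recordFailure(attrs, "alice", Reason.BAD_PASSWORD, null);
        System.out.println("BAD_PASSWORD -> " + attrs.get(ATTR_REASON));
        policy.recordFailure(attrs, "nobody", Reason.UNKNOWN_USER, null);
        System.out.println("UNKNOWN_USER -> " + attrs.get(ATTR_REASON));

        // ...while an expired password or an outage may be shown verbatim.
        policy.recordFailure(attrs, "alice", Reason.PASSWORD_EXPIRED, null);
        System.out.println("PASSWORD_EXPIRED -> " + attrs.get(ATTR_REASON));
        policy.recordFailure(attrs, "alice", Reason.USER_STORE_UNAVAILABLE,
                new java.net.ConnectException("Connection refused"));
        System.out.println("USER_STORE_UNAVAILABLE -> " + attrs.get(ATTR_REASON));
    }
}
```

A deployment that wants the more permissive behaviour argued for in the thread would construct the policy with all five reasons; one that wants today's behaviour passes an empty set, and the error page then only ever sees the generic message. Either way the administrator's log keeps the real cause, which is the point of separating the logged detail from the disclosed message.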