On 19/05/2015 15:51, David kerber wrote:
> On 5/19/2015 10:46 AM, Kim Ming Yap wrote:
>>
>> You said ..
>>
>> "> Actually, the better analogy is that there is an application that can
>>> tell you whether or not 1+1=2, and you're asking it to explain why the
>>> numbers they entered don't total up to 2"
>>
>> When a user account is disabled after exceeding the retry limit, I
>> couldn't display "account disabled" but rather "email / password
>> invalid" (due to the issue below).
>>
>> the right analogy is ..
>>
>> 1 (User) +1 (password) = 10 (10 being the incorrect message being
>> displayed due to lack of the needed feature).
>>
>> Sure .. if I'm the client .. I will ask 1+1 = 10?
>>
>> That's the issue.
> 
> The point we're making is that if a user's authentication is not valid,
> you should NOT be telling them why, just tell them it's invalid and
> maybe tell them to contact the administrator.
> 
> Giving them any more information is just setting yourself up to be a
> victim of much quicker brute-force attacks, because you're giving them
> lots of help.

+1.

And the chances of any such features making it into Tomcat are slim to
none. I for one would veto any such proposal (for the exact reasons
David outlines above).

It is possible that, if the GSoC project to implement JASPIC succeeds
(and that isn't looking very likely right now), a side-effect may be
that JASPIC makes it easier to implement custom authenticators but even
then if you want to go down the route of detailed explanations for
authentication failures you will be on your own.

Mark
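The design David describes above, as an added example that is not part of this thread and not Tomcat's own Realm or Authenticator code: every failure path (unknown user, wrong password, account disabled after too many retries) returns the same generic message to the client, while the real reason goes only to a server-side audit record that an administrator can read. The in-memory account store, the `MAX_FAILURES` limit of 5 and the constructed sample users are assumptions for illustration; the point is that the lockout state Kim wanted to surface stays invisible to whoever is typing passwords, and the hash is computed even for unknown or disabled users so that response time does not leak which case occurred.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed in-memory account store (assumption: a real deployment
# would back this with a Realm, LDAP or a database).
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    disabled: bool = False
    failures: int = 0

MAX_FAILURES = 5  # assumed lockout threshold
# One message for every failure reason; it never says which one applied.
GENERIC_MESSAGE = "Email / password invalid. Contact the administrator if the problem persists."

# Server-side detail only; never returned to the client.
AUDIT_LOG: list[str] = []

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))

# Dummy account so that an unknown username costs the same hashing work
# as a known one (no timing difference that reveals valid usernames).
_DUMMY = make_account("unused-placeholder")

def authenticate(store: dict[str, Account], username: str, password: str) -> tuple[bool, str]:
    """Return (ok, message). The message is identical for every failure reason."""
    account = store.get(username)
    if account is None:
        _hash(password, _DUMMY.salt)  # burn equal work, then fail generically
        reason = "unknown user"
    else:
        # Always verify the password, even when the account is disabled,
        # so a locked account is not distinguishable by response time.
        matched = hmac.compare_digest(_hash(password, account.salt), account.pw_hash)
        if account.disabled:
            reason = "account disabled"
        elif not matched:
            account.failures += 1
            if account.failures >= MAX_FAILURES:
                account.disabled = True
                reason = f"bad password; account disabled after {account.failures} failures"
            else:
                reason = f"bad password ({account.failures}/{MAX_FAILURES})"
        else:
            account.failures = 0
            AUDIT_LOG.append(f"user={username} result=success")
            return True, "Welcome"
    # The detailed reason is for the administrator, not the client.
    AUDIT_LOG.append(f"user={username} result=failure reason={reason}")
    return False, GENERIC_MESSAGE

if __name__ == "__main__":
    store = {"alice": make_account("correct horse")}
    for attempt in ["wrong"] * MAX_FAILURES + ["correct horse"]:
        print(authenticate(store, "alice", attempt))
    print(authenticate(store, "nobody", "anything"))
    print("\n".join(AUDIT_LOG))
```

Run stand-alone, the client-facing tuples are indistinguishable across the bad-password attempts, the attempt that hits the lockout, the now-disabled account with the right password, and the unknown user; only the audit log, which stays on the server, records which of those happened.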
