cxf-issues mailing list archives

From "Andrei Shakirin (Created) (JIRA)" <>
Subject [jira] [Created] (CXF-3873) Detail exceptions in JAASLoginInInterceptor (patch)
Date Fri, 21 Oct 2011 14:56:32 GMT
Detail exceptions in JAASLoginInInterceptor (patch)

                 Key: CXF-3873
             Project: CXF
          Issue Type: Improvement
          Components: Core
    Affects Versions: 2.5
         Environment: Windows
            Reporter: Andrei Shakirin

I find one thing in JAASLoginInInterceptor a little bit dangerous from a security perspective
- exception handling.
JAASLoginInInterceptor throws different exceptions with detailed error messages in these cases:
- if user/password are not defined (SecurityException: NO_USER_PASSWORD)
- and if authentication fails (AuthenticationException: "Unauthorized : " + ex.getMessage())
It is very practical for development, but can give some advice to a malicious application.
I would prefer to throw a generic security violation exception for both cases.

Patch is attached
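The pattern the report describes, as an added illustration that is neither CXF's own interceptor code nor the attached patch: the verbose handling that distinguishes the two failure cases beside a variant that reports one generic failure to the caller and keeps the detail in the server log. The JAAS context name `cxf-app`, the method names and the `AuthenticationException` stand-in are assumptions.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Illustration of the two handling styles; not CXF's JAASLoginInterceptor. */
public final class LoginInterceptorExample {
    private static final Logger LOG = Logger.getLogger(LoginInterceptorExample.class.getName());
    // Assumed name of the JAAS login configuration entry used by the application.
    private static final String CONTEXT_NAME = "cxf-app";

    /** "Before": each failure step gets its own exception and message. */
    static void loginVerbose(String user, String password, CallbackHandler handler) {
        if (user == null || password == null) {
            // Tells the caller that no credentials were presented at all.
            throw new SecurityException("NO_USER_PASSWORD");
        }
        try {
            new LoginContext(CONTEXT_NAME, null, handler).login();
        } catch (LoginException ex) {
            // Forwards the login module's reason (e.g. unknown user vs. wrong password).
            throw new AuthenticationException("Unauthorized : " + ex.getMessage());
        }
    }

    /** "After": one generic message outward; the cause only reaches the server log. */
    static void loginGeneric(String user, String password, CallbackHandler handler) {
        if (user == null || password == null) {
            LOG.log(Level.FINE, "Authentication rejected: no user/password supplied");
            throw new AuthenticationException("Authentication failed");
        }
        try {
            new LoginContext(CONTEXT_NAME, null, handler).login();
        } catch (LoginException ex) {
            // Same outward message as the missing-credentials case; detail stays server-side.
            LOG.log(Level.FINE, "Authentication rejected for user " + user, ex);
            throw new AuthenticationException("Authentication failed");
        }
    }

    /** Stand-in for org.apache.cxf.interceptor.security.AuthenticationException. */
    static final class AuthenticationException extends SecurityException {
        AuthenticationException(String message) {
            super(message);
        }
    }
}
```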

