Return-Path: X-Original-To: apmail-cxf-issues-archive@www.apache.org Delivered-To: apmail-cxf-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id EE9539D1E for ; Fri, 21 Oct 2011 15:04:53 +0000 (UTC) Received: (qmail 81128 invoked by uid 500); 21 Oct 2011 15:04:52 -0000 Delivered-To: apmail-cxf-issues-archive@cxf.apache.org Received: (qmail 81075 invoked by uid 500); 21 Oct 2011 15:04:52 -0000 Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list issues@cxf.apache.org Received: (qmail 80921 invoked by uid 99); 21 Oct 2011 15:04:52 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 21 Oct 2011 15:04:52 +0000 X-ASF-Spam-Status: No, hits=-2000.5 required=5.0 tests=ALL_TRUSTED,RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 21 Oct 2011 15:04:51 +0000 Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116]) by hel.zones.apache.org (Postfix) with ESMTP id 46A02315F79 for ; Fri, 21 Oct 2011 15:02:32 +0000 (UTC) Date: Fri, 21 Oct 2011 15:02:32 +0000 (UTC) From: "Andrei Shakirin (Updated) (JIRA)" To: issues@cxf.apache.org Message-ID: <89729088.1270.1319209352290.JavaMail.tomcat@hel.zones.apache.org> In-Reply-To: <2063328897.1236.1319208992360.JavaMail.tomcat@hel.zones.apache.org> Subject: [jira] [Updated] (CXF-3873) Detail exceptions in JAASLoginInInterceptor (patch) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/CXF-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrei Shakirin updated CXF-3873: --------------------------------- Comment: was deleted (was: Patch) > Detail exceptions in JAASLoginInInterceptor (patch) > --------------------------------------------------- > > Key: CXF-3873 > URL: https://issues.apache.org/jira/browse/CXF-3873 > Project: CXF > Issue Type: Improvement > Components: Core > Affects Versions: 2.5 > Environment: Windows > Reporter: Andrei Shakirin > Attachments: JAASLoginInterceptor-patch.java, SAAJOutInterceptor-patch.java > > > Hi, > I find one thing in JAASLoginInInterceptor a little bit dangerous from security perspective - exception handling. > JAASLoginInInterceptor throws different exceptions with detail error messages in cases: > - if user/password are not defined (SecurityException: NO_USER_PASSWORD) > - and if authentication is failed (AuthenticationException: "Unauthorized : " + ex.getMessage()) > It is very practical for the development, but can give some advices to malicious application. > I will prefere to throw generic security violation exception for both cases. > Patch is attached -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira