directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (DIRSERVER-640) bring error hints from CustomAuthenticators extending AbstractAuthenticator back to the client.
Date Tue, 01 Jun 2010 23:43:41 GMT

     [ https://issues.apache.org/jira/browse/DIRSERVER-640?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny resolved DIRSERVER-640.
-----------------------------------------

    Resolution: Won't Fix

Providing more information is a potential security breach. Enough to say that the authentication
failed, no need to tell the user why (i.e., if we tell him that the credentials are not correct,
then that implies the user name exists).

> bring error hints from CustomAuthenticators extending AbstractAuthenticator back to the client.
> -----------------------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-640
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-640
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: ldap
>    Affects Versions: 1.0-RC3
>         Environment: windows/linux
>            Reporter: Ralf Hauser
>             Fix For: 2.0.0-RC1
>
>         Attachments: AuthenticationService.java.patch
>
>
> For the authentication, I use a CustomAuthenticator that extends AbstractAuthenticator.
> If the authentication fails I use LdapAuthenticationException or LdapNoPermissionException, and I appreciate a lot being able to provide some hint (String explanation) why the exception was thrown.
> Unfortunately, this hint never reaches the client. I only see "error code 49 - Bind failed"; the equivalent is visible in the server log as
> <<Ldap Result
>             Result code : (ResultCodeEnum[INVALIDCREDENTIALS=49]) invalidCredentials
>             Matched DN : 'null'
>             Error message : 'Bind failed'>>
> It appears that the culprit is org.apache.directory.server.core.authn.AuthenticationService.bind(NextInterceptor next, Name bindDn, byte[] credentials, List mechanisms, String saslAuthId) throws NamingException
> where that exception is caught; neither is its class analyzed in detail, nor is there any attempt to use "explanations" when re-throwing, even though an LdapAuthenticationException constructor does exist that takes a "msg" for explanations.
> Therefore my suggestion: please make sure that it is possible to provide a user more information by optionally appending an "explanation" to the 'Bind failed' a client currently sees in an LDAP client.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
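The trade-off behind this resolution, shown as an added example that is not ApacheDS code and does not use its API: a bind handler whose internal check can fail for several reasons (unknown DN, locked account, wrong password), once wired the way the issue requested (the hint is echoed to the client) and once the way the issue was resolved (every failure yields the same result code 49 and the same 'Bind failed' message, with the detail written only to the server log). The directory contents, the DNs and the reason strings are constructed for the illustration; `distinguishable()` is a hypothetical helper that checks whether an unauthenticated caller could tell an existing user from a non-existing one purely from the response.

```python
"""Added example (not ApacheDS code): keep bind-failure detail in the
server log and return one uniform result to the LDAP client."""
import hashlib
import hmac
import logging
from dataclasses import dataclass

log = logging.getLogger("bind")

# LDAP resultCode for invalidCredentials, as in the log excerpt on the page.
INVALID_CREDENTIALS = 49
SUCCESS = 0

# Constructed sample directory: DN -> SHA-256 hex of the password.
USERS = {
    "uid=alice,ou=users,dc=example,dc=com": hashlib.sha256(b"correct horse").hexdigest(),
    "uid=bob,ou=users,dc=example,dc=com": hashlib.sha256(b"hunter2").hexdigest(),
}
# Constructed: one account is administratively locked.
LOCKED = {"uid=bob,ou=users,dc=example,dc=com"}


@dataclass
class LdapResult:
    """The three fields the client sees in a bind response."""
    result_code: int
    matched_dn: str
    error_message: str


def _check(bind_dn, password):
    """Internal credential check. The reason string is meant for the
    server log only; whether it reaches the client is decided by the caller."""
    stored = USERS.get(bind_dn)
    if stored is None:
        return False, "no such entry"
    if bind_dn in LOCKED:
        return False, "account locked"
    supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(stored, supplied):
        return False, "wrong password"
    return True, "ok"


def bind_verbose(bind_dn, password):
    """What the issue asked for: the hint is appended to 'Bind failed'.
    An unauthenticated caller can now separate 'no such entry' from
    'wrong password', i.e. learn which user names exist."""
    ok, reason = _check(bind_dn, password)
    if ok:
        return LdapResult(SUCCESS, "", "")
    return LdapResult(INVALID_CREDENTIALS, "", f"Bind failed: {reason}")


def bind_uniform(bind_dn, password):
    """The resolved behaviour: one message for every failure; the reason
    is logged server-side, where an operator can still read it."""
    ok, reason = _check(bind_dn, password)
    if ok:
        return LdapResult(SUCCESS, "", "")
    log.warning("bind failed dn=%s reason=%s", bind_dn, reason)
    return LdapResult(INVALID_CREDENTIALS, "", "Bind failed")


def distinguishable(bind_fn):
    """Hypothetical check: does the client-visible response differ between
    an unknown DN and a known DN with a wrong password? True means the
    server reveals whether the user name exists."""
    unknown = bind_fn("uid=nobody,ou=users,dc=example,dc=com", "x")
    known = bind_fn("uid=alice,ou=users,dc=example,dc=com", "x")
    return (unknown.result_code, unknown.error_message) != (
        known.result_code, known.error_message)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("verbose leaks existence:", distinguishable(bind_verbose))
    print("uniform leaks existence:", distinguishable(bind_uniform))
```

The point of `distinguishable()` is that the property to preserve is sameness of the whole client-visible response across failure causes, not merely the absence of a message; the detail an operator needs is still available, but only in the server log, which is where the page's own log excerpt shows it landing.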

