From: "Emmanuel Lecharny (JIRA)"
To: dev@directory.apache.org
Date: Tue, 1 Jun 2010 19:43:41 -0400 (EDT)
Subject: [jira] Resolved: (DIRSERVER-640) bring error hints from CustomAuthenticators extending AbstractAuthenticator back to the client.

[ https://issues.apache.org/jira/browse/DIRSERVER-640?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny resolved DIRSERVER-640.
-----------------------------------------

    Resolution: Won't Fix

Providing more information is a potential security breach. Enough to say that the authentication failed, no need to tell the user why (i.e., if we tell him that the credentials are not correct, then that implies the user name exists)

> bring error hints from CustomAuthenticators extending AbstractAuthenticator back to the client.
> -----------------------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-640
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-640
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: ldap
>    Affects Versions: 1.0-RC3
>         Environment: windows/linux
>            Reporter: Ralf Hauser
>             Fix For: 2.0.0-RC1
>
>         Attachments: AuthenticationService.java.patch
>
>
> For the authentication, I use a CustomAuthenticator that extends AbstractAuthenticator.
> If the authentication fails I use LdapAuthenticationException or LdapNoPermissionException and I appreciate a lot to be able to provide some hint (String explanation) why the exception was thrown.
> Unfortunately, this hint never reaches the client. I only see "error code 49 - Bind failed" - the equivalent is visible in the server log as
> < Result code : (ResultCodeEnum[INVALIDCREDENTIALS=49]) invalidCredentials
> Matched DN : 'null'
> Error message : 'Bind failed'>>
> It appears that the culprit is org.apache.directory.server.core.authn.AuthenticationService.bind(NextInterceptor next, Name bindDn, byte[] credentials, List mechanisms, String saslAuthId) throws NamingException
> where that exception is caught, neither its class is analyzed in detail nor is there any attempt to use "explanations" when re-throwing even though an LdapAuthenticationException constructor does exist that takes a "msg" for explanations.
> Therefore my suggestion: please make sure that it is possible to provide a user more information by optionally appending an "explanation" to the 'Bind failed' a client currently sees in an ldap client.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
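
The trade-off in this resolution, as an added example that is not part of the original message and is not ApacheDS code: the failure reason a custom authenticator knows is written to the server log, while every failed bind returns the same result code 49 and 'Bind failed' text to the client. The class, record and enum names, the sample DN and the plaintext sample password are constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.logging.Logger;

// Added illustration: hypothetical classes, not the ApacheDS AuthenticationService (Java 16+).
public class UniformBindFailure {
    private static final Logger LOG = Logger.getLogger("authn");
    static final int SUCCESS = 0;
    static final int INVALID_CREDENTIALS = 49; // result code quoted in the issue

    // What the LDAP client sees.
    record BindResult(int resultCode, String message) {}

    // Failure detail that stays on the server.
    enum Reason { UNKNOWN_USER, BAD_PASSWORD }

    // Constructed sample store; a real one would hold salted password hashes.
    private static final Map<String, String> USERS = Map.of("uid=alice,ou=users", "s3cret");
    private static final String DUMMY = "placeholder-never-matches";

    static Reason check(String dn, String password) {
        String stored = USERS.get(dn);
        // Always run a comparison so unknown and known DNs take the same code path.
        boolean match = MessageDigest.isEqual(
                (stored != null ? stored : DUMMY).getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        if (stored == null) return Reason.UNKNOWN_USER;
        return match ? null : Reason.BAD_PASSWORD;
    }

    static BindResult bind(String dn, String password) {
        Reason reason = check(dn, password);
        if (reason == null) return new BindResult(SUCCESS, "");
        // The hint the custom authenticator wants to give goes to the server log only.
        String safeDn = dn.replaceAll("[\\r\\n]", "_"); // keep log lines intact
        LOG.warning("bind failed dn=" + safeDn + " reason=" + reason);
        // Same code and text for every failure, so the reply does not reveal whether the DN exists.
        return new BindResult(INVALID_CREDENTIALS, "Bind failed");
    }

    public static void main(String[] args) {
        System.out.println(bind("uid=alice,ou=users", "wrong"));   // existing DN, bad password
        System.out.println(bind("uid=nobody,ou=users", "wrong"));  // DN not in the store
        System.out.println(bind("uid=alice,ou=users", "s3cret"));  // correct credentials
    }
}
```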