tomcat-dev mailing list archives

From Peter Blakeley <...@coolcat.com.au>
Subject Re: Realm.authenticate() failure
Date Fri, 18 Feb 2000 22:44:56 GMT

"Craig R. McClanahan" wrote:
> 
> Peter Blakeley wrote:
> 
> 
> Although Daniel Rall quoted a nice "programming philosophy" reason for why
> I decided to return null instead of an exception (and it was one of the
> motivations), there is an additional important reason, based on my
> experience with building login schemes.
> 
> If you have an exception back stating what happened, you are going to be
> tempted to tell the user the details as well ("invalid username" or
> "invalid password" or whatever).  Doing so increases the security risks
> when you are facing a cracker, because you've just reduced the variables
> he/she has to explore in order to successfully invade your system.  Saying
> "Invalid login" does not give them any such information.  (I learned this
> principle from looking at the first Unix-based systems I ever used.)
> 

Now that's a reason I can find acceptable "security" and I can live with
that!

That brings up another question, please bear with me as I am trying to
come up to speed as regards the Catalina architecture.

As to fending off basic dictionary attacks I presume that you could
create a custom SecurityInterceptor that introduces a delay of
increasing length upon each attempted authentication probably based upon
IP address?

cheers pb...



> Finally, there isn't really a portable mechanism to tell the user much
> anyway -- if you're using basic or digest authentication, for example,
> you're going to send back an UNAUTHORIZED response that has no room for an
> error message.  With form-based authentication, you're going to go to the
> defined error page, but there's no mechanism to communicate any explanatory
> text.
> 
> >
> > cheers pb...
> >
> > --
> >
> > Peter Blakeley
> 
> Craig McClanahan
> 

-- 
Peter Blakeley 
Head of Software Development Coolcat Software Pty. Ltd.
http://www.coolcat.com.au/
Director Clearwater WebTech Pty. Ltd.
http://www.cwtech.com.au/

A financial instrument is a device used by a Banker to pick your pocket.
It is said an art degree is a licence to know it all, I am lucky I need
no art degree.
;-})
