tomcat-dev mailing list archives

From Peter Blakeley <>
Subject Re: Realm.authenticate() failure
Date Fri, 18 Feb 2000 22:44:56 GMT

"Craig R. McClanahan" wrote:
> Peter Blakeley wrote:
> Although Daniel Rall quoted a nice "programming philosophy" reason for why
> I decided to return null instead of an exception (and it was one of the
> motivations), there is an additional important reason, based on my
> experience with building login schemes.
> If you have an exception back stating what happened, you are going to be
> tempted to tell the user the details as well ("invalid username" or
> "invalid password" or whatever).  Doing so increases the security risks
> when you are facing a cracker, because you've just reduced the variables
> he/she has to explore in order to successfully invade your system.  Saying
> "Invalid login" does not give them any such information.  (I learned this
> principle from looking at the first Unix-based systems I ever used.)

Now that's a reason ("security") I can find acceptable, and I can live with it.

That brings up another question; please bear with me, as I am trying to
come up to speed as regards the Catalina architecture.

As to fending off basic dictionary attacks, I presume that you could
create a custom SecurityInterceptor that introduces a delay of
increasing length upon each attempted authentication, probably based upon
IP address?

cheers pb...

> Finally, there isn't really a portable mechanism to tell the user much
> anyway -- if you're using basic or digest authentication, for example,
> you're going to send back an UNAUTHORIZED response that has no room for an
> error message.  With form-based authentication, you're going to go to the
> defined error page, but there's no mechanism to communicate any explanatory
> text.
> >
> > cheers pb...
> >
> > --
> >
> > Peter Blakeley
> Craig McClanahan


Peter Blakeley 
Head of Software Development Coolcat Software Pty. Ltd.
Director Clearwater WebTech Pty. Ltd.

A financial instrument is a device used by a Banker to pick your pocket.
It is said an art degree is a licence to know it all, I am lucky I need
no art degree.
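The two ideas in this exchange, a Realm whose authenticate() returns null for every kind of failure so the caller cannot tell "unknown user" from "wrong password", and a per-client-address penalty that grows with each failed attempt, can be shown together in one small class. This is an added illustration, not code from the original thread and not Catalina's actual Realm or SecurityInterceptor API: UniformFailureRealm, its method signatures, the demo account "alice" and the address 203.0.113.7 are all assumptions made for the example. The password store is plain SHA-256 for brevity; a real realm would use a salted, deliberately slow KDF.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical realm (not Catalina's Realm interface). authenticate() returns a
 * Principal on success and null on ANY failure, never saying which check failed.
 */
public class UniformFailureRealm {

    /** Per-client-address state for the increasing-delay throttle. */
    private static final class Backoff {
        int failures;       // consecutive failed attempts from this address
        long blockedUntil;  // epoch millis before which attempts are refused outright
    }

    /** Minimal Principal so the demo does not depend on any container class. */
    private static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    private static final long BASE_DELAY_MS = 500;  // penalty after the first failure
    private static final int MAX_SHIFT = 6;         // caps the penalty at 500 ms * 2^6 = 32 s

    private final Map<String, byte[]> users = new HashMap<>();      // username -> SHA-256(password), demo only
    private final Map<String, Backoff> backoffs = new HashMap<>();  // client address -> throttle state
    private final byte[] dummyHash = sha256("dummy-for-unknown-users");

    public void addUser(String username, String password) {
        users.put(username, sha256(password));
    }

    /**
     * Returns the Principal, or null for an unknown user, a wrong password, or a
     * throttled client. The caller can only say "Invalid login".
     * nowMillis is passed in so the throttle can be exercised without sleeping.
     */
    public synchronized Principal authenticate(String username, String password,
                                               String clientAddress, long nowMillis) {
        Backoff b = backoffs.computeIfAbsent(clientAddress, k -> new Backoff());
        if (nowMillis < b.blockedUntil) {
            return null;  // inside the penalty window: same answer as a bad login
        }

        byte[] stored = users.get(username);
        // Hash the supplied password whether or not the account exists, and compare
        // in constant time, so a missing account costs the same as a wrong password
        // and the response time does not leak which case occurred.
        byte[] supplied = sha256(password);
        boolean match = MessageDigest.isEqual(supplied, stored != null ? stored : dummyHash);
        boolean ok = stored != null && match;

        if (!ok) {
            b.failures++;
            int shift = Math.min(b.failures - 1, MAX_SHIFT);
            b.blockedUntil = nowMillis + (BASE_DELAY_MS << shift);  // 0.5 s, 1 s, 2 s, ... 32 s
            return null;
        }
        backoffs.remove(clientAddress);  // success clears the penalty for this address
        return new SimplePrincipal(username);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);  // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        UniformFailureRealm realm = new UniformFailureRealm();
        realm.addUser("alice", "correct horse");  // constructed demo account
        String ip = "203.0.113.7";                // constructed client address
        // Wrong password, unknown user, and a throttled attempt all print "null".
        System.out.println(realm.authenticate("alice", "wrong", ip, 0));                 // null, penalty until 500 ms
        System.out.println(realm.authenticate("nobody", "wrong", ip, 600));              // null, penalty until 1600 ms
        System.out.println(realm.authenticate("alice", "correct horse", ip, 700));       // null: still inside the penalty
        System.out.println(realm.authenticate("alice", "correct horse", ip, 5000));      // alice
    }
}
```

Two practical points follow from the design. The throttle refuses requests until a deadline rather than sleeping inside the request, because a sleeping servlet thread is itself a resource an attacker can exhaust. And keying the penalty on the client address is only a partial defence: attackers spread attempts across many addresses, while many legitimate users share one address behind a NAT or proxy, so a per-address penalty alone can lock out a whole office after a few mistyped passwords.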
