tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joe Emenaker" <...@emenaker.com>
Subject Re: admin user/password
Date Tue, 24 Oct 2000 22:31:43 GMT

> > What bugs me is that, if you enter a valid username/password
> > combination,
> > tomcat gives no indication that they're valid... it behaves
> > as though the
> > name/password are invalid. I would have expected that it
> > would come up with
> > a page that said that I didn't have the appropriate rights
> > for that webapp
> > or something. Oh well....
>
> This would be a security risk.  It would in effect tell a
> malicious party "You have found a working username/password
> combination for this site, but not this web app".

If a malicious party was able to get a working username/password, you've got
bigger problems.

I remember reading a paper from a while back... 1988 or so.... it was a
transcript of some early unix luminary like Bill Joy or Ken Thompson
addressing a unix security conference. The thing that still sticks with me
is the point that, if someone tries to login with the right name, but wrong
password, you should treat them exactly the same as if the username doesn't
exist. Otherwise, they can "incrementally" crack the account... like finding
the combination to a safe one number at a time.

The idea you're touting is pretty much the same, but I'd say that the idea
of three lines of protection (the username, the password, and the app name)
is an illusion. The authentication step is supposed to involve the username
and password. The rest is just control of what you're allowed to access.

Imagine what it would be like if unix were like what you're describing.
Imagine three login prompts: username, password, and the file you want to
mess with. Depending what the permissions were on the target file, the
system might refuse to acknowledge the existence of the user account or the
correctness of the password at all. Blech!

> The would-be cracker could then go around trying various logins
> on your site -- not unlike someone having found a key to a building
> but not knowing which lock it fits.

Again, I say that, if you've got keys laying around, you've got bigger
problems to address than whether someone knows which of the doors it opens.

> It's always better to just give a generic "Authorization Failed"
> message no matter what the reason.

Whatever. Well, how about I meet you half way. How about, at the least, a
*clear* entry in the logs that a given user correctly authenticated but
doesn't have the rights to use the given web-app? Without this, it *is*
pretty puzzling trying to figure out why one can't log into the admin
webapp.

- Joe


Mime
View raw message