michael-o edited a comment on pull request #428: URL: https://github.com/apache/tomcat/pull/428#issuecomment-864846238
> > > > Can you please explain the purpose of the `deniedAttributes`? Why is it necessary, what is the use case for it?
> >
> > _Denied Attributes_ is the internal term for attributes to which access is denied. Those attributes could never be exposed as _user attributes_ in the Principal's attributes map. Basically, this applies to attributes/fields that contain the user's password. Requesting such an attribute causes a `userAttributeAccessDenied` message to be logged.
> >
> > Both MemoryRealm and UserDatabaseRealm provide all possible (and actually used; MemoryRealm does not use the group attribute) XML attributes of the `<user ...>` entry in tomcat-users.xml. Obviously, the password attribute is sensitive and should not be exposed, so these Realms make the `password` attribute a _denied_ attribute.
> >
> > DataSourceRealm makes the column name configured in `userCredCol` a _denied attribute_, and JNDIRealm does this for the attribute name configured in `userPassword`.

So you basically want to protect the admin/developer from shooting themselves in the foot?
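As an added illustration of the rule described in the quoted reply (not code from the PR or from Tomcat itself), here is a self-contained model in which each realm type contributes its credential field name to the denied set, and a request for a denied name is logged and refused instead of being copied into the Principal's attribute map. The class, the method names and the way the `userCredCol`/`userPassword` settings are read are assumptions, not Tomcat's actual API.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.logging.Logger;

// Hypothetical model of the denied-attributes rule; class and method names are not Tomcat's API.
public class DeniedAttributesDemo {
    private static final Logger LOG = Logger.getLogger("realm");
    // Each realm type contributes its credential field name to the denied set; matching is case-insensitive.
    static Set<String> deniedAttributesFor(String realmType, Map<String, String> realmConfig) {
        Set<String> denied = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        switch (realmType) {
            case "MemoryRealm": case "UserDatabaseRealm":
                denied.add("password");                      // <user password="..."> in tomcat-users.xml
                break;
            case "DataSourceRealm":
                denied.add(realmConfig.get("userCredCol"));  // configured credential column
                break;
            case "JNDIRealm":
                denied.add(realmConfig.get("userPassword")); // configured credential LDAP attribute
                break;
            default:
                throw new IllegalArgumentException("unknown realm type: " + realmType);
        }
        return Collections.unmodifiableSet(denied);
    }

    // Resolves the attributes an administrator asked to expose; a denied name is logged and skipped.
    static Map<String, String> principalAttributes(List<String> requested,
            Map<String, String> backendRecord, Set<String> denied) {
        Map<String, String> exposed = new LinkedHashMap<>();
        for (String name : requested) {
            if (denied.contains(name)) {
                LOG.warning("userAttributeAccessDenied: " + name); // value never enters the map
            } else if (backendRecord.containsKey(name)) {
                exposed.put(name, backendRecord.get(name));
            }
        }
        return exposed;
    }
    public static void main(String[] args) {
        // Constructed sample: a DataSourceRealm whose credential column is "user_pass".
        Set<String> denied = deniedAttributesFor("DataSourceRealm", Map.of("userCredCol", "user_pass"));
        Map<String, String> row = Map.of("user_name", "alice", "user_pass", "[hash]", "email", "a@example.org");
        System.out.println(principalAttributes(List.of("email", "USER_PASS", "user_name"), row, denied));
    }
}
```

The request for `USER_PASS` is refused despite the different case, so only `email` and `user_name` reach the Principal.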