https://bz.apache.org/bugzilla/show_bug.cgi?id=65635
Bug ID: 65635
Summary: Methods to return auth errors
Product: Tomcat 10
Version: 10.0.0
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Authentication
Assignee: dev@tomcat.apache.org
Reporter: werner.da...@googlemail.com
Target Milestone: ------
I am using FormBased login. If there is an error during login, tomcat redirects
to an error page and there I show a static text: "login failed".
But there is no way foreseen to tell the user why it failed. Sometimes you
don't want to, sometimes it is essential. I have seen quite a lot of questions
in that area in stack overflow, so it is nothing new.
Regarding the types of error, let me categorize them into four buckets:
1. username or password wrong: In this case we do not want to provide any
feedback for security ressons. A "username/password" wrong message is enough.
2. Issues with the IDP, e.g. the user database is down, network issues, too
many SQL connections open, .... all the infrastructure related issues.
Returning a static text would cause the user to retry, to change his password
or whatever. What he should do is calling IT to fix the infrastructure problem.
username/password is valid, it is just that it cannot be validated!
3. Login succeeds but a follow up action is needed. Password is flagged as
to-be-changed and a password-change dialog must be shown. Database is in
maintenance mode. This requires either a different page or additional feedback
to the error page in order to render the correct controls.
4. Issues with the Realm or its configuration. Realm implementation has a NPE.
Realm requires a setting but it is not provided. These are setup issues and
looking into the webserver logs is fine, although a user feedback might be
better still. Then the user would know it is not his fault.
It is my believe that the tomcat should provide(!) a mechanism to attach error
information to the error page in order to have the option to show different
things then. And it is the Realm developer's(!) decision what to return and
what is better hidden.
>From an implementation point if view I would think it is easy to do as well,
without any backward compatibility issues. In the FormBasedRealm I would wrap
all authenticate() calls into try-catch-Throwable and attach the exception to
the redirect call. Either as URL parameter, better as a session variable. Per
my understanding a session exists already at that point in time.
Might be better to add IOExceptions to the Realm Interface but that would not
be backward compatible.
Also I would expose a logger object for all classes extending the RealmBase
class. Just to motivate people using it more.
Do you concur?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
