https://bz.apache.org/bugzilla/show_bug.cgi?id=65635
Werner Daehn <werner.da...@googlemail.com> changed:

What     |Removed     |Added
----------------------------------
Severity |enhancement |critical

--- Comment #1 from Werner Daehn <werner.da...@googlemail.com> ---

I'd like to raise the priority on this as I feel it is an issue for almost all web applications. People either accept it grudgingly or write their own Filter/Valve bypassing all Tomcat security features and the flexibility they provide.

Upon further digging, it seems you have faced the same problem. In the JAASRealm you catch all the different exceptions and swallow the information.

https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/realm/JAASRealm.java#L441

If I am not mistaken, an easy and backward compatible solution would be to allow all the versions of `authenticate()` to throw exceptions. Best would be a hierarchy of exceptions:

LoginException --> LoginWithWarningException

These Exceptions are then used in the RealmBase to do different things:

Redirect to the error page with the exception details being attached.
Redirect to the target page but with the login warning information attached.
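The following is an added sketch of the outcome split the comment proposes; it is not Tomcat code and not the commenter's own. The `LoginWithWarningException` subtype, the `jaasLogin` stand-in and the `classify` function are hypothetical; only the `javax.security.auth.login` exception classes are real JAAS types.

```java
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class LoginOutcomeDemo {
    /** Hypothetical subtype: authentication succeeded, but the user should see a warning. */
    static class LoginWithWarningException extends LoginException {
        LoginWithWarningException(String msg) { super(msg); }
    }

    enum Action { CONTINUE_TO_TARGET, REDIRECT_TO_TARGET_WITH_WARNING, REDIRECT_TO_ERROR_PAGE }

    record Outcome(Action action, String detail) {}

    /** Constructed stand-in for a JAAS LoginModule; behaviour is keyed on the user name. */
    static void jaasLogin(String user, String password) throws LoginException {
        switch (user) {
            case "alice"   -> { if (!"correct".equals(password)) throw new FailedLoginException("bad password"); }
            case "expired" -> throw new AccountExpiredException("account expired");
            case "stale"   -> throw new LoginWithWarningException("password expires in 3 days");
            default        -> throw new FailedLoginException("unknown user");
        }
    }

    /** What a Realm could do instead of swallowing every LoginException into a plain null. */
    static Outcome classify(String user, String password) {
        try {
            jaasLogin(user, password);
            return new Outcome(Action.CONTINUE_TO_TARGET, null);
        } catch (LoginWithWarningException e) {
            // Login succeeded: send the user on, carrying the warning text with the redirect.
            return new Outcome(Action.REDIRECT_TO_TARGET_WITH_WARNING, e.getMessage());
        } catch (FailedLoginException e) {
            // Keep credential failures generic: telling "unknown user" apart from
            // "bad password" would let a client enumerate valid accounts.
            return new Outcome(Action.REDIRECT_TO_ERROR_PAGE, "invalid credentials");
        } catch (LoginException e) {
            // Policy failures (expired, locked) concern an already-valid account, so
            // their detail can be attached to the error page.
            return new Outcome(Action.REDIRECT_TO_ERROR_PAGE, e.getMessage());
        }
    }

    public static void main(String[] args) {
        for (String u : new String[] {"alice", "expired", "stale", "nobody"}) {
            System.out.println(u + " -> " + classify(u, "correct"));
        }
    }
}
```

Requires Java 16 or later for the record and arrow-form switch.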