All geek questions in one place

How to show JAAS LoginException on error page

I use JAAS and form-based web authentication on the Tomcat 8.x web server. There are many possible reasons why a user will be denied access when trying to log in:

  • invalid username
  • Incorrect password
  • does not have an account in the database
  • The account in the database is inactive.
  • The database account does not have the required roles.
  • etc....

In my LoginModule, I check all these conditions and much more and throw a LoginException if the user is not allowed to access the web application. JAAS seems to catch the raised LoginException, throw it and redirect the user to the error page specified in web.xml.

I spent hours and hours searching for a way, trying to find a way to get the reason for the exception to enter, but came up with an empty one.

Is there a way for the error page to detect the reason the LoginException was thrown?

+5
source share
1 answer
  • invalid username
  • Incorrect password

You should not distinguish between these two cases. This creates an information leak for the attacker, reducing his search space as soon as he finds a valid username. You just have to say “invalid username and password combination” or the like.

  1. does not have an account in the database

This is identical to (1).

  1. The account in the database is inactive.

This again should not be distinguished as indicated above.

  1. The database account does not have the required roles.

This is not a login failure. This becomes a denial of access when the user does something that requires a missing role, or it causes the user interface to not display actions for the missing roles.

The decision made to pass the appropriate JAAS errors to the application was to add them as the public Subject credentials.

+4
source

Source: https://habr.com/ru/post/1273773/

More articles:


All Articles