Bug 65635 - Methods to return auth errors
Summary: Methods to return auth errors
Status: NEW
Alias: None
Product: Tomcat 10
Classification: Unclassified
Component: Authentication
Version: 10.0.0
Hardware: PC All
Importance: P2 enhancement
Target Milestone: ------
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2021-10-15 13:06 UTC by Werner Daehn
Modified: 2021-10-15 16:15 UTC


Description Werner Daehn 2021-10-15 13:06:31 UTC
I am using form-based login. If there is an error during login, Tomcat redirects to an error page and there I show a static text: "login failed".
But there is no way foreseen to tell the user why it failed. Sometimes you don't want to, sometimes it is essential. I have seen quite a lot of questions in that area on Stack Overflow, so it is nothing new.

Regarding the types of error, let me categorize them into four buckets:

1. Username or password wrong: In this case we do not want to provide any feedback for security reasons. A "username/password wrong" message is enough.

2. Issues with the IDP, e.g. the user database is down, network issues, too many SQL connections open, .... all the infrastructure related issues. Returning a static text would cause the user to retry, to change his password or whatever. What he should do is call IT to fix the infrastructure problem. The username/password is valid, it is just that it cannot be validated!

3. Login succeeds but a follow up action is needed. Password is flagged as to-be-changed and a password-change dialog must be shown. Database is in maintenance mode. This requires either a different page or additional feedback to the error page in order to render the correct controls.

4. Issues with the Realm or its configuration. The Realm implementation has an NPE. The Realm requires a setting but it is not provided. These are setup issues and looking into the webserver logs is fine, although user feedback might be better still. Then the user would know it is not his fault.

It is my belief that Tomcat should provide(!) a mechanism to attach error information to the error page in order to have the option to show different things then. And it is the Realm developer's(!) decision what to return and what is better hidden.

From an implementation point of view I would think it is easy to do as well, without any backward compatibility issues. In the FormBasedRealm I would wrap all authenticate() calls into try-catch-Throwable and attach the exception to the redirect call. Either as a URL parameter, or better as a session variable. Per my understanding a session exists already at that point in time.
Might be better to add IOExceptions to the Realm Interface but that would not be backward compatible.

Also I would expose a logger object for all classes extending the RealmBase class. Just to motivate people to use it more.

Do you concur?
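The following is an added example, not code from the Tomcat project or from the bug report above. It shows one way the four failure buckets in the report could be modelled so that an error page has something to render besides a static "login failed", while keeping bucket 1 opaque and keeping raw exceptions out of the user's view. Every name in it (`CredentialStore`, `AuthOutcome`, `LoginFailure`, `SESSION_KEY`, the incident-ID scheme) is hypothetical, and a plain `Map` stands in for the session attributes the report proposes to use; it does not touch Tomcat's `Realm` or `FormAuthenticator` classes.

```java
import java.io.IOException;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not code from Tomcat or from the bug report. It models the
// four failure buckets so an error page can decide what to render. All names
// (CredentialStore, AuthOutcome, LoginFailure, SESSION_KEY) are hypothetical;
// the Map stands in for the HttpSession attributes the report proposes to use.
public class AuthFailureClassifier {

    public enum AuthOutcome {
        BAD_CREDENTIALS,     // bucket 1: no detail for the user
        BACKEND_UNAVAILABLE, // bucket 2: credentials could not be checked
        ACTION_REQUIRED,     // bucket 3: login ok, follow-up step needed
        REALM_MISCONFIGURED  // bucket 4: server-side setup bug
    }

    // What the error page may read. The raw Throwable never goes here.
    public record LoginFailure(AuthOutcome outcome, String userMessage, String incidentId) {}

    // Hypothetical stand-in for the backend a Realm would query.
    public interface CredentialStore {
        boolean verify(String username, String password) throws IOException, SQLException;
        boolean mustChangePassword(String username) throws IOException, SQLException;
    }

    public static final String SESSION_KEY = "auth.lastFailure"; // hypothetical attribute name
    private static final Logger LOG = Logger.getLogger(AuthFailureClassifier.class.getName());
    private final CredentialStore store;

    public AuthFailureClassifier(CredentialStore store) { this.store = store; }

    // Empty result means success; otherwise the classified failure, which is
    // also stored in the session so the error page can pick it up.
    public Optional<LoginFailure> authenticate(String username, String password,
                                               Map<String, Object> session) {
        LoginFailure failure;
        try {
            if (!store.verify(username, password)) {
                // Same text whether the user is unknown or the password is wrong,
                // so the error page cannot be used to enumerate accounts.
                failure = new LoginFailure(AuthOutcome.BAD_CREDENTIALS,
                        "Username or password is wrong.", null);
            } else if (store.mustChangePassword(username)) {
                failure = new LoginFailure(AuthOutcome.ACTION_REQUIRED,
                        "Your password has expired; please choose a new one.", null);
            } else {
                session.remove(SESSION_KEY);
                return Optional.empty();
            }
        } catch (IOException | SQLException e) {
            // Bucket 2: the backend could not be reached. Tell the user not to
            // retry or change the password, and give them an ID to quote to IT.
            String id = newIncidentId();
            LOG.log(Level.WARNING, "credential store unavailable, incident " + id, e);
            failure = new LoginFailure(AuthOutcome.BACKEND_UNAVAILABLE,
                    "Login cannot be checked right now. Do not change your password; "
                    + "contact IT and quote incident " + id + ".", id);
        } catch (RuntimeException e) {
            // Bucket 4: NPE, missing setting, ... Full stack trace to the log,
            // only an incident ID to the user, never the exception message.
            String id = newIncidentId();
            LOG.log(Level.SEVERE, "realm failure, incident " + id, e);
            failure = new LoginFailure(AuthOutcome.REALM_MISCONFIGURED,
                    "Login is misconfigured on the server; this is not your fault. "
                    + "Incident " + id + ".", id);
        }
        session.put(SESSION_KEY, failure);
        return Optional.of(failure);
    }

    private static String newIncidentId() {
        return UUID.randomUUID().toString().substring(0, 8);
    }

    // Demo with a constructed store whose database is down (bucket 2).
    public static void main(String[] args) {
        CredentialStore downStore = new CredentialStore() {
            public boolean verify(String u, String p) throws SQLException {
                throw new SQLException("Connection refused");
            }
            public boolean mustChangePassword(String u) { return false; }
        };
        Map<String, Object> session = new HashMap<>();
        Optional<LoginFailure> result = new AuthFailureClassifier(downStore)
                .authenticate("alice", "hunter2", session);
        System.out.println(result.get().outcome() + ": " + result.get().userMessage());
        System.out.println("session attribute set: " + session.containsKey(SESSION_KEY));
    }
}
```

The error page would read the `LoginFailure` from the session, switch on `outcome()` to choose which controls to render (a password-change form for `ACTION_REQUIRED`, a "contact IT" notice for `BACKEND_UNAVAILABLE`), and show only `userMessage()`. The incident ID is what ties the user's report back to the stack trace in the server log, so the log can stay verbose without the page ever leaking exception text, connection strings or class names.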