3 Replies Latest reply on Sep 13, 2005 12:52 AM by elkner

JBAS-2243 - SecurityExceptions

adrian.brock Sep 12, 2005 9:57 PM

http://jira.jboss.com/jira/browse/JBAS-2243

Comment by Scott M Stark [12/Sep/05 09:14 PM]
What is an example client context that is exposing this info?

A dictionary attack.

If the client has to guess both the user and password it is harder.
log.warn("Access Denied", realError);
throw new SecurityException("Access Denied"); // to the client

1. Re: JBAS-2243 - SecurityExceptions

adrian.brock Sep 12, 2005 10:18 PM (in response to adrian.brock)

"adrian@jboss.org" wrote:

log.warn("Access Denied", realError);

And this logging could be a DOS if it fills up the disk. :-)
Actions
2. Re: JBAS-2243 - SecurityExceptions

starksm64 Sep 12, 2005 10:41 PM (in response to adrian.brock)

Yes, I know, but exposing this info via a log is not a security risk. If you have access to the log its not our problem.
Actions
3. Re: JBAS-2243 - SecurityExceptions

elkner Sep 13, 2005 12:52 AM (in response to adrian.brock)
Yepp. If the server aka logs/configs are not secured, than the setup/admin has some problems ...

At least my ideal world would have something like this in the server [auth.]log:
log.warn("auth failed. principal=" + princ + " host=" + clientIP);
Actions

Go to original post