55 lines
2.5 KiB
Plaintext
55 lines
2.5 KiB
Plaintext
=== on 24 Sep 2020, 11:50:00 Eric Therond wrote:
|
|
In the future this rule can be improved:
|
|
|
|
* to check if the message sent to the user related to UsernameNotFoundException doesn't disclose any information about the existence of the user:
|
|
|
|
----
|
|
try {
|
|
userDetails = userDetailsService.loadUserByUsername(username);
|
|
} catch (UsernameNotFoundException e) {
|
|
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
|
|
return;
|
|
}
|
|
----
|
|
|
|
* to check if the message sent to the user related to UsernameNotFoundException is the same than when the password is not good:
|
|
|
|
----
|
|
if (user == null) {
|
|
throw new UsernameNotFoundException("Bad username");
|
|
}
|
|
if (!user.isPasswordCorrect(password)) {
|
|
throw new BadCredentialsException("Bad credentials");
|
|
}
|
|
----
|
|
|
|
* Some https://www.baeldung.com/spring-security-custom-authentication-failure-handler[authentificationfailurehandler] like https://docs.spring.io/spring-security/site/docs/4.2.15.RELEASE/apidocs/org/springframework/security/web/authentication/ExceptionMappingAuthenticationFailureHandler.html[ExceptionMappingAuthenticationFailureHandler] seems to https://www.programcreek.com/java-api-examples/?code=helloworldtang%2Fspring-boot-cookbook%2Fspring-boot-cookbook-master%2Fapp%2Fsrc%2Fmain%2Fjava%2Fcom%2Ftangcheng%2Fapp%2Fapi%2Frest%2Fconfig%2FSecurityConfig.java[forward] the user to a page different based on exceptions and so disclose users existence.
|
|
|
|
|
|
|
|
|
|
|
|
=== on 25 Sep 2020, 08:47:50 Eric Therond wrote:
|
|
I added again the case to raise when _UsernameNotFoundException_ is thrown because it causes an unnecessary risk, there are several compliant solutions:
|
|
|
|
* using the same error message among all other exceptions
|
|
* using _UsernameNotFoundException_ but hiding it (_setHideUserNotFoundExceptions_ to false, so if spring allows us to hide these exceptions it is likely because they might be dangerous)
|
|
* not using _UsernameNotFoundException_ at all
|
|
|
|
_UsernameNotFoundException_ can be used not only in the authenticate part of a spring application, but in other features, like reset password, in this case only one exception will be likely raised and it should not be _UsernameNotFoundException_ (if the user uses it it is likely to disclose user existence):
|
|
|
|
|
|
----
|
|
public String reset_password(String username) throws AuthenticationException {
|
|
Details user = null;
|
|
try {
|
|
user = loadUserByUsername(username);
|
|
} catch (UsernameNotFoundException | DataAccessException e) {
|
|
thrown UsernameNotFoundException("username not found");
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
|