Show custom error messages on CAS Authentication failure


Fernando Gómez

Jun 26, 2018, 9:15:07 AM
to CAS Community
Hi, I need to know if it is possible to take the original authentication error message and show the correct message.
Let me explain myself better: I want to know if it can be detected when the email is not written correctly, and to make the error say: "Wrong email".
When the password is incorrect: show "incorrect password".
I mean to show the correct message that the service returns when a login error occurs.
What I have achieved so far is to set, in messages.properties:

authenticationFailure.AccountNotFoundException = Invalid credentials.
authenticationFailure.FailedLoginException = Invalid credentials.

but I need to be more specific about the causes for which the error occurred.

I'm waiting

Grateful in advance ...

Fernando

Chia-Ying (David) Yang

Jun 26, 2018, 10:03:18 AM
to cas-...@apereo.org
Actually, it's considered good security practice to not be too specific about authentication errors.  If a hacker is using the login form, you do not want the hacker to be able to tell if the username he is trying is valid or not.  You want to be vague so that the hacker cannot tell whether the username is wrong or the password is wrong.

See: https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Authentication_Responses

David
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/27d7746e-dee8-4295-b1ff-202cb61c07e0%40apereo.org.

Fernando Gómez

Jun 26, 2018, 11:15:05 AM
to CAS Community
Chia-Ying Yang, thanks for answering me. You're absolutely right, but specifically I need to be able to show a message when someone tries to access and does not have a verified account, say something like: "Check your email and verify your account", and when it's an invalid key and/or user, good practices are used to simply say something like: "Invalid access data".

In summary, please I need to know how to show a message when the account is not yet verified
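
The following is an added example, not code from this thread or from Apereo CAS, written to show how the two requirements raised above fit together: David's point that unknown-user and wrong-password failures must produce the same response, and Fernando's need for a distinct "verify your account" message. The exception classes, the `authenticationFailure.AccountNotVerifiedException` key, the user store and the passwords are all constructed for the example (CAS's real keys follow the `authenticationFailure.<ExceptionSimpleName>` pattern quoted in the thread, but `AccountNotVerifiedException` is a hypothetical name, not a CAS class). The point a practitioner should take from it is the ordering: the unverified-account message is only returned after the password has been checked, so it cannot be used to discover which emails have a pending account.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


# Exception types standing in for the ones an authentication handler reports.
# The first two mirror the keys quoted in the thread; the third is a
# hypothetical name for an "account exists but email not yet verified" failure.
class AccountNotFoundException(Exception):
    pass


class FailedLoginException(Exception):
    pass


class AccountNotVerifiedException(Exception):  # hypothetical, not a CAS class
    pass


# Message table in the same shape as the messages.properties keys from the
# thread (constructed for this example). Unknown-user and wrong-password map to
# the same text on purpose; only the unverified state gets a distinct message.
MESSAGES = {
    "authenticationFailure.AccountNotFoundException": "Invalid credentials.",
    "authenticationFailure.FailedLoginException": "Invalid credentials.",
    "authenticationFailure.AccountNotVerifiedException":
        "Check your email and verify your account.",
    "authenticationFailure.UNKNOWN": "Invalid credentials.",
}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, verified: bool) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "verified": verified}


# Constructed user store: one verified account, one that never confirmed its email.
USERS = {
    "alice@example.com": make_user("correct horse", verified=True),
    "bob@example.com": make_user("battery staple", verified=False),
}

# Dummy record used when the email is unknown, so the handler does the same
# amount of hashing work whether or not the account exists.
_DUMMY = make_user("not a real password", verified=True)


def authenticate(email: str, password: str) -> str:
    """Return the principal id on success; raise a typed exception otherwise.

    The password is checked before the verified flag is consulted, so the
    'verify your account' outcome is only reachable by someone who already
    knows the password. Raising it earlier would confirm which emails have
    a (pending) account to anyone probing the login form.
    """
    user = USERS.get(email)
    record = user if user is not None else _DUMMY
    password_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    if user is None:
        raise AccountNotFoundException(email)
    if not password_ok:
        raise FailedLoginException(email)
    if not user["verified"]:
        raise AccountNotVerifiedException(email)
    return email


def message_for(exc: Exception) -> str:
    """Resolve the user-facing text the way a messages.properties lookup would:
    key is authenticationFailure.<exception simple name>, with a generic fallback."""
    key = "authenticationFailure." + type(exc).__name__
    return MESSAGES.get(key, MESSAGES["authenticationFailure.UNKNOWN"])


def login_attempt(email: str, password: str) -> Tuple[bool, Optional[str]]:
    """Drive one login; returns (success, error message or None)."""
    try:
        authenticate(email, password)
    except (AccountNotFoundException, FailedLoginException, AccountNotVerifiedException) as exc:
        return False, message_for(exc)
    return True, None


if __name__ == "__main__":
    for email, pw in [("alice@example.com", "correct horse"),
                      ("bob@example.com", "battery staple"),
                      ("bob@example.com", "wrong"),
                      ("nobody@example.com", "whatever")]:
        print(email, login_attempt(email, pw))
```

Run as a script it prints one line per attempt: only Bob with his correct password sees the verification message; Bob with a wrong password and a non-existent address both get the same "Invalid credentials." text. The dummy hash on the unknown-user path keeps the response time similar in both cases, which matters because a noticeably faster "user not found" path leaks the same information as a distinct message would.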

Ramakrishna G

Aug 13, 2018, 5:09:56 AM
to CAS Community
Fernando,

Did you solve the issue? Can you share your code?

Thanks in advance

Alex Decherd

Jun 19, 2019, 11:49:02 AM
to CAS Community
It's right for CAS to not be specific about authentication errors by default, but I'd like to have the option to show errors in a test CAS instance so that customers who are integrating with us can see errors without my having to look at the logs. Is there an option for this?

Thanks!