OpenAM: OPENAM-18072

Wrong error message for inactive user


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.1.0

      Description

      Bug description

      Concerns have been raised regarding the security of the error message "User Locked Out", which we get when someone tries to authenticate with an existing username (even without trying a password) and the user is inactive, on AM 7.1 with user lockout disabled.

      This message reveals that the particular user exists in the directory. In previous versions (AM 6.5.2.1) the error for the same use case was "Login failure", which is much more appropriate.

      How to reproduce the issue

      https://backstage.forgerock.com/docs/am/7/authentication-guide/about-authentication-trees.html#account-lockout-trees 

      1. Create a user
      2. Leave the user inactive
      3. Try to log in using only the new user's username (do not type any password)

      Expected behaviour
      error message "Login failure"

      Current behaviour
      error message "User Locked Out"

      Work around

      One possible route to work around this is to customise the error message returned using LdapDecisionNode.properties.
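The report above is a username-enumeration oracle: the same request yields a different error depending on whether the account exists. The following script is an added example (not part of this issue or of the OpenAM code base) of how a tester would confirm or rule out such an oracle. It assumes the AM REST login shape `POST {base}/json/realms/root/authenticate` with the username in the `X-OpenAM-Username` header and a JSON error body carrying a `message` field; the sample responses are constructed to mirror the behaviour described in the report and are not captured from a real server.

```python
"""
Detect whether an authentication endpoint distinguishes existing from
non-existent accounts through its error responses (username enumeration).

Added example for OPENAM-18072, not OpenAM's own code.
ASSUMPTIONS (not confirmed by the issue): endpoint path, header names and
the JSON "message" field of the AM REST authenticate API. The fake_fetch_*
helpers return CONSTRUCTED responses mirroring the report, so the script
runs offline.
"""
import json
import urllib.error
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, str]  # (HTTP status, server message)


def am_fetch(base_url: str, username: str, password: str = "") -> Response:
    """Zero-page login against AM (assumed endpoint shape) using only a
    username, as in the reproduction steps. Returns (status, message)."""
    req = urllib.request.Request(
        f"{base_url}/json/realms/root/authenticate",
        data=b"{}",
        method="POST",
        headers={
            "X-OpenAM-Username": username,
            "X-OpenAM-Password": password,
            "Accept-API-Version": "resource=2.0, protocol=1.0",
            "Content-Type": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = json.loads(resp.read().decode() or "{}")
            return resp.status, body.get("message", "authenticated")
    except urllib.error.HTTPError as err:
        body = json.loads(err.read().decode() or "{}")
        return err.code, body.get("message", "")


def find_enumeration_oracle(usernames: Iterable[str],
                            fetch: Callable[[str], Response]) -> Dict[Response, List[str]]:
    """Group probe usernames by the exact (status, message) pair returned.
    Every probe sends the same (empty) credential, so any split into more
    than one group means the server is telling the client something about
    the account itself rather than about the credential."""
    groups: Dict[Response, List[str]] = defaultdict(list)
    for user in usernames:
        groups[fetch(user)].append(user)
    return dict(groups)


def is_leaking(groups: Dict[Response, List[str]]) -> bool:
    """True when the endpoint returned more than one distinct response."""
    return len(groups) > 1


# CONSTRUCTED responses mirroring the report for AM 7.1: an existing but
# inactive user gets "User Locked Out", anyone else gets "Login failure".
CONSTRUCTED_AM71 = {"alice": (401, "User Locked Out")}


def fake_fetch_am71(username: str) -> Response:
    return CONSTRUCTED_AM71.get(username, (401, "Login failure"))


def fake_fetch_am652(username: str) -> Response:
    # CONSTRUCTED: the uniform behaviour the report attributes to AM 6.5.2.1.
    return (401, "Login failure")


if __name__ == "__main__":
    probes = ["alice", "bob", "nosuchuser1", "nosuchuser2"]
    for label, fetch in (("AM 7.1", fake_fetch_am71), ("AM 6.5.2.1", fake_fetch_am652)):
        groups = find_enumeration_oracle(probes, fetch)
        verdict = "LEAKS account existence" if is_leaking(groups) else "uniform"
        print(f"{label}: {verdict} -> {groups}")
```

Against a live system, replace the fake fetchers with `functools.partial(am_fetch, "https://am.example.com/am")` and include a mix of known-valid and certainly-invalid usernames; a fix is only complete when every probe lands in a single group, since a remaining difference in status code, message, or even response size still enumerates accounts.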


            People

            Assignee: Unassigned
            Reporter: Greg Galanopoulos (greg.galanopoulos)
