Dimitris Andreadis updated JBAS-2243:
-------------------------------------
Fix Version/s: (was: JBossAS-4.0.5.GA)
UsernamePassword/DatabaseServerLoginModule reveal too much information
---------------------------------------------------------------------
Key: JBAS-2243
URL: http://jira.jboss.com/jira/browse/JBAS-2243
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-4.0.3RC2
Environment: 4.0.3RC2/EJB3
Reporter: Jens Elkner
If an authentication fails, the thrown javax.security.auth.login.FailedLoginException has
a detailed message, which says "Password Incorrect/Password Required" or
"No matching username found in Principals". This is pretty good information
for an attacker, since it then knows where to continue its attack and is able to skip a
lot of tasks (no matter whether it comes from the internal or external network - in our
days, attacks from internal are probably the most common case).
Actually, that's also the reason why many authentication systems even insert a
delay, to not let the attacker guess whether the guessed username was wrong or the guessed
password (minimal, but measurable delay due to en/decryption) ...
So, logging those details might be OK, but revealing this information to the client is without
any doubt a security issue!
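Added example (not code from JBoss or from the reporter): a small Python model of the two behaviours the report contrasts. leaky_login raises the three distinct messages quoted above, so a client can tell whether the username or the password was wrong. hardened_login returns one generic message and logs the real cause server-side only, as the report suggests. It also hashes a dummy credential when the username does not exist, so the unknown-user path does the same work as the bad-password path; this "dummy hash" equalisation is an assumption of the example, not something the report prescribes, and it is an alternative to the fixed delay the reporter mentions. The user store, salts and passwords are constructed for the example.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("auth")

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
# Iteration count kept low so the example runs quickly; use a much higher one in practice.
ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT_ALICE = bytes.fromhex("00" * 16)          # fixed salt so the example is reproducible
USERS = {"alice": (_SALT_ALICE, _hash("correct horse", _SALT_ALICE))}

# Dummy credential used when the username is unknown, so that path costs the
# same as a real password check (assumption: equalising work instead of adding a delay).
_DUMMY_SALT = bytes.fromhex("ff" * 16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

GENERIC_MSG = "Invalid username or password"


class LeakyLoginError(Exception):
    """Stands in for FailedLoginException with a cause-specific message."""


class LoginError(Exception):
    """Stands in for FailedLoginException with a uniform message."""


def leaky_login(username: str, password: str) -> bool:
    """Mirrors the reported behaviour: the message tells the client which step failed."""
    rec = USERS.get(username)
    if rec is None:
        raise LeakyLoginError("No matching username found in Principals")
    salt, expected = rec
    if not password:
        raise LeakyLoginError("Password Required")
    if _hash(password, salt) != expected:
        raise LeakyLoginError("Password Incorrect")
    return True


def hardened_login(username: str, password: str) -> bool:
    """Same checks, but the client only ever sees GENERIC_MSG; details go to the server log."""
    rec = USERS.get(username)
    # Always run the hash and the comparison, even for unknown users.
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password or "", salt), expected)
    ok = match and rec is not None          # a match against the dummy hash never counts
    if not ok:
        cause = "unknown user" if rec is None else ("empty password" if not password else "bad password")
        log.info("login failed for %r: %s", username, cause)   # detail stays server-side
        raise LoginError(GENERIC_MSG)
    return True


def failure_message(login_fn, username: str, password: str):
    """Return the message a client would receive, or None on success."""
    try:
        login_fn(username, password)
        return None
    except (LeakyLoginError, LoginError) as e:
        return str(e)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for fn in (leaky_login, hardened_login):
        for user, pw in (("bob", "x"), ("alice", ""), ("alice", "wrong"), ("alice", "correct horse")):
            print(fn.__name__, user, repr(pw), "->", failure_message(fn, user, pw))
```

Run it and compare the two columns: the leaky variant hands back three different strings, the hardened one always the same string, while the server log still records the cause for operators. hmac.compare_digest is used for the final comparison so the check does not leak through early exit on the first mismatching byte.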
--
This message is automatically generated by JIRA.