You showed in the passt the correct error message only if the user has entered the correct
password.
In other words, you can split the userValidation into a pre and post validation, so you
have the possibility to show sensitive messages only to authenticated users.
Am 29.10.2015 um 00:42 schrieb Bill Burke <bburke(a)redhat.com>:
Hmmm...IIRC I kept that there because, if the account is disabled how would the user ever
know? This is even more important with a temporarily disabled account.
> On 10/28/2015 5:48 PM, Michael Gerber wrote:
> Just create a new user, disable it and try to log in with the username and a wrong
password.
> And you will get the following error message:
> Account is disabled, contact admin.
>
>
>> On 28.10.2015, at 20:50, Bill Burke <bburke(a)redhat.com> wrote:
>>
>> How is this possible?
>>
>>> On 10/28/2015 10:53 AM, Michael Gerber wrote:
>>> Hi all,
>>>
>>> it is possible to guess the username of disabled users.
>>> This was not possible in earlier versions of keycloak. Is this on purpose?
>>>
>>> Best
>>> Michael
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com