Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default Log In Page should always be generic message #16484

Open
rwinch opened this issue Jan 24, 2025 · 6 comments · May be fixed by #16575
Open

Default Log In Page should always be generic message #16484

rwinch opened this issue Jan 24, 2025 · 6 comments · May be fixed by #16575
Assignees
@Tejas-Teju
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Milestone
6.5.x

Comments

@rwinch
Copy link
Member

rwinch commented Jan 24, 2025

The error message on the default log in pages should always be a generic message so that it does not have any information leakage when AuthenticationException.message includes details about the failure. To help developers, we should also ensure that the failure is logged at the debug level (likely in the AuthenticationManager so that it happens for all failures).
@rwinch rwinch added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jan 24, 2025
@Tejas-Teju
Copy link
Contributor

Hi @rwinch
Can you assign this issue to me? I will work on this

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 3, 2025
@jzheaux jzheaux added this to the 6.5.x milestone Feb 3, 2025
@jzheaux
Copy link
Contributor

jzheaux commented Feb 3, 2025

Thanks, @Tejas-Teju! Looking forward to another PR from you.

@Tejas-Teju
Copy link
Contributor

Tejas-Teju commented Feb 6, 2025
edited
Loading

@jzheaux

Need your inputs

  1. Can DefaultLoginPageGeneratingFilter.getLoginErrorMessage() be updated for generic messages in login pages? This method returns a Local message for AuthenticationException types but "Invalid credentials" for others. If we can localize the generic message say Bad credentials will that be useful?

  2. The DEBUG messages can be logged at ProviderManager?

We can even log the error at OneTimeTokenAuthenticationProvider and re-throw the exception as BadCredentialsException (Refer PR)

@jzheaux
Copy link
Contributor

jzheaux commented Feb 7, 2025
edited
Loading

The change is to not check for an exception message. Because of that, the answer is always "Invalid Credentials". That means this:

String errorMsg = loginError ? getLoginErrorMessage(request) : "Invalid credentials";

should be able to change to:

String errorMsg = "Invalid Credentials";

and getLoginErrorMessage should not be necessary anymore.

The format for failure logs that we usually follow is:

{what the code failed to do} since {reason for the failure}

For example,

Failed to authenticate token since it was either expired or missing

As for Provider Manager, I'd probably have a generic message like:

Denying authentication since all attempted providers failed

for the end and a more contextual message for the AccountStatusException and InternalAuthenticationServiceException catch block.

@jzheaux
Copy link
Contributor

jzheaux commented Feb 7, 2025
edited
Loading

We can even log the error at OneTimeTokenAuthenticationProvider and re-throw the exception as BadCredentialsException

Good idea, @Tejas-Teju, please go ahead an just focus on ProviderManager and DefaultLoginPageGeneratingFilter, though, for this ticket. And would you mind creating a separate ticket to improve logging in One-Time Token? That way we can review that entire feature holistically.

@Tejas-Teju
Copy link
Contributor

Thanks @jzheaux

There was a test case for getting the error message in KOREA; hence, I thought we'll have to render the message in Local language.

Sure, I'll raise a separate ticket for logging.

@Tejas-Teju Tejas-Teju linked a pull request Feb 12, 2025 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Tejas-Teju Tejas-Teju

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
None yet
Milestone
6.5.x
Development

Successfully merging a pull request may close this issue.

Generic error message in Log In page and debug messages Tejas-Teju/spring-security
3 participants
@rwinch @jzheaux @Tejas-Teju