
I am working on a web/enterprise (ear) Java application, done in JSF 2 with PrimeFaces 4, running on JBoss AS 7.1.1.Final, and using JBoss Security Domain, with DatabaseServerLoginModule and auth-method FORM.

It is working correctly, and if a username or password is incorrect, it redirects to the page configured by form-error-page in web.xml, as expected (where it says that the username or password was incorrect).

My boss is asking for a more specific message, like "invalid username" or "invalid password", according to which data was wrong. This could be in the form-error-page, or better, as a message near the login form fields.

Is it possible? How?

Thanks

  • Why do you want to do it at all? If you add a specific message like "invalid username" or "invalid password", you are telling someone precisely what is wrong (username or password). – Magic Wand Jul 23 '14 at 13:29
  • I think it's bad practice to report the details. It would make it much easier to hack by guessing a correct username and then brute-forcing the password. At least you have to take care of that problem. – Jaqen H'ghar Jul 23 '14 at 13:40
  • For me, it's less secure also, but my boss thinks that it is less usable (he made me read this: http://www.sitepoint.com/3-rules-painless-account-ux-login-screens/ ). I was searching in the source code of DatabaseServerLoginModule (and its superclass UsernamePasswordLoginModule, both in PicketBox source code, not JBoss source code), and I see that it throws a FailedLoginException(). But I don't know if I can catch it, because the security is managed by JBoss – Luis Cardozo Jul 23 '14 at 15:35
  • Then Gmail has very low usability :-) I guess there are several points of view – Jaqen H'ghar Jul 23 '14 at 16:27
  • I know that it is very subjective. I really prefer not to do this, but, now that I am researching it, it's intriguing me. I wonder if it is technically possible, without recompiling JBoss or something like that – Luis Cardozo Jul 23 '14 at 18:45

0 Answers
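Added example, not from the question or its comments: one way to show the login outcome next to the form fields while still delegating to the JBoss security domain is programmatic login through the Servlet 3.0 `HttpServletRequest#login` from a JSF bean. The message shown to the user is deliberately the same whichever field was wrong; the container's detail goes only to the server log, where it is useful for spotting enumeration or brute-force attempts. `LoginBean`, the `loginForm` client id and the `home` outcome are assumed names.

```java
import java.util.logging.Logger;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Hypothetical JSF 2 request-scoped bean backing the login form.
@ManagedBean
@RequestScoped
public class LoginBean {
    private static final Logger LOG = Logger.getLogger(LoginBean.class.getName());
    // One message for every failure: the user learns only that the pair was wrong.
    private static final String GENERIC_MSG = "Invalid username or password.";

    private String username;
    private String password;

    public String login() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest request = (HttpServletRequest) ctx.getExternalContext().getRequest();
        try {
            // Authenticates against the security domain bound to this web module
            // (DatabaseServerLoginModule in the question); throws on any failure.
            request.login(username, password);
            return "home?faces-redirect=true"; // assumed outcome name
        } catch (ServletException e) {
            // Whatever detail the container puts in the exception stays server-side.
            // Strip CR/LF from the user-supplied name so it cannot forge log lines.
            String safeUser = username == null ? "" : username.replaceAll("[\\r\\n]", "_");
            LOG.warning("Login failed for '" + safeUser + "' from "
                    + request.getRemoteAddr() + ": " + e.getMessage());
            // Rendered by an <h:message for="loginForm"/> or <p:messages/> in the view.
            ctx.addMessage("loginForm",
                    new FacesMessage(FacesMessage.SEVERITY_ERROR, GENERIC_MSG, null));
            return null; // stay on the login page so the message is shown
        } finally {
            password = null; // do not keep the secret in the bean longer than needed
        }
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

Because the failure is surfaced as a FacesMessage rather than a redirect to form-error-page, the form keeps its state and the message can sit beside the fields, which addresses the usability request without revealing which field was wrong.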