4 Replies Latest reply: Mar 23, 2012 2:13 AM by Phinehas1234

    Login Fail Detail Message

    Phinehas1234 Community Member

      Hi,

       

      We are using the following method to log in to our systems.

       

      <!--- inside the authenticateUser function of the CFC; domain, userid and passwd arrive as arguments --->
      <cftry>
          <cfscript>
          // JRun's NT authentication helper; authenticateUser() throws if the logon is refused for any reason
          ntauth = createObject("java", "jrun.security.NTAuth");
          ntauth.init(arguments.domain);
          ntauth.authenticateUser(arguments.userid, arguments.passwd);
          </cfscript>
          <cfcatch>
              <!--- only the exception message is kept for the caller --->
              <cfset errMessage = cfcatch.Message>
          </cfcatch>
      </cftry>

       

      However, users sometimes report that they fail to log in to the system. We suggest that they reset their password, and that solves the problem. However, we found that some login failures are not caused by an expired password or a locked Windows account. How can I get a more detailed message (e.g. Windows account locked, password expired, password incorrect, and so on) to check the reason for the failure?

        • 1. Re: Login Fail Detail Message
          BKBK Community Member

          cfcatch.detail or cfcatch.stacktrace should give you more details.

          • 2. Re: Login Fail Detail Message
            Phinehas1234 Community Member

            Yes, cfcatch.stacktrace can give me more details.

             

            But,

            If I input an incorrect password, it prompts me with "Error authenticating user: XXXXX in the Windows domain" (I expected it to say "password incorrect").

            java.lang.Exception: Error authenticating user: XXXXX in the Windows domain
                at jrun.security.NTAuth.AuthenticateUser(NTAuth.java:113)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                at java.lang.reflect.Method.invoke(Method.java:597)
                at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:87)
                at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2260)
                at cfntsecurity2ecfc1797929604$funcAUTHENTICATEUSER.runFunction(E:\Inetpub\JEC Intranet\tender\ntsecurity.cfc:29)
                at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:418)
                at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:324)
                at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:56)
                at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:277)
                at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:463)
                at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:453)
                at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:320)
                at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2210)
                at coldfusion.tagext.lang.InvokeTag.doEndTag(InvokeTag.java:358)
                at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:2645)
                at cfApplication2ecfm377834145.runPage(E:\Inetpub\JEC Intranet\tender\Application.cfm:82)
                at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:192)
                at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:366)
                at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
                at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)
                at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:214)
                at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
                at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
                at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
                at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:74)
                at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
                at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
                at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
                at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
                at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
                at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)
                at coldfusion.CfmServlet.service(CfmServlet.java:175)
                at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
                at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
                at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
                at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
                at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
                at jrun.servlet.FilterChain.service(FilterChain.java:101)
                at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
                at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
                at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:284)
                at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
                at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
                at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
                at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

             

            If I input an incorrect login name, it prompts me with the following (I expected it to say "username cannot be found"):

            java.lang.RuntimeException: The user name could not be found. ......

             

            Also, if the password is expired, it should say "Password expired".

             

             

            However, the stack trace details cannot help me find out the cause of the login failure.

            • 3. Re: Login Fail Detail Message
              BKBK Community Member

              I do believe that that is intentional. Any authentication-failure message that tells you "password incorrect" or "username could not be found" might be giving away too much information. After all, the context is security. You wouldn't want to reveal more about your security than is necessary.

               

              Suppose, for example, the username is e-mail. Suppose also that your authentication gives out error messages as above. Then I could, without having anything to do with your site, easily find out whether an arbitrary e-mail address belongs to your list of clients.

               

              However, if you insist, you could easily extend your code to validate the password or username. That should happen before the authentication code.

               

              Something like this comes to mind:

               

              <!--- fetch rows matching either the submitted user name or the submitted password, so the two
                    can be checked separately; cfqueryparam keeps the submitted values out of the SQL text --->
              <cfquery name="credentials" datasource="myDSN">
                  select username, pword
                  from client
                  where username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="20">
                  or pword = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar" maxlength="10">
              </cfquery>

              <!--- pword is compared directly with the submitted value, so the table must hold it in the form the user types --->
              <cfif credentials.recordcount GT 0 and listfindnocase(valuelist(credentials.username), form.username) EQ 0>
                  <!--- password matched, username didn't --->
              <cfelseif credentials.recordcount EQ 1 and compare(credentials.pword, form.password) NEQ 0>
                  <!--- username matched, password didn't --->
              <cfelseif credentials.recordcount EQ 1 and compareNoCase(credentials.username, form.username) EQ 0 and compare(credentials.pword, form.password) EQ 0>
                  <!--- username and password matched --->
              <cfelse>
                  <!--- no match --->
              </cfif>

              • 4. Re: Login Fail Detail Message
                Phinehas1234 Community Member

                I understand your point.

                 

                However, we use Windows accounts to log in to the system; our system does not store their passwords.

                 

                And sometimes users can log in successfully, but sometimes they cannot. After resetting their Windows login password, they can log in to the system again. Therefore, I would like to know how this happens and how to solve it. We have checked their Windows login accounts, and they do not have the expired-password or locked-account problem. There must be some other issue preventing users from logging in.

                 

                Do you have any information related to this issue?
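The thread leaves the original question open, so here is an added example; it is not part of the thread and not ColdFusion or JRun code. As the stack trace above shows, jrun.security.NTAuth wraps every refused logon in the same "Error authenticating user" exception, and BKBK's point is that the reply shown to the user should stay that uninformative. The precise reason is still available to the operator: Windows records it as an NTSTATUS code in the Security log of the machine that attempted the logon (event 4625, Status and Sub Status fields, on Windows Server 2008 and later; the older 529 to 539 series carries the same information) and, for NTLM credential validation, on the domain controller (event 4776, Error Code field). The Python below decodes those codes from constructed sample lines (not real log output), keeps the detail on the server side, and returns one identical message to every caller. The one-line field layout of the samples, the logger name and the function names are this example's own assumptions; the NTSTATUS values are the standard Windows constants.

```python
"""Added example (not from the thread): decode Windows logon-failure NTSTATUS
codes for the operator while every caller sees one generic message."""
import logging
import re

# NTSTATUS values Windows writes as "Sub Status" (event 4625) or "Error Code"
# (event 4776) for a refused logon. Standard Windows constants.
NTSTATUS_REASONS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC000006D: "bad user name or authentication information",
    0xC000006E: "account restriction",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "logon from an unauthorised workstation",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC000015B: "logon type not granted",
    0xC0000193: "account expired",
    0xC0000224: "user must change password at next logon",
    0xC0000234: "account locked out",
}

# The one reply every caller receives, whatever the real cause.
GENERIC_MESSAGE = "Login failed. Check your user name and password."

# Constructed sample lines (assumed layout, not real log output): the Account
# Name, Status and Sub Status fields of event 4625 flattened onto one line each.
SAMPLE_EVENTS = """\
EventID=4625 Account Name=alice Status=0xC000006D Sub Status=0xC000006A
EventID=4625 Account Name=bob Status=0xC0000234 Sub Status=0x0
EventID=4625 Account Name=carol Status=0xC000006D Sub Status=0xC0000064
EventID=4625 Account Name=dave Status=0xC000006E Sub Status=0xC0000071
EventID=4625 Account Name=erin Status=0xC000006E Sub Status=0xC0000224
"""

_FIELDS = re.compile(
    r"Account Name=(\S+) Status=(0x[0-9A-Fa-f]+) Sub Status=(0x[0-9A-Fa-f]+)"
)


def classify_failure(status, sub_status):
    """Map a (Status, Sub Status) pair to a reason string.

    Windows puts the specific cause in Sub Status when it is non-zero and
    otherwise in Status (lockouts are reported that way), so prefer Sub Status.
    Unknown codes are reported as such, not guessed.
    """
    code = sub_status if sub_status else status
    return NTSTATUS_REASONS.get(code, "unknown NTSTATUS 0x%08X" % code)


def parse_events(text):
    """Return [(account, reason), ...] for every failed-logon line in text."""
    results = []
    for line in text.splitlines():
        match = _FIELDS.search(line)
        if match:
            account, status, sub_status = match.groups()
            results.append(
                (account, classify_failure(int(status, 16), int(sub_status, 16)))
            )
    return results


def login_response(account, status, sub_status, log=logging.getLogger("auth")):
    """What a login page should do with a refused logon.

    The exact reason goes to the server-side log for the operator; the caller
    gets the same text for a wrong password, an unknown user, a lockout or an
    expired password, so the form cannot be used to enumerate accounts.
    """
    reason = classify_failure(status, sub_status)
    log.warning(
        "logon refused user=%s reason=%s status=0x%08X sub_status=0x%08X",
        account, reason, status, sub_status,
    )
    return GENERIC_MESSAGE


if __name__ == "__main__":
    for account, reason in parse_events(SAMPLE_EVENTS):
        print("%-6s %s" % (account, reason))
    # identical reply for an unknown user and for a wrong password
    print(login_response("alice", 0xC000006D, 0xC000006A))
    print(login_response("carol", 0xC000006D, 0xC0000064))
```

For a user who can log in one day and not the next, the Sub Status recorded for that user's failed attempts is the quickest way to tell a wrong password (0xC000006A) from a lockout (0xC0000234) or an expiry (0xC0000071) without changing what the login page tells anyone.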