March 23, 2012
Question

Login Fail Detail Message

  • March 23, 2012
  • 1 reply
  • 1404 views

Hi,

We are using the following method to log in to systems.

<cftry>
    <cfscript>
        // Authenticate the supplied credentials against the Windows domain
        ntauth = createObject("java", "jrun.security.NTAuth");
        ntauth.init(arguments.domain);
        ntauth.authenticateUser(arguments.userid, arguments.passwd);
    </cfscript>
    <cfcatch>
        <!--- Any failure lands here; only the exception message is kept --->
        <cfset errMessage = cfcatch.Message>
    </cfcatch>
</cftry>

However, users sometimes report that they fail to log in to the system. We suggest that they reset their password, and that solves the problem. However, we have found that some login failures are not caused by an expired password or a locked Windows account. How can I get a more detailed message (e.g. locked Windows account, password expired, password incorrect, and so on) to check the reason for the failure?


    BKBK
    Community Expert
    March 23, 2012

    cfcatch.detail or cfcatch.stacktrace should give you more details.

    March 23, 2012

    Yes, cfcatch.stacktrace can give me more details.

    But,

    If I enter an incorrect password, it shows me "Error authenticating user: XXXXX in the Windows domain" (I expected it to say that the password is incorrect):

    java.lang.Exception: Error authenticating user: XXXXX in the Windows domain at jrun.security.NTAuth.AuthenticateUser(NTAuth.java:113) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:87) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2260) at cfntsecurity2ecfc1797929604$funcAUTHENTICATEUSER.runFunction(E:\Inetpub\JEC Intranet\tender\ntsecurity.cfc:29) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:418) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:324) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:56) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:277) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:463) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:453) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:320) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2210) at coldfusion.tagext.lang.InvokeTag.doEndTag(InvokeTag.java:358) at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:2645) at cfApplication2ecfm377834145.runPage(E:\Inetpub\JEC Intranet\tender\Application.cfm:82) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:192) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:366) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:214) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:86) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at 
coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:74) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126) at coldfusion.CfmServlet.service(CfmServlet.java:175) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:284) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

    If I enter an incorrect login name, it shows me the following (I expected it to say that the username cannot be found):

    java.lang.RuntimeException: The user name could not be found. ......

    Also, if the password is expired, it should say "Password expired".

    However, the stacktrace details do not help me find out the cause of the login failure.

    BKBK
    Community Expert
    March 23, 2012

    I do believe that that is intentional. Any authentication-failure message that tells you "password incorrect" or "username could not be found" might be giving away too much information. After all, the context is security. You wouldn't want to reveal more about your security than is necessary.

    Suppose, for example, the username is e-mail. Suppose also that your authentication gives out error messages as above. Then I could, without having anything to do with your site, easily find out whether an arbitrary e-mail address belongs to your list of clients.

    However, if you insist, you could easily extend your code to validate for password or username. That should happen before the authentication code.

    Something like this comes to mind:

    <!--- Look up rows whose username OR password matches, so the branches below can tell which half matched --->
    <cfquery name="credentials" datasource="myDSN">
        select username, pword
        from client
        where username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="20">
           or pword = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar" maxlength="10">
    </cfquery>

    <cfif credentials.recordcount GT 0 and listfindnocase(valuelist(credentials.username), form.username) EQ 0>
        <!--- password matched, username didn't --->
    <cfelseif credentials.recordcount EQ 1 and compare(credentials.pword, form.password) NEQ 0>
        <!--- username matched, password didn't --->
    <cfelseif credentials.recordcount EQ 1 and compareNoCase(credentials.username, form.username) EQ 0 and compare(credentials.pword, form.password) EQ 0>
        <!--- username and password matched --->
    <cfelse>
        <!--- no match --->
    </cfif>
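The pattern BKBK's reply argues for, shown as an added example rather than code from either participant: the jrun.security.NTAuth call from the question is kept, the user always receives one generic message, and the detailed reason (classified from the two exception messages quoted in the thread) is written to a server-side log so the help desk can still diagnose the failure. The function names classifyAuthFailure and authenticateUser, the reason codes, and the log file name "ntauth" are assumptions made for this example.

```cfml
<cfscript>
// Added example (not code from the thread). Keeps the NTAuth call from the
// question but separates what the user sees from what the server records.
// Assumed names: classifyAuthFailure, authenticateUser, log file "ntauth".

// Map the exception text to a short internal reason code. Only the two
// messages quoted in the thread are matched; anything else becomes "other"
// and its message is logged verbatim for later diagnosis.
string function classifyAuthFailure(required string message, required string detail) {
    var text = arguments.message & " " & arguments.detail;
    if (findNoCase("could not be found", text)) {
        return "user_not_found";
    }
    if (findNoCase("Error authenticating user", text)) {
        // Wrong password, locked account and expired password all surface
        // as this message, so the code cannot distinguish them further.
        return "bad_credentials";
    }
    return "other";
}

// Authenticate against the domain. Returns ok=true/false plus a userMessage
// that is identical for every failure, so the response never reveals whether
// the username exists or which part of the credentials was wrong.
struct function authenticateUser(required string domain, required string userid, required string passwd) {
    var result = {
        ok = false,
        userMessage = "Login failed. Check your username and password, or contact the help desk."
    };
    var reason = "success";
    var rawMessage = "";
    var ntauth = "";
    try {
        ntauth = createObject("java", "jrun.security.NTAuth").init(arguments.domain);
        ntauth.authenticateUser(arguments.userid, arguments.passwd);
        result.ok = true;
    } catch (any e) {
        reason = classifyAuthFailure(e.message, e.detail);
        rawMessage = e.message;
    }
    // The detailed reason goes only to the server-side log. The password is
    // never written anywhere; the client address helps spot repeated failures.
    writeLog(
        file = "ntauth",
        type = result.ok ? "information" : "warning",
        text = "user=#arguments.userid# domain=#arguments.domain# reason=#reason# client=#cgi.remote_addr# message=#rawMessage#"
    );
    return result;
}
</cfscript>
```

A caller displays result.userMessage and nothing else; the ntauth log, not the browser, is where "user_not_found" versus "bad_credentials" is read, which gives the help desk the detail the question asks for without handing an outsider the enumeration oracle BKBK describes.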