How to show JAAS LoginException on error page

Question

I am using JAAS and form based web authentication on a Tomcat 8.x web server. There are many possible reasons why a user gets denied access when trying to log in:

1. invalid username
2. invalid password
3. doesn't have account in database
4. account in database is not active
5. account in database doesn't have required roles
6. etc....

In my LoginModule, I check for all these conditions and more, and throw a LoginException if the user should not be allowed to access the web app. JAAS seems to catch the thrown LoginException, throw it away, and redirect the user to the error page specified in the web.xml .

I have spent hours and hours googling around trying to find a way to obtain the reason for the login exception but have come up empty.

Is there any way for the error page to find out the reason why the LoginException was thrown?

Answer 1

1. invalid username
2. invalid password

You should not distinguish these two cases. Doing so constitutes an information leak to the attacker, by reducing his search space once he has found a valid username. You should just report 'invalid username/password combination' or similar.

3. doesn't have account in database

This is identical to (1).

4. account in database is not active

This again should not be distinguished, as above.

5. account in database doesn't have required roles

This is not a login failure. This becomes an access denial when the user performs something that requires a missing role, or it causes the user interface not to display actions for the missing roles.

The solution I adopted to passing appropriate JAAS errors out to the application was to add them as public credentials of the Subject.