[Twisted-Python] enterprise.dbcred.DatabaseAuthorizer

Justin Ryan justin at gnubia.net
Sat Apr 26 12:23:14 EDT 2003


> Maybe you want to produce more detailed errors about why the auth failed. I.e. when
> you have several services and a user isn't subscribed to one of them you'll
> get an "unknown user" error. I think you should get a different error saying
> something about "service subscription" if the user is subscribed to other
> services on the same server.

This is an arguable point..

Consider, from a security standpoint, that an attacker is trying to
brute-force your server.  A 'service subscription' error says 'you have
correctly guessed a username, but are attempting to access the wrong
service'.  Having a valid username is much closer to a username/password
pair than not having a valid username.. ;p

Perhaps it should be configurable to behave both ways.

-Justin
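The username-enumeration oracle Justin describes, as an added example that is not part of the thread and not Twisted's enterprise.dbcred code: a toy authorizer with a hypothetical `detailed` switch (the "configurable" behaviour he suggests), and a probe showing what a brute-forcer learns from the error text alone. The credential table, salt, service names and the `no-such-user-7f3a` baseline probe are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo credential table. This is an illustrative authorizer, not
# Twisted's enterprise.dbcred.DatabaseAuthorizer; names and layout are assumptions.
_SALT = b"demo-salt"   # constructed; a real store keeps a per-user salt
_ITER = 50_000


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)


USERS = {
    "alice": {"hash": _derive("s3cret"),  "services": {"mail", "news"}},
    "bob":   {"hash": _derive("hunter2"), "services": {"mail"}},
}

# Compared against when the username is unknown, so the time taken does not
# itself reveal whether the lookup found a row.
_DUMMY_HASH = _derive("")

GENERIC = "authentication failed"


class AuthError(Exception):
    pass


def authorize(username, password, service, detailed=False):
    """Return the username on success; raise AuthError otherwise.

    detailed=False (default): every failure reports GENERIC, so an unknown
    user, a missing subscription and a wrong password are indistinguishable.
    detailed=True: the behaviour the quoted request asks for; each reason gets
    its own message, which also tells the caller whether the username exists.
    """
    record = USERS.get(username)
    stored = record["hash"] if record is not None else _DUMMY_HASH
    # Always do the comparison, even when the user is unknown (see _DUMMY_HASH).
    password_ok = hmac.compare_digest(_derive(password), stored)

    if record is None:
        raise AuthError("unknown user" if detailed else GENERIC)
    if service not in record["services"]:
        raise AuthError(
            f"user not subscribed to service {service!r}" if detailed else GENERIC
        )
    if not password_ok:
        raise AuthError("bad password" if detailed else GENERIC)
    return username


def failure_message(username, password, service, detailed=False):
    """Error text a client would see, or None if the login succeeded."""
    try:
        authorize(username, password, service, detailed=detailed)
    except AuthError as exc:
        return str(exc)
    return None


def enumerate_users(candidates, service, detailed):
    """What an attacker with no passwords learns from error text alone.

    First probe a name that certainly does not exist to learn the baseline
    "unknown user" response, then flag every candidate whose response differs.
    With detailed=False every probe returns GENERIC and nothing is learned.
    """
    baseline = failure_message("no-such-user-7f3a", "x", service, detailed)
    return {
        name for name in candidates
        if failure_message(name, "definitely-wrong", service, detailed) != baseline
    }


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("detailed errors leak:", enumerate_users(names, "news", detailed=True))
    print("generic errors leak: ", enumerate_users(names, "news", detailed=False))
```

Note that in detailed mode `bob`, who exists but is not subscribed to `news`, is confirmed through the subscription message before his password is ever tested; that is exactly the "closer to a username/password pair" step Justin is pointing at. The `_DUMMY_HASH` comparison is a separate caveat the post does not raise: a uniform message is not enough if the unknown-user path returns measurably faster.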
