Is there a way to make the HTTP 401 message exactly the same whether the inputted user name exists or not? Currently there are 2 different responses:
If the user name exists, and the password is invalid:
HTTP Status 401 - Authentication failed for , please make sure the credentials are correct
If the user name is not valid (2nd attempt with an invalid user name):
HTTP Status 401 - Invalid User Name
This is being flagged as "user name enumeration" in our security penetration tests since a hacker could exploit this to see which user names are valid in our Thingworx system.
Are you using a custom login or the default login from the browser?
We are using the default login -- the one that you get if you navigate to /Thingworx/Composer/index.html or any other similar URL. The browser pops up a standard basic auth login dialog, and then gives one of the above error messages if you cancel the dialog. Detailed Tomcat error messages are turned off, but we had the same issue when they were turned on.
This is a known error that has been reported to R&D.
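For readers wanting to see the defect described in this thread in code, the following is an added illustration; it is not Thingworx code and was not posted by anyone in the thread. It shows a login routine with the same two distinct 401 messages the question quotes (`login_leaky`) next to one that always returns the same failure message and does the same password-hashing work whether or not the user exists (`login_uniform`), so neither the body nor the response time tells the caller which user names are valid. The user store, the user `alice` and the password are constructed for the example; the hashing scheme (PBKDF2-HMAC-SHA256 with a per-user salt) is an assumption, not how Thingworx stores credentials.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed parameters for the example; the real system's scheme may differ.
ITERATIONS = 100_000
# One fixed message for every failed attempt, so the body never reveals whether
# the user name was known.
GENERIC_FAILURE = (401, "Authentication failed, please make sure the credentials are correct")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store for the example: username -> (salt, digest).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
}

# A throwaway credential that unknown-user requests are checked against, so the
# unknown-user path costs the same as the wrong-password path (no timing tell).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(32).hex())


def login_leaky(username: str, password: str) -> Tuple[int, str]:
    """Reproduces the behaviour from the thread: two different 401 bodies."""
    record = USERS.get(username)
    if record is None:
        # Short-circuits before any hashing and names the cause: enumerable.
        return 401, "Invalid User Name"
    salt, expected = record
    _, actual = hash_password(password, salt)
    if not hmac.compare_digest(actual, expected):
        return 401, f"Authentication failed for {username}, please make sure the credentials are correct"
    return 200, "OK"


def login_uniform(username: str, password: str) -> Tuple[int, str]:
    """Same status, same body and same work regardless of whether the user exists."""
    record = USERS.get(username)
    # Fall back to the dummy credential so the hash is always computed.
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    _, actual = hash_password(password, salt)
    # Always run the comparison; only grant access when the user is real AND the digest matches.
    matched = hmac.compare_digest(actual, expected)
    if record is None or not matched:
        return GENERIC_FAILURE
    return 200, "OK"


def responses_indistinguishable(login, known_user: str, unknown_user: str) -> bool:
    """True when a wrong password for a real user and any password for an
    unknown user yield an identical (status, body) pair."""
    return login(known_user, "not-the-password") == login(unknown_user, "not-the-password")


if __name__ == "__main__":
    print("leaky   :", responses_indistinguishable(login_leaky, "alice", "mallory"))
    print("uniform :", responses_indistinguishable(login_uniform, "alice", "mallory"))
```

The `responses_indistinguishable` check is the kind of assertion a defender can keep in an integration test against a staging login endpoint, so a regression back to per-cause messages is caught before a penetration test flags it again. Note that the log on the server side can still record the specific cause; only the response sent to the client needs to be uniform.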