Community Tip - Want the oppurtunity to discuss enhancements to PTC products? Join a working group! X
Is there a way to make the HTTP 401 message exactly the same whether the inputted user name exists or not? Currently there are 2 different responses:
If the user name exists, and the password is invalid:
HTTP Status 401 - Authentication failed for , please make sure the credentials are correct
If the user name is not valid:
2nd attempt with invalid user name:
HTTP Status 401 - Invalid User Name
This is being flagged as "user name enumeration" in our security penetration tests since a hacker could exploit this to see which user names are valid in out Thingworx system.
Are you using a custom login or the default login from the browser?
We are using the default login -- the one that you get if you navigate to /Thingworx/Composer/index.html or any other similar url. The browser pops up a standard basic auth login dialog, and then gives one of the above error messages if you cancel the dialog. Detailed Tomcat error messages are turned off, but we had the same issue when they were turned on.
This is a known error that has been reported to R&D