Details
Bug
Resolution: Timed out
Low
2.5.0, 2.6.0
None
Severity 3 - Minor
Description
We have code that goes:
if (!isPasswordCorrect()) {
    throw new IOException("password was incorrect");
}
But isPasswordCorrect can return false for more reasons than that. It logs the specific reason at debug level.
Instead, it should throw the specific exception itself so that the user can see exactly what's going wrong. This sort of error should never be logged to debug.
The method is SSLUtils.isCorrectKeystorePassword.
It is called in two places: from the WebServer and from EditServerSettingsAction, where it is used for validation. The validation XML has the same problem: it has an "incorrect password" message regardless of why the method returned false.
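A sketch of the change requested above, as an added example rather than the project's own SSLUtils code: the check returns normally or throws the specific cause, so callers no longer collapse every failure into "incorrect password". The names KeystoreCheck and verifyKeystorePassword are hypothetical, and the wrong-password test relies on the documented KeyStore.load behaviour of wrapping an UnrecoverableKeyException in the IOException.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;

public final class KeystoreCheck {

    /** Hypothetical replacement for a boolean check: throws the specific reason instead of returning false. */
    public static void verifyKeystorePassword(Path keystore, char[] password, String type)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type); // KeyStoreException: unsupported keystore type
        try (InputStream in = Files.newInputStream(keystore)) { // missing file or no read permission
            ks.load(in, password);
        } catch (IOException e) {
            // KeyStore.load documents that a wrong password surfaces as an
            // IOException whose cause is UnrecoverableKeyException.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                throw new UnrecoverableKeyException("Keystore password is incorrect for " + keystore);
            }
            throw e; // anything else (I/O error, corrupt or wrong format) keeps its own type and message
        }
    }

    // Prints the exception type and message a caller would show; never echoes the password.
    private static void report(Path keystore, char[] password) {
        try {
            verifyKeystorePassword(keystore, password, "PKCS12");
            System.out.println("ok: " + keystore.getFileName());
        } catch (IOException | GeneralSecurityException e) {
            System.out.println(e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an empty PKCS12 keystore written to a temp file.
        char[] good = "constructed-sample-password".toCharArray();
        Path file = Files.createTempFile("sample", ".p12");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, good); }

        report(file, good);                               // correct password
        report(file, "wrong".toCharArray());              // wrong password
        report(file.resolveSibling("missing.p12"), good); // keystore file does not exist
        Files.delete(file);
    }
}
```

A validation layer can then choose its message from the exception type instead of using one fixed "incorrect password" string.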