Tightening UI message security
By default, the template messages expose information to the end user about the existence and validity of a user account, as well as other status information. The default messages make initial system familiarization and testing easier. Depending on the production deployment environment and the security policy in place, the exposure of this extra information can be easily limited by modifying the error messages accordingly. This prevents brute-force style attacks that probe for valid user accounts (user enumeration), at the expense of user friendliness.
Default template messages:

USER_NOT_FOUND = The user was not found
USER_NOT_IDENTIFIED = Cannot identify user
ACCOUNT_DISABLED = The user account is disabled
ACCOUNT_LOCKED = The user account is locked
ACCOUNT_INVALID = The user account is invalid
ACCOUNT_EXPIRED = The user account has expired
INVALID_CREDENTIALS = Invalid credentials

Modified messages that give the same response regardless of account state:

USER_NOT_FOUND = The provided credentials are invalid.
USER_NOT_IDENTIFIED = The provided credentials are invalid.
ACCOUNT_DISABLED = The provided credentials are invalid.
ACCOUNT_LOCKED = The provided credentials are invalid.
ACCOUNT_INVALID = The provided credentials are invalid.
ACCOUNT_EXPIRED = The provided credentials are invalid.
INVALID_CREDENTIALS = The provided credentials are invalid.
Similar modifications can be made to all authentication method messages, according to the security policy needs of the deployment. Such modifications should be made to all localized versions, e.g., custom/messages/errors_<locale>.properties, as well as to the system default messages in custom/messages/errors.properties.
For user support, an error code number appended to the end of each localized message can help support staff identify error situations quickly without revealing the cause to the end user. In the example below, the same message in two languages carries the same error code, so support staff can identify the error in a multi-language user environment.
ACCOUNT_LOCKED = The provided credentials are invalid. [ERR0001]
ACCOUNT_LOCKED = Tunnistustiedot olivat väärät. [ERR0001]
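The two properties of a tightened message set described above (every account-state key shows the same user-facing text, and the [ERRnnnn] code for a given key is identical in every locale file) are easy to regress when a locale file is edited later. The following added check, which is not part of the product or its documentation, parses .properties text and reports keys whose message would still reveal account state and keys whose error code differs between the default file and a localized one. The sample file contents are constructed for this example; the per-key code numbers and the deliberately wrong code in the Finnish sample are assumptions, not values from the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Keys whose messages reveal account state when they differ (the page's example set).
AUTH_FAILURE_KEYS = [
    "USER_NOT_FOUND", "USER_NOT_IDENTIFIED", "ACCOUNT_DISABLED",
    "ACCOUNT_LOCKED", "ACCOUNT_INVALID", "ACCOUNT_EXPIRED", "INVALID_CREDENTIALS",
]

# Trailing support code of the form " [ERR0001]" (format taken from the page's example).
ERROR_CODE_RE = re.compile(r"\s*\[(ERR\d{4})\]\s*$")

# Constructed sample: the default template messages before tightening.
DEFAULT_TEMPLATE = """
USER_NOT_FOUND = The user was not found
USER_NOT_IDENTIFIED = Cannot identify user
ACCOUNT_DISABLED = The user account is disabled
ACCOUNT_LOCKED = The user account is locked
ACCOUNT_INVALID = The user account is invalid
ACCOUNT_EXPIRED = The user account has expired
INVALID_CREDENTIALS = Invalid credentials
"""

# Constructed sample: tightened errors.properties with one code per key (codes are assumed).
TIGHTENED_DEFAULT = """
# same text for every key; the code lets support staff tell the cases apart
ACCOUNT_LOCKED = The provided credentials are invalid. [ERR0001]
USER_NOT_FOUND = The provided credentials are invalid. [ERR0002]
USER_NOT_IDENTIFIED = The provided credentials are invalid. [ERR0003]
ACCOUNT_DISABLED = The provided credentials are invalid. [ERR0004]
ACCOUNT_INVALID = The provided credentials are invalid. [ERR0005]
ACCOUNT_EXPIRED = The provided credentials are invalid. [ERR0006]
INVALID_CREDENTIALS = The provided credentials are invalid. [ERR0007]
"""

# Constructed sample: errors_fi.properties; ACCOUNT_EXPIRED deliberately carries the wrong code.
TIGHTENED_FI = """
ACCOUNT_LOCKED = Tunnistustiedot olivat väärät. [ERR0001]
USER_NOT_FOUND = Tunnistustiedot olivat väärät. [ERR0002]
ACCOUNT_EXPIRED = Tunnistustiedot olivat väärät. [ERR0009]
INVALID_CREDENTIALS = Tunnistustiedot olivat väärät. [ERR0007]
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: 'KEY = value' lines; '#'/'!' comments and blanks skipped.
    (Escapes and ':' separators of the full Java format are not handled.)"""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_code(message: str) -> Tuple[str, Optional[str]]:
    """Split 'text [ERR0001]' into ('text', 'ERR0001'); code is None if absent."""
    m = ERROR_CODE_RE.search(message)
    if not m:
        return message.strip(), None
    return message[: m.start()].strip(), m.group(1)


def distinct_messages(props: Dict[str, str], keys: List[str] = AUTH_FAILURE_KEYS) -> List[str]:
    """User-visible texts (code stripped) for the given keys; a tightened file yields one."""
    return sorted({split_code(props[k])[0] for k in keys if k in props})


def leaking_keys(props: Dict[str, str], keys: List[str] = AUTH_FAILURE_KEYS) -> List[str]:
    """Keys whose text differs from INVALID_CREDENTIALS, i.e. would reveal account state."""
    baseline = split_code(props.get("INVALID_CREDENTIALS", ""))[0]
    return [k for k in keys if k in props and split_code(props[k])[0] != baseline]


def code_mismatches(default_props: Dict[str, str], locale_props: Dict[str, str],
                    keys: List[str] = AUTH_FAILURE_KEYS) -> List[str]:
    """Keys present in both files whose [ERRnnnn] code differs between them."""
    return [
        k for k in keys
        if k in default_props and k in locale_props
        and split_code(default_props[k])[1] != split_code(locale_props[k])[1]
    ]


if __name__ == "__main__":
    default = parse_properties(TIGHTENED_DEFAULT)
    print("leaks in template:", leaking_keys(parse_properties(DEFAULT_TEMPLATE)))
    print("leaks in tightened:", leaking_keys(default))
    print("code mismatches (fi):", code_mismatches(default, parse_properties(TIGHTENED_FI)))
```

Run against the real files, the same checks give a quick confirmation after any edit to custom/messages/errors.properties or an errors_<locale>.properties file that the uniform wording and the shared error codes have survived.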