Configuration of the account expiration error message
WebSEAL returns an error message to a user when a login attempt fails. The message is conveyed through the ERROR macro contained in the appropriate account management page returned to the user. The generic error message ("Login failed") applies to a variety of situations where the user has supplied authentication information that is not valid, such as an incorrect user name or password.
We can use the account-expiry-notification stanza entry in the [acnt-mgt] stanza of the WebSEAL configuration file to control whether additional information is revealed in the error message when the login failure is due to an expired account.
The default "no" setting allows only the generic error message ("Login failed") to be returned when the user login fails due to an expired user account:
[acnt-mgt]
account-expiry-notification = no
A "yes" setting for the account-expiry-notification stanza entry allows a more detailed error message to be returned when the user login fails due to an expired user account. This more detailed error message ("Account expired") indicates the exact reason for the failure (an expired account):
[acnt-mgt]
account-expiry-notification = yes
Note: The "Account expired" message implies that the correct user name is being used. This level of information might be considered a security exposure in some environments.
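The following added example (not part of the WebSEAL documentation) audits configuration text for this setting, so that a "yes" value can be caught in a configuration review. The helper names, the sample text, the [example-other] stanza, and the handling of "#" comment lines and duplicate entries are assumptions made for illustration.

```python
import re

STANZA = "acnt-mgt"
ENTRY = "account-expiry-notification"

# Constructed sample input, not taken from a real WebSEAL configuration file.
SAMPLE_CONF = """\
[example-other]
account-expiry-notification = yes

[acnt-mgt]
# reveal the expiry reason on failed logins
account-expiry-notification = yes
"""

def find_entry(conf_text, stanza=STANZA, entry=ENTRY):
    """Return [(line_number, value)] for each occurrence of entry in stanza."""
    hits, current = [], None
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if sep and current == stanza and key.strip() == entry:
            hits.append((number, value.strip()))
    return hits

def audit(conf_text):
    """Return (status, lines): 'exposed' if any occurrence is yes, else 'generic'."""
    hits = find_entry(conf_text)
    # Assumption: the value is compared case-insensitively; every occurrence is
    # checked because this sketch does not know which duplicate would win.
    exposed = [number for number, value in hits if value.lower() == "yes"]
    if exposed:
        return ("exposed", exposed)
    # Entry absent or set to "no": only the generic "Login failed" is returned.
    return ("generic", [number for number, _ in hits])

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

The same entry name under a different stanza is ignored, because only the [acnt-mgt] stanza controls this behavior.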