Initially I was reading up on exception handling in Java. I went through some suggestions such as don't use a custom exception if there is already a well-defined exception in the JDK, and don't use custom exceptions to handle workflow. I agree with these points and they are absolutely right. Now I was thinking of how to handle this scenario. It is quite straightforward: user login.
1. username does not exist
2. password wrong
These will be known in the DAO layer, and I have to populate useful information up to the controller layer (ultimately), let the controller know what was going on, and display useful hints in the view.
When I was first learning Java I did it like this (this is pseudocode):

```java
if (userNotExist) {
    throw new UserNotExistException();
}
if (passwordWrong) {
    throw new PasswordWrongException();
}
```
Is this good practice? If not, how should it be done properly?
Assuming some code higher up the stack is catching the exceptions and displaying useful information, there’s no problem with this general approach.
HOWEVER, for security exceptions in this case, it is wise to NOT distinguish between these two conditions in the message to the user. If you tell the user which one is wrong, this information can be used to probe for valid users.
The response returned to the user for either condition should be “Authentication Failed”. That way you have not given away any useful information (that the user exists, for instance).
Note that internally you may want to discriminate the cases for logging purposes. Just don’t tell the user which one occurred.
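The approach described in this answer, written out as an added example (it is not code from the question or the answer): the DAO layer still knows whether the user was missing or the password was wrong, the service logs that distinction for operators, but the only exception that reaches the controller is a single `AuthenticationFailedException` whose message is the same in both cases. The `UserDao`, `AuthService` and `LoginDemo` classes, the in-memory user table and the sample credentials are all constructed for this example. SHA-256 stands in for a proper password hash (bcrypt, scrypt or Argon2) only to keep the file self-contained; comparing against a fixed dummy hash when the user does not exist is an added measure so that both failure paths do the same amount of work, which keeps the timing of the two responses alike as well as the message.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

// The only exception the controller ever sees. Its message deliberately
// says nothing about which check failed.
class AuthenticationFailedException extends Exception {
    AuthenticationFailedException() {
        super("Authentication Failed");
    }
}

// Hypothetical DAO backed by an in-memory map (constructed sample data,
// not a real user store).
class UserDao {
    private final Map<String, byte[]> passwordHashes = new HashMap<>();

    UserDao() {
        passwordHashes.put("alice", AuthService.hash("correct horse"));
    }

    // Returns null when the user does not exist.
    byte[] findPasswordHash(String username) {
        return passwordHashes.get(username);
    }
}

class AuthService {
    private static final Logger LOG = Logger.getLogger(AuthService.class.getName());
    // Compared against when the user is unknown, so the "no such user" path
    // performs the same hash-and-compare work as the "wrong password" path.
    private static final byte[] DUMMY_HASH = hash("dummy-password-never-valid");
    private final UserDao dao;

    AuthService(UserDao dao) {
        this.dao = dao;
    }

    // SHA-256 is a stand-in for a real password-hashing function (assumption
    // made to keep the example dependency-free).
    static byte[] hash(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    void login(String username, String password) throws AuthenticationFailedException {
        byte[] stored = dao.findPasswordHash(username);
        boolean userExists = stored != null;
        byte[] expected = userExists ? stored : DUMMY_HASH;
        // MessageDigest.isEqual compares the two arrays in constant time.
        boolean passwordOk = MessageDigest.isEqual(expected, hash(password));

        if (!userExists || !passwordOk) {
            // Internal log keeps the distinction for operators and incident
            // review; the caller only gets the generic exception.
            LOG.warning("login failed for '" + username + "': "
                    + (userExists ? "wrong password" : "unknown user"));
            throw new AuthenticationFailedException();
        }
        LOG.info("login succeeded for '" + username + "'");
    }
}

public class LoginDemo {
    public static void main(String[] args) {
        AuthService auth = new AuthService(new UserDao());
        // Constructed attempts: one success, one wrong password, one unknown user.
        String[][] attempts = {
            {"alice", "correct horse"},
            {"alice", "wrong"},
            {"bob", "anything"}
        };
        for (String[] a : attempts) {
            try {
                auth.login(a[0], a[1]);
                System.out.println(a[0] + ": OK");
            } catch (AuthenticationFailedException e) {
                // The controller displays the same text for both failure causes.
                System.out.println(a[0] + ": " + e.getMessage());
            }
        }
    }
}
```

Running `LoginDemo` prints `alice: OK` for the first attempt and `Authentication Failed` for the other two, while the logger output records "wrong password" for the second and "unknown user" for the third. The controller never has to choose between two exception types, so there is no way for a view template to accidentally leak the distinction.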