How to disable check username API

Document ID : KB000006497
Last Modified Date : 14/02/2018


http://<portal hostname>/register/check/username?username=admin


If a GET request is made to http://<portal hostname>/register/check/username?username=admin without any credentials, the portal returns the message:

"The name  admin is already in use, please choose something else"

This tells an attacker that the user exists, which the attacker can then exploit.


Disable this API using the following procedure:

1. In a browser, open http://<portal>/admin and log in using the admin account.

2. Click on workspace --> Content items --> System --> conf

3. Choose the edit button next to properties.xml

4. Change <Property name="disableCheckUsername" value="no" />

to

<Property name="disableCheckUsername" value="yes" />

5. Choose Save 

6. To publish this file, click on the green arrow next to properties.xml 

7. Restart the portal (service apiportal restart)


Now check http://<portal>/register/check/username?username=admin again.

The request will now return a "page cannot be displayed" error.
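
A repeatable version of the final check, as an added example that is not part of the original article or the product: it confirms that disableCheckUsername is set to "yes" in a saved copy of properties.xml and that the unauthenticated request no longer returns the "already in use" message. The <Properties> wrapper element, the availability of properties.xml as a local file, and the script name are assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Fragment of the message quoted in this article for an existing user name.
IN_USE_MARKER = "is already in use"

# Constructed samples: only the <Property> line comes from the article;
# the <Properties> wrapper element is an assumption about properties.xml.
SAMPLE_BEFORE = '<Properties><Property name="disableCheckUsername" value="no" /></Properties>'
SAMPLE_AFTER = '<Properties><Property name="disableCheckUsername" value="yes" /></Properties>'


def setting_is_disabled(properties_xml):
    """True only if disableCheckUsername is present and every copy is "yes"."""
    root = ET.fromstring(properties_xml)
    values = [p.get("value") for p in root.iter("Property")
              if p.get("name") == "disableCheckUsername"]
    return bool(values) and all(v == "yes" for v in values)


def fetch(url, timeout=5):
    """Unauthenticated GET. Returns the body, or "" if the request fails."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
    except OSError:  # connection refused, timeout, DNS failure, ...
        return ""


def endpoint_still_answers(base_url, username="admin", get=fetch):
    """True if the check still confirms the account without credentials."""
    query = urllib.parse.urlencode({"username": username})
    body = get(f"{base_url}/register/check/username?{query}")
    return IN_USE_MARKER in body


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name):
    #   python verify_check_username.py http://<portal hostname> properties.xml
    base, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        print("config disabled:", setting_is_disabled(fh.read()))
    print("endpoint still answers:", endpoint_still_answers(base))
```

Both results should agree after the restart: the setting reads as disabled and the endpoint no longer answers. A mismatch suggests the file was saved but not published, or the portal was not restarted.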