Bug 1014048

Summary: RBAC: Log in right after log out won't clear UI properly in domain mode
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Jakub Cechacek <jcechace>
Component: Web Console
Assignee: Harald Pehl <hpehl>
Status: CLOSED CANTFIX
QA Contact: Jakub Cechacek <jcechace>
Severity: urgent
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.2.0
CC: brian.stansberry, dosoudil, hpehl, jcechace, jdoyle, jkudrnac, lcosti, lthon, myarboro, pm-jboss, smumford
Target Milestone: Pending
Target Release: TBD EAP 7
Hardware: Unspecified
OS: Unspecified
Doc Type: Known Issue
Doc Text:
In some cases, when logging out of the Web Console, the console is partially rendered before logging in as another user. This leads to "mixed" content where parts of the screen are rendered as if the old user were logged in and parts of the screen as if the new user were logged in. This issue is not a security risk and no sensitive data will be revealed. As a workaround, close the browser window (not just the active tab) and log in as the new user.
Story Points: ---
Last Closed: 2014-03-05 14:36:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments:
- Missing application reload (flags: none)
- Application reloaded correctly (flags: none)
- screencast (flags: none)

Description Jakub Cechacek 2013-10-01 10:19:59 UTC
Created attachment 805824 [details]
Missing application reload

Description of problem:
Sometimes logging in right after logging out won't clear the UI cache properly - the UI looks like the previous user is still logged in. This issue might be related to the fix of BZ1010662; however, this time the previously authenticated user is logged out properly.

The issue seems to be a missing "application reload" after logout; reloading the page after login fixes the UI (see attachments).

Comment 1 Jakub Cechacek 2013-10-01 10:20:40 UTC
Created attachment 805825 [details]
Application reloaded correctly

Comment 2 Heiko Braun 2013-10-02 13:53:33 UTC
I don't understand the issue description. Several questions:

- What UI cache are you talking about? 
- What "missing application reload" are you talking about?
- What should I see/understand when looking at the attached image?

Maybe you can elaborate on this?

Comment 3 Jakub Cechacek 2013-10-02 17:27:11 UTC
Sorry for the vague information, this one is a bit tricky to describe and I wasn't able to find a 100% reliable reproducer. Let me try again.


Usually after logout the browser window is reloaded and the login screen looks like the one in the screenshot "Application reloaded correctly"; after the new user is successfully authenticated the whole application is loaded. However, what sometimes happens can be seen on the second screenshot, "Missing application reload", where the browser window was not reloaded and after authentication the user will see the application as it was displayed to the previous user.


Reproducer (take this more as an example)

1) login as administrator
2) navigate to some unrestricted resource page under profiles (e.g. Datasources)
3) logout (login page might look like on "Missing application reload" screenshot)
4) login as monitor 
5) you might see some parts of UI previously displayed to administrator (e.g. "Administration" tab in navigation)

Comment 4 JBoss JIRA Server 2013-10-04 09:07:50 UTC
Heiko Braun <ike.braun> updated the status of jira HAL-245 to Resolved

Comment 7 Jakub Cechacek 2013-10-08 10:17:06 UTC
UI is still not cleared properly

Steps to reproduce:

1) Log in as Administrator (or any other role)
2) Navigate to profiles and log out
3) Log in as Monitor (or any other role)
4) Leave and Re-visit Runtime section 
5) Log out 
6) Welcome page is still rendered in the background of auth dialog 
7) Log in as Administrator again 
8) Some UI elements were not reloaded - e.g. current user in top right corner

Comment 8 JBoss JIRA Server 2013-10-08 12:34:19 UTC
Heiko Braun <ike.braun> updated the status of jira HAL-245 to Reopened

Comment 9 JBoss JIRA Server 2013-10-08 12:34:19 UTC
Heiko Braun <ike.braun> made a comment on jira HAL-245

According to Jakub this problem still exists.

Comment 10 JBoss JIRA Server 2013-10-09 06:55:44 UTC
Heiko Braun <ike.braun> updated the status of jira HAL-245 to Resolved

Comment 11 JBoss JIRA Server 2013-10-09 09:46:32 UTC
Heiko Braun <ike.braun> updated the status of jira HAL-245 to Reopened

Comment 12 Harald Pehl 2013-10-25 13:03:15 UTC
Could not reproduce testing on OSX with
- Chrome 31.0.1650.34 beta
- Firefox 24.0
- Safari 7.0 (9537.71)


On what browsers / OS did the error occur?

Comment 13 Jakub Cechacek 2013-10-29 14:43:57 UTC
Fedora 19
- Firefox 15
- Chrome 28.0.1500.95

I will try to reproduce this on RHEL and let you know.

Comment 14 Harald Pehl 2013-10-29 23:15:30 UTC
The logout works in most browser / os combinations. However there are edge cases where the log out does not work as expected. Fixing the logout for those edge cases is just not possible for EAP 6.2. 

The reason is that we're using digest authentication, which is under the control of the browser. The login is valid until the browser is closed. There are some ways and means to make the browser forget about digest authentication, but they're just workarounds which do not apply to all browser / OS combinations.

That is why I'd like to remove this as a blocker for EAP 6.2. Closing the browser window should be used as a workaround for those browser / os combinations where the logout does not work.

I suggest to postpone the issue until https://issues.jboss.org/browse/HAL-96 is in place and we have full control over the authentication.

Comment 15 Ladislav Thon 2013-10-30 07:25:24 UTC
Can we at least detect that logout wasn't successful and show an information message? Or maybe show that message all the time -- we are depending on the browsers and they are complicated beasts...

Note that I don't really understand how these things are implemented in the console, so I'm more like thinking out loud here.

Comment 16 Harald Pehl 2013-10-30 09:01:18 UTC
Actually the logout is done on the server side by using all the recommended workarounds you'll find when you google for "logout digest authentication". What makes it even worse for the console is the fact that we're using async HTTP requests.

The bottom line is that there's just no reliable way to logout from digest authentication. The only true logout for digest authentication is to close the browser window (not just the active tab).

Comment 17 John Doyle 2013-10-30 19:35:51 UTC
So the logout is successful, and anything the user sees with the new role will have the permissions of the new role enforced?  So no security hole?

If so, then I think we can remove the blocker flag and release note the issue.

Comment 18 Harald Pehl 2013-10-30 19:50:20 UTC
In some cases there are race conditions which lead to "mixed content". Mixed content in the sense that sometimes the header shows the old role, while the remaining part of the screen already uses the new role.

However, for me there are no security holes because you have to log in at any rate before you can go on.
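The race described in this comment, and the async requests mentioned in comment 16, can be replayed deterministically: a response that belongs to the previous user's session lands after the next user has logged in and repaints one region of the screen. The example below is added here and is not the console's code; the transport, the roles and the URLs are constructed, and the `GuardedConsole` shows one general mitigation (stamp each request with a session epoch and drop responses from an earlier epoch) that the page does not claim the console implements.

```javascript
// Added example, not code from the console: how a late asynchronous response
// belonging to the previous user can paint "mixed content" (old role in the
// header, new role elsewhere), and how stamping requests with a session epoch
// and discarding stale responses prevents it. Roles and URLs are constructed.

// In-memory transport: requests stay pending until the caller completes them,
// in whatever order it chooses, which lets us replay the race deterministically.
class FakeTransport {
  constructor() { this.pending = []; }
  request(url, onResponse) {
    const handle = { url, onResponse };
    this.pending.push(handle);
    return handle;
  }
  complete(handle) {
    this.pending = this.pending.filter((p) => p !== handle);
    handle.onResponse(fakeServer(handle.url));
  }
}

// Constructed server: answers based on the role encoded in the request.
function fakeServer(url) {
  const role = new URL(url, 'http://console.invalid').searchParams.get('role');
  return url.startsWith('/whoami') ? role : `${role} navigation`;
}

// Naive console: applies every response that arrives, whoever requested it.
class NaiveConsole {
  constructor(transport) { this.t = transport; this.screen = { header: '', body: '' }; }
  login(role) {
    return [
      this.t.request(`/whoami?role=${role}`, (r) => { this.screen.header = r; }),
      this.t.request(`/nav?role=${role}`, (r) => { this.screen.body = r; }),
    ];
  }
  logout() { this.screen = { header: '', body: '' }; }
}

// Guarded console: each request remembers the epoch it was issued in; logout
// and login advance the epoch, so responses from an earlier epoch are dropped.
class GuardedConsole {
  constructor(transport) {
    this.t = transport;
    this.epoch = 0;
    this.dropped = 0;
    this.screen = { header: '', body: '' };
  }
  guard(apply) {
    const issued = this.epoch;
    return (r) => { if (issued === this.epoch) apply(r); else this.dropped += 1; };
  }
  login(role) {
    this.epoch += 1;
    return [
      this.t.request(`/whoami?role=${role}`, this.guard((r) => { this.screen.header = r; })),
      this.t.request(`/nav?role=${role}`, this.guard((r) => { this.screen.body = r; })),
    ];
  }
  logout() { this.epoch += 1; this.screen = { header: '', body: '' }; }
}

// Replay the race described in the bug: the first user's header request is
// slow and lands after the second user has logged in.
function replay(ConsoleImpl) {
  const t = new FakeTransport();
  const ui = new ConsoleImpl(t);
  const [adminHeader, adminBody] = ui.login('Administrator');
  t.complete(adminBody);          // body arrives, header is still in flight
  ui.logout();
  const [monitorHeader, monitorBody] = ui.login('Monitor');
  t.complete(monitorHeader);
  t.complete(monitorBody);
  t.complete(adminHeader);        // the stale response finally arrives
  return { ...ui.screen, dropped: ui.dropped || 0 };
}
```

`replay(NaiveConsole)` ends with the header reading `Administrator` above a `Monitor navigation` body, which is exactly the mixed screen from the screenshots; `replay(GuardedConsole)` keeps `Monitor` in both regions and counts one dropped response. The epoch check is independent of how the authentication itself works, so it remains useful even after the digest-authentication limitation is gone.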

Comment 20 Jakub Cechacek 2013-11-11 12:36:17 UTC
Created attachment 822381 [details]
screencast

Recording of this issue

Comment 21 Scott Mumford 2013-12-02 01:47:37 UTC
Modified supplied Docs Text content and marked for inclusion in the 6.2 Release Notes document.

Comment 22 Harald Pehl 2014-03-05 14:36:00 UTC
This bug cannot be fixed unless https://issues.jboss.org/browse/HAL-96 or a similar solution is in place.