Bug 1212185
| Summary: | Login with user without predefined roles causes infinite redirect loop | | |
|---|---|---|---|
| Product: | [Retired] JBoss BPMS Platform 6 | Reporter: | Rajesh Rajasekaran <rrajasek> |
| Component: | BAM | Assignee: | David Gutierrez <dgutierr> |
| Status: | CLOSED EOL | QA Contact: | Gui Jospin <gjospin> |
| Severity: | high | Docs Contact: | Dawn Eisner <deisner> |
| Priority: | high | | |
| Version: | 6.0.3 | CC: | alazarot, dgutierr, kverlaen, mbaluch, mshirley, rrajasek, vhalbert |
| Target Milestone: | CR1 | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1209565 | Environment: | |
| Last Closed: | 2020-03-27 20:06:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1209565 | | |
| Bug Blocks: | 1209560, 1220522 | | |
| Attachments: | | | |
Comment 2
David Gutierrez
2015-05-05 15:01:43 UTC
Given the comment above I am setting this BZ as MODIFIED. I did some preliminary testing with EAP 6.4 and Tomcat and it's working fine (no more redirect loops). Will test with other containers when we have received this fix in the next rollup patch.

I tested this with all containers we certify 6.1.1 against. The redirect issue has been resolved for the following containers:

- EAP 6.4
- EWS 2 (Tomcat 7)
- EWS 3 (Tomcat 8)
- Oracle WebLogic

However, the fix is NOT working on IBM WebSphere. The behavior is as follows: after entering the problematic user credentials (= correct username & password, but the user doesn't have any of the 5 predefined Business Central roles, only some unrelated role), instead of the login error page (which we want) the following stack trace appears (full stack trace in attachment).

The problem is that after the user reloads the page with a URL like `<hostname>:9080/dashbuilder`, this stack trace remains displayed and the login page is not reloaded. However, it can be worked around by typing `<hostname>:9080/dashbuilder/login.jsp` as the URL to make the login page appear again.
```
Error Page Exception
SRVE0260E: The server cannot use the error page specified for your application to handle the Original Exception printed below.
Original Exception:
Error Message: com.ibm.ws.security.web.WebSecurityException: AuthorizationFailed
Error Code: 403
Target Servlet:
Error Stack:
com.ibm.ws.security.web.WebSecurityException: AuthorizationFailed
at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:438)
at com.ibm.ws.webcontainer.collaborator.WebAppSecurityCollaboratorImpl.preInvoke(WebAppSecurityCollaboratorImpl.java:230)
at com.ibm.wsspi.webcontainer.collaborator.CollaboratorHelper.preInvokeCollaborators(CollaboratorHelper.java:432)
```

Created attachment 1028771
Error after entering problematic credentials on WebSphere

The good news is that the DV product is based on EAP. The current fix should be fair enough. The other thing is that on WebSphere, as far as I know, there is no known solution. If the user does not have any of the allowed roles then the security manager will complain with that error message. I do believe the only thing we can do is to document this corner case in the product documentation. Vikram - can you please put a note in the documentation? Thx!

Vikram, the issue itself is fixed and verified on 6.1.1. The fix has one limitation though, and that is described by David in comment #8. That's what I would like to ask you to document. Can we put a note somewhere into the documentation and remove this BZ from the known list? Thank you.

Marek, could this be set as VERIFIED?

Alessandro - Yes - moving to VERIFIED.
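The failure mode discussed in this bug is an authenticated principal that holds none of the roles the application gates on. The following servlet filter is an added illustration of one way an application can handle that case itself (it is not the product's fix and is not taken from this bug): it lets the login page through untouched, and when a logged-in user has no application role it ends the session and redirects to the login error page exactly once instead of bouncing between the protected URL and `login.jsp`. The filter class name, the five placeholder role names, and the `?error=no_role` query parameter are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical example (not the product's fix): a user who authenticated
 * successfully but holds none of the application roles is sent to the login
 * error page once, rather than being redirected in a loop.
 */
public class RoleGateFilter implements Filter {

    // Placeholder names: the bug refers to "5 predefined Business Central roles"
    // but does not list them, so these are assumed for the example.
    private static final Set<String> APP_ROLES = new HashSet<String>(
            Arrays.asList("admin", "analyst", "developer", "user", "manager"));

    private static final String LOGIN_PAGE = "/login.jsp";
    // Assumed error indicator; the page would render "no role assigned".
    private static final String ERROR_PAGE = "/login.jsp?error=no_role";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never gate the login page itself: redirecting an unauthorised user to a
        // page that is itself gated is exactly what produces the infinite loop.
        if (request.getServletPath().startsWith(LOGIN_PAGE)) {
            chain.doFilter(req, res);
            return;
        }

        if (request.getUserPrincipal() != null && !hasAnyAppRole(request)) {
            // Authenticated but not authorised for this application: drop the
            // session and the container principal so the next request starts
            // from the login page instead of re-entering this branch.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            request.logout(); // Servlet 3.0+; clears the container-side principal
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
            return;
        }

        chain.doFilter(req, res);
    }

    /** True if the principal holds at least one of the application roles. */
    static boolean hasAnyAppRole(HttpServletRequest request) {
        for (String role : APP_ROLES) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

A filter of this kind only runs after the container has already performed its own authorization for the URL. Where the container enforces a `web.xml` security constraint before dispatch, as the `EJSWebCollaborator.preInvoke` frame in the WebSphere stack trace above shows, the `403 AuthorizationFailed` is raised before any application code sees the request, which is consistent with the comment that there is no application-level workaround on that container beyond documenting the case.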