Bug 781153 (SOA-3652)

Summary: User cannot login to JUDDI Console under certain conditions
Product: [JBoss] JBoss Enterprise SOA Platform 5
Component: jUDDI - within SOA
Version: 5.2.0 GA
Reporter: Joshua Wulf <jwulf>
Assignee: Nobody <nobody>
CC: kevin.conner, tcunning
Status: NEW
Severity: high
Priority: high
URL: http://jira.jboss.org/jira/browse/SOA-3652
Type: Bug
Doc Type: Bug Fix
Doc Text:
In some instances, users are unable to login to the jUDDI console. This occurs when a user attempts to log into the console without having the JBossAdmin role. As a result, they cannot log into the jUDDI console until the server is restarted, even once they have been assigned the JBossAdmin role.

Description Joshua Wulf 2011-12-02 05:21:10 UTC
Steps to Reproduce: To demonstrate this:

1. Create four users:

   soa-users.properties:

     user1=user1
     user2=user2
     user3=user3
     user4=user4

2. Give them the following roles:

   soa-roles.properties:

     user1=JBossAdmin
     user2=user,JBossAdmin
     user3=user
     user4=user

3. Start the server:
     ./run.sh

4. Go to 127.0.0.1:8080/uddi-console

5. Log in as user1/user1
   Result: Successful login
     Rule: User with JBossAdmin role is allowed to log in.

6. Log out as user1, and log in as user2/user2
   Result: Successful login
     Rule: User with JBossAdmin role is allowed to log in.

7. Log out as user2, and log in as user3/user3
   Result: Denied login
     Rule: User without JBossAdmin role is not allowed to log in.

8. Edit soa-roles.properties, and change the user4 line to:
     user4=user,JBossAdmin

9. Use an incognito window (because the console seems to cache something that stops you from logging in). Log in as user4/user4
   Result: Successful login
     Rule: User who has JBossAdmin role added is allowed to log in.

10. Log out as user4. Edit soa-roles.properties and change the user3 line to:
     user3=user,JBossAdmin

11. Log in as user3/user3.
   Result: Denied login.
     Rule: User who has JBossAdmin role added but has been denied login for lack of role since the server was started is not allowed to log in.

Observation: 10 and 11 are like 8 and 9, except that user3 has previously attempted to log in without the JBossAdmin role, whereas user4 had not.

12. Log in as user4/user4.
   Result: Successful login
     Rule: User who has JBossAdmin role added is allowed to log in.

13. Edit soa-roles.properties and change the user4 line to:
     user4=user

14. Log out as user4.

15. Log in as user4/user4.
   Result: Denied login.
     Rule: User who does not have the JBossAdmin role is not allowed to log in.

16. Edit soa-roles.properties and change the user4 line to:
     user4=user,JBossAdmin

17. Log in as user4/user4
   Result: Denied login.
     Rule: User who has JBossAdmin role added but has been denied login for lack of role since the server was started is not allowed to log in.

18. Restart the server.

19. Log in as user4/user4
   Result: Successful login.
Workaround Description: Restart the server.
project_key: SOA

The JUDDI Console requires a user to have the role JBossAdmin to log in.

Users can be granted the JBossAdmin role while the server is running. However, if a user attempts to log in to the JUDDI Console without having the JBossAdmin role, then they will be unable to log in to the JUDDI Console even when they are assigned the JBossAdmin role, until the server is restarted.

1. User roles can be removed from a user while the server is running
2. User roles can be added to a user while the server is running
3. Attempting to add the JBossAdmin role to a user who has had a failed login to the JUDDI Console does not allow the user to log in to the JUDDI Console until the server is restarted.

The current behaviour seems like a bug.

Comment 1 Kevin Conner 2011-12-02 17:14:17 UTC
This may have more to do with the caching in the JaasSecurityManager than anything specific to the uddi-console.  Was this disabled before the test was run?

The configuration is in conf/jboss-service.xml and, by default, stores the credentials from a successful login for 30 minutes.
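For readers checking the cache Comment 1 points at, this is the shape of the JaasSecurityManagerService entry in conf/jboss-service.xml. It is an added illustration based on the JBoss AS 5 layout, not text from this bug or from the SOA Platform distribution, and the attribute names and the 1800-second default are assumed to match the SOA-P 5.2 build:

```xml
<!-- conf/jboss-service.xml: the JBoss security manager service.
     Added illustration; attribute names and values are the JBoss AS 5
     defaults, assumed (not verified here) to match SOA-P 5.2. -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
  <attribute name="SecurityManagerClassName">
    org.jboss.security.plugins.JaasSecurityManager
  </attribute>
  <!-- Seconds a successful login (the Subject and the roles resolved at
       that moment) stays cached: 1800 = the 30 minutes noted in Comment 1.
       If the cache is the cause, a role added in soa-roles.properties is
       not seen for a user whose cached entry has not yet expired.
       0 disables the cache so every request re-authenticates; only
       appropriate for testing, since it reruns the login module each time. -->
  <attribute name="DefaultCacheTimeout">1800</attribute>
  <!-- Seconds between sweeps for expired cache entries. -->
  <attribute name="DefaultCacheResolution">60</attribute>
</mbean>
```

For a one-off check without editing the file, the same mbean exposes a flushAuthenticationCache(securityDomain) operation in the JMX console (operation name as in JBoss AS 5, assumed unchanged here); flushing the console's security domain after editing soa-roles.properties, then retrying step 11, would show whether the denial is cache-driven.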

Comment 2 Joshua Wulf 2012-02-03 03:18:14 UTC
It was a stock installation of the SOA Platform with no other post-install modifications than the ones documented above.

We were investigating the post-installation workflow and user experience.

Comment 3 Suz 2012-06-15 03:25:04 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
In some instances, users are unable to login to the jUDDI console. This occurs when a user attempts to log into the console without having the JBossAdmin role. As a result, they cannot log into the jUDDI console until the server is restarted, even once they have been assigned the JBossAdmin role.