In some cases, when logging out of the Web Console, the console is partially rendered before logging in as another user. This leads to "mixed" content, where parts of the screen are rendered as if the old user were still logged in and other parts as if the new user were logged in.
This issue is not a security risk and no sensitive data will be revealed.
As a workaround, close the browser window (not just the active tab) and log in as the new user.
Created attachment 805824
Missing application reload
Description of problem:
Sometimes logging in right after logging out won't clear the UI cache properly: the UI looks like the previous user is still logged in. This issue might be related to the fix of BZ1010662; however, this time the previously authenticated user is logged out properly.
The issue seems to be a missing "application reload" after logout; reloading the page after login fixes the UI (see attachments).
Created attachment 805825
Application reloaded correctly
I don't understand the issue description. Several questions:
- What UI cache are you talking about?
- What "missing application reload" are you talking about?
- What should I see/understand when looking at the attached image?
Maybe you can elaborate on this?
Sorry for the vague information, this one is a bit tricky to describe and I wasn't able to find a 100% reliable reproducer. Let me try again.
Usually, after logout, the browser window is reloaded and the login screen looks like the screenshot "Application reloaded correctly"; after the new user is successfully authenticated, the whole application is loaded. However, what sometimes happens can be seen on the second screenshot, "Missing application reload", where the browser window was not reloaded and, after authentication, the user sees the application as it was displayed to the previous user.
Reproducer (take this more as an example)
1) login as administrator
2) navigate to some unrestricted resource page under profiles (e.g. Datasources)
3) logout (login page might look like on "Missing application reload" screenshot)
4) login as monitor
5) you might see some parts of the UI previously displayed to the administrator (e.g. the "Administration" tab in the navigation)
Heiko Braun <firstname.lastname@example.org> updated the status of jira HAL-245 to Resolved
UI is still not cleared properly
Steps to reproduce:
1) Log in as Administrator (or any other role)
2) Navigate to profiles and log out
3) Log in as Monitor (or any other role)
4) Leave and Re-visit Runtime section
5) Log out
6) The Welcome page is still rendered in the background of the auth dialog
7) Log in as Administrator again
8) Some UI elements were not reloaded - e.g. current user in top right corner
Heiko Braun <email@example.com> updated the status of jira HAL-245 to Reopened
Heiko Braun <firstname.lastname@example.org> made a comment on jira HAL-245
According to Jakub this problem still exists.
Could not reproduce testing on OSX with
- Chrome 31.0.1650.34 beta
- Firefox 24.0
- Safari 7.0 (9537.71)
On what browsers / OS did the error occur?
- Firefox 15
- Chrome 28.0.1500.95
I will try to reproduce this on RHEL and let you know.
The logout works in most browser / os combinations. However there are edge cases where the log out does not work as expected. Fixing the logout for those edge cases is just not possible for EAP 6.2.
The reason for this is that we're using digest authentication, which is under the control of the browser. The login is valid until the browser is closed. There are some ways and means to make the browser forget about digest authentications, but they're just workarounds which do not apply to all browser / OS combinations.
That is why I'd like to remove this as a blocker for EAP 6.2. Closing the browser window should be used as a workaround for those browser / os combinations where the logout does not work.
I suggest postponing the issue until https://issues.jboss.org/browse/HAL-96 is in place and we have full control over the authentication.
Can we at least detect that logout wasn't successful and show an information message? Or maybe show that message all the time -- we are depending on the browsers and they are complicated beasts...
Note that I don't really understand how these things are implemented in the console, so I'm more like thinking out loud here.
Actually, the logout is done on the server side by using all the recommended workarounds you'll find when you google for "logout digest authentication". What makes it even worse for the console is the fact that we're using async HTTP requests.
The bottom line is that there's just no reliable way to logout from digest authentication. The only true logout for digest authentication is to close the browser window (not just the active tab).
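The two comments above describe the mechanics without showing them. The following is an added example, not code from the EAP console or the HAL project: a toy model of RFC 2617 Digest authentication (algorithm=MD5, qop=auth) with a server that keeps only a nonce table and a browser that keeps a per-realm credential cache. It shows that the server "forgetting" the session does nothing, because the browser still holds the password and simply answers the fresh challenge, and that the client-side trick of overwriting the cache with bogus credentials is what actually ends the session. The class names, realm, URI and user/password pairs are constructed for this example; real browsers differ on whether an XHR with explicit credentials overwrites their cache, which is the portability problem described above.

```python
"""Why a server cannot reliably "log out" an HTTP Digest session (toy model).

ToyServer holds the only state a Digest server has, its nonce table.
ToyBrowser models the browser's per-realm credential cache, which lives
until the window is closed. Names, realm and credentials are constructed.
"""
import hashlib
import secrets


def md5_hex(s: str) -> str:
    # MD5 is mandated by Digest auth itself; it is not a choice made here.
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 section 3.2.2 response value for qop=auth, algorithm=MD5."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class ToyServer:
    REALM = "ManagementRealm"  # assumption; any realm string works

    def __init__(self, users):
        self.users = users             # username -> password (constructed)
        self.valid_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.valid_nonces.add(nonce)
        return {"status": 401, "nonce": nonce}

    def handle(self, method, uri, auth):
        """auth: Digest parameters from the Authorization header, or None."""
        if auth is None or auth["nonce"] not in self.valid_nonces:
            return self.challenge()
        password = self.users.get(auth["username"])
        if password is None:
            return self.challenge()
        expected = digest_response(auth["username"], self.REALM, password, method,
                                   uri, auth["nonce"], auth["nc"], auth["cnonce"])
        if expected != auth["response"]:
            return self.challenge()
        return {"status": 200, "user": auth["username"]}

    def logout(self):
        """Everything a Digest server can do on logout: forget every nonce."""
        self.valid_nonces.clear()


class ToyBrowser:
    def __init__(self):
        self.cached = None   # (username, password) remembered for the realm
        self.nc = 0

    def _authorization(self, method, uri, nonce):
        username, password = self.cached
        self.nc += 1
        nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
        return {"username": username, "nonce": nonce, "nc": nc, "cnonce": cnonce,
                "response": digest_response(username, ToyServer.REALM, password,
                                            method, uri, nonce, nc, cnonce)}

    def request(self, server, method, uri, creds_if_prompted=None):
        """One navigation: answer 401s from the cache, prompt only when it is empty."""
        auth = None
        for _ in range(3):
            resp = server.handle(method, uri, auth)
            if resp["status"] != 401:
                return resp
            if auth is not None:
                self.cached = None             # cached pair was rejected: drop it
            if self.cached is None:
                if creds_if_prompted is None:
                    return resp                # login dialog shown, user cancels
                self.cached, creds_if_prompted = creds_if_prompted, None
            auth = self._authorization(method, uri, resp["nonce"])
        return resp


USERS = {"administrator": "adm1n-pw", "monitor": "m0n1tor-pw"}   # constructed


def scenario_server_side_logout():
    """Server invalidates all nonces; the browser just answers the new challenge."""
    server, browser = ToyServer(dict(USERS)), ToyBrowser()
    before = browser.request(server, "GET", "/console", ("administrator", USERS["administrator"]))
    server.logout()
    after = browser.request(server, "GET", "/console")
    return before["user"], after["status"], after.get("user")


def scenario_poisoned_cache():
    """Client-side workaround: the logout XHR overwrites the cache with bogus
    credentials, so the next request fails and the user is prompted again."""
    server, browser = ToyServer(dict(USERS)), ToyBrowser()
    browser.request(server, "GET", "/console", ("administrator", USERS["administrator"]))
    browser.cached = ("logout", "bogus")       # assumed effect; browsers vary
    stale = browser.request(server, "GET", "/console")
    relogin = browser.request(server, "GET", "/console", ("monitor", USERS["monitor"]))
    return stale["status"], relogin["user"]


if __name__ == "__main__":
    print(scenario_server_side_logout())   # ('administrator', 200, 'administrator')
    print(scenario_poisoned_cache())       # (401, 'monitor')
```

The first scenario is the behaviour reported in this bug: after a server-side logout the browser transparently re-authenticates as the old user, so any UI that was not torn down keeps showing that user's role. The second scenario only works because the toy browser honours the overwritten cache; where a real browser ignores it, closing the window remains the only reliable logout.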
So the logout is successful, and anything the user sees with the new role will have the permissions of the new role enforced? So no security hole?
If so, then I think we can remove the blocker flag and release note the issue.
In some cases there are race conditions which lead to "mixed content". Mixed content in the sense that sometimes the header shows the old role, while the remaining part of the screen already uses the new role.
However, for me there are no security holes, because you have to log in at any rate before you can go on.
Created attachment 822381
Recording of this issue
Modified supplied Docs Text content and marked for inclusion in the 6.2 Release Notes document.
This bug cannot be fixed unless https://issues.jboss.org/browse/HAL-96 or a similar solution is in place.