Description of problem:
When logging in as a user without the 'overlorduser' role, the standard HTTP error page is displayed.

Version-Release number of selected component (if applicable):
6.0.0.ER4

How reproducible:
100%

Steps to Reproduce:
1. create a new user in overlord-idp-users.properties
2. start the server
3. try to log in as the defined user
4. default HTTP error page is displayed

Actual results:
default HTTP error page is displayed

Expected results:
Error msg similar to when logging in with a bad password

Additional info:
JBWEB000065: HTTP Status 403 - JBWEB000015: Access to the requested resource has been denied
JBWEB000309: type JBWEB000067: Status report
JBWEB000068: message JBWEB000015: Access to the requested resource has been denied
JBWEB000069: description JBWEB000123: Access to the specified resource has been forbidden.
JBoss Web/7.2.0.Final-redhat-1
Interestingly, I tried this on FSW6 ER4 and in the community edition of s-ramp (running on EAP 6.1), and in both cases I get an empty white page in the browser, with the following picketlink error on the console:

JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.RuntimeException: PLFED000092: Null Value: Destination is null

Along with a stack trace triggered by:

at org.picketlink.identity.federation.web.util.PostBindingUtil.sendPost (PostBindingUtil.java:101)

Andrej - can you confirm that you get a standard 403 web page (screenshot it for me?) and confirm the version of picketlink in your EAP?
Update: if I update EAP 6.1's picketlink from 2.1.6.Final to 2.1.8.Final, then the stack trace goes away and I get the expected default JBoss 403 error page. Anil pointed me to this: https://issues.jboss.org/browse/PLINK2-82 It may or may not be helpful. I will fix this issue by creating appropriate 403 handlers in the Overlord web applications, but picketlink will need to be patched for those pages to get hit.
I added reasonable 403 error pages to all of the Overlord web apps (gadget server, dtgov, s-ramp). It won't refresh the login screen, but will rather show a static 403 page with a link to let the user log out. Again, these pages won't show up unless a patched version of picketlink is being used. If picketlink 2.1.6.Final is being used, then a blank white page will likely show up instead.
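As an added illustration of the kind of 403 handler described in the comment above (this is example configuration, not the Overlord project's own web.xml), the following Servlet 3.0 deployment-descriptor fragment maps the container's 403 response to a static page shipped with the application. The page location /403.html and the logout link using PicketLink's GLO=true query parameter are assumptions for the example. The practical point is the one visible in the bug's "Additional info": without such a mapping the container's default page is served, and that page discloses the JBoss Web version string, whereas a static application page shows the user a plain "forbidden" message and a way to log out without revealing server details.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's own descriptor.
     Servlet 3.0 web.xml for an EAP 6.1 web application. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Route HTTP 403 (authenticated but not authorized) to a static page
       instead of the container's default status report, which prints the
       "JBoss Web/..." version banner seen in the bug report. -->
  <error-page>
    <error-code>403</error-code>
    <location>/403.html</location>   <!-- assumed path; a static file in the WAR -->
  </error-page>

  <!-- Only users holding the application role reach protected content;
       anyone else gets the 403 mapped above. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>overlorduser</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>overlorduser</role-name>
  </security-role>

  <!-- /403.html itself would hold a short message plus a logout link such as
       <a href="?GLO=true">Log out</a>; GLO=true is PicketLink's global-logout
       trigger and its use here is an assumption of this example. -->
</web-app>
```

Note that, as the comment says, this mapping is only reached once PicketLink itself stops throwing PLFED000092 on the unauthorized request; with picketlink 2.1.6.Final the container aborts the request before the error-page dispatch happens, and the blank page is what the user sees.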
Created attachment 809151 [details] 403 page
I swear that yesterday the 403 page was displayed every time... Today I found out:

1. start server
2. log in as a user without the 'overlorduser' role

Will result in a blank page without 403 and an exception in the console, but:

1. start server
2. log in as admin (has 'overlord' user role)
3. log out admin
4. immediately log in as a user without the 'overlorduser' role

Will display a 403 page without an exception in the console.

My EAP's picketlink version is 2.1.6.Final.
Ok great, thanks for the additional comments. I think this confirms that the full solution to this issue requires a patch to picketlink.
Hi, verified on ER7-2