Description of problem:

When Enable Login Without Roles = No (logins are not allowed for users not assigned to any role) and the LDAP user is not mapped to any JON roles, the LDAP user's first login to the JON GUI refreshes the screen and the user remains on the login screen without any message. User is registered to JON behind the screen on the first attempt but remains unknown about this. (After this, if user logs in as rhqadmin, the LDAP user can be seen listed in Administration->Users list.)

The second attempt to login shows the message in UI "The username or password provided does not match our records. Please, fill in the fields again." with below stack trace in server log:

ERROR [org.rhq.enterprise.gui.authentication.AuthenticateUserAction] (http-/0.0.0.0:7080-1) Could not log into the web application: org.rhq.enterprise.server.exception.LoginException: There are no preconfigured roles for user [vijay]

The second LDAP user login attempt provides the message to the user; however, as there is no message to the user on the first attempt, there might be confusion as he remains on the login page without a message.

Version-Release number of selected component (if applicable):

Version : 3.3.0.ER04
Build Number : 99d2107:d7c537e
LDAP : Windows server 2008 Active directory

How reproducible:

Always

Steps to Reproduce:

1. The system setting 'Enable Login Without Roles' in UI has value 'No'
2. There is mapping between JON roles and LDAP groups
3. Try to login as ldap user 'vijay'
4. The login screen refreshes, without any message.
5. Try second attempt of login with same user.
6. The second attempt to login shows the message in UI "The username or password provided does not match our records. Please, fill in the fields again."

Actual results:

When Enable Login Without Roles = No and LDAP user is not mapped to any JON roles, in the first LDAP login attempt, there is no message to the user and he remains on the login screen, and gets the message on the second attempt.

Expected results:

A message to LDAP user on first login attempt.

Additional info:
Sorry about the mistake in the 2nd step in Steps to Reproduce. The second step is:

2. There is no mapping between JON roles and LDAP groups.
Although it looks easy, it would be too much of an effort to fix this little issue without completely changing the workflow used for logging in and using LDAP and subsequent registration. The logic behind it works as expected; there was no requirement to notify the user about the circumstances. Thus, I am closing this bug.
Re-opening this as this is a usability issue. The requirement does clearly state that upon the first login attempt the warning message indicating the user is not authorized be displayed.
I partially agree with Larry. JON3-39 says:

"If he doesn't, JON blocks it redirecting the user back to the login page with a warn message (e.g.: "Your user account doesn't have permission to access JON"). If user does have the roles, just login him normally."

The requirement, as I understand it, is not to show this on the 1st login attempt only, so the existing workflow could stay, but would need to additionally print the message.
To be clear, what it does right now is: a user without any role trying to login to JON, where it is not allowed to login without a role, is not allowed to login :) The information that is displayed in this case is "The username or password provided does not match our records." (i.e. the standard wrong credentials message we display). In JON3-39 Larry suggests displaying "Your user account doesn't have permission to access JON". This is the only difference, the message. During the developer demo, everyone was fine with that. I can look into that, but to me it isn't worth the effort, because it would require some refactoring.
Perhaps some context has been left out. As for the message, the requirement is that an invalid login warning is displayed. The message itself was only a suggestion. After further discussion, it was decided that the invalid user/password -- standard login failure -- message is what we should display. The reason this BZ has been re-opened is due to the fact that the failure message MUST be displayed on every login attempt, including the first one.
I missed the fact that there is no message during the very first attempt. Here is the fix:

branch: master
link: https://github.com/rhq-project/rhq/commit/adc7dabe5
time: 2014-10-17 18:07:14 +0200
commit: adc7dabe5caaf85c807d58ce0cbebd086106d33f
author: Jirka Kremser - jkremser
message: [BZ 1150586] - On first login attempt, LDAP user remains on login screen without any message when - Enable Login Without Roles=No and there is no mapping between JON roles and LDAP groups. - Displaying the generic error message for the first attempt as well. Also disabling the login button, during the login procedure, because login using LDAP takes some time and we don't want users to click on the button invoking another checks.

branch: release/jon3.3.x
link: https://github.com/rhq-project/rhq/commit/bc5515002
time: 2014-10-17 19:26:53 +0200
commit: bc55150027b8a7760e1984c65c581d94accba611
author: Jirka Kremser - jkremser
message: [BZ 1150586] - On first login attempt, LDAP user remains on login screen without any message when - Enable Login Without Roles=No and there is no mapping between JON roles and LDAP groups. - Displaying the generic error message for the first attempt as well. Also disabling the login button, during the login procedure, because login using LDAP takes some time and we don't want users to click on the button invoking another checks. (cherry picked from commit adc7dabe5caaf85c807d58ce0cbebd086106d33f) Signed-off-by: Jirka Kremser <jkremser>
Moving to ON_QA as available to test with the latest brew build: https://brewweb.devel.redhat.com//buildinfo?buildID=394734
Verified on

Version : JON 3.3.0.ER05
Build Number : 92b6d6a:2cdb528

When Enable Login Without Roles = No and LDAP user is not mapped to any JON roles, in the first LDAP login attempt, UI displays the message "The username or password provided does not match our records. Please, fill in the fields again."

Verified that Login button is disabled until the message is displayed in UI.
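
The login behaviour discussed in this report, modelled as an added example (not RHQ/JON code and not taken from the linked commits): every refused attempt, including the first one that registers the LDAP user, returns the same generic message, while the specific reason goes only to the server log. `LoginService`, `report_first_attempt`, the sample directory and the ordering that produces the silent first attempt are assumptions made for illustration.

```python
import logging

log = logging.getLogger("login-model")

GENERIC_ERROR = ("The username or password provided does not match our records. "
                 "Please, fill in the fields again.")

# Constructed sample data: one LDAP account whose groups map to no role.
LDAP_DIRECTORY = {"vijay": "s3cret"}   # username -> password (simulated LDAP bind)
LDAP_ROLES = {"vijay": []}             # roles derived from LDAP group mappings


class LoginService:
    """Hypothetical model of the login flow described in this report."""

    def __init__(self, allow_login_without_roles=False, report_first_attempt=True):
        self.allow_login_without_roles = allow_login_without_roles
        # False reproduces the behaviour as reported (silent first attempt).
        self.report_first_attempt = report_first_attempt
        self.registered = set()        # LDAP users already known locally

    def login(self, username, password):
        """Return (logged_in, message_for_ui)."""
        if LDAP_DIRECTORY.get(username) != password:
            log.warning("bad credentials for [%s]", username)
            return False, GENERIC_ERROR
        first_attempt = username not in self.registered
        self.registered.add(username)  # registration happens behind the scenes
        if LDAP_ROLES.get(username) or self.allow_login_without_roles:
            return True, None
        if first_attempt and not self.report_first_attempt:
            return False, None         # as reported: screen refreshes, no message
        # The specific reason stays server-side; the UI gets the generic text.
        log.error("There are no preconfigured roles for user [%s]", username)
        return False, GENERIC_ERROR


def attempt_twice(service, username="vijay", password="s3cret"):
    """Replay the two login attempts from the steps to reproduce."""
    return [service.login(username, password) for _ in range(2)]


if __name__ == "__main__":
    print("as reported:", attempt_twice(LoginService(report_first_attempt=False)))
    print("after fix:  ", attempt_twice(LoginService()))
```
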