Bug 1150586 - On first login attempt, LDAP user remains on login screen without any message when - Enable Login Without Roles=No and there is no mapping between JON roles and LDAP groups.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: UI, Security
Version: JON 3.3.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ER05
: JON 3.3.0
Assignee: Jirka Kremser
QA Contact: Sunil Kondkar
Jared MORGAN
Keywords: Reopened
Blocks: JON3-39
Reported: 2014-10-08 13:09 UTC by Sunil Kondkar
Modified: 2015-08-10 01:24 UTC (History)
Last Closed: 2014-12-11 14:02:56 UTC



Description Sunil Kondkar 2014-10-08 13:09:23 UTC
Description of problem:

When Enable Login Without Roles = No (logins are not allowed for users not assigned to any role) and LDAP user is not mapped to any JON roles, the LDAP user's first login to JON GUI refreshes the screen and user remains on the login screen without any message.

User is registered to JON behind the screen on the first attempt but remains unaware of this.

(After this, if user logs in as rhqadmin, the LDAP user can be seen listed in Administration->Users list.)

The second attempt to login shows the message in UI "The username or password provided does not match our records. Please, fill in the fields again." with below stack trace in server log:

ERROR [org.rhq.enterprise.gui.authentication.AuthenticateUserAction] (http-/0.0.0.0:7080-1) Could not log into the web application: org.rhq.enterprise.server.exception.LoginException: There are no preconfigured roles for user [vijay]

The second LDAP user login attempt provides the message to user, however, as there is no message to user on first attempt, there might be confusion as he remains on the login page without message.

Version-Release number of selected component (if applicable):

Version : 3.3.0.ER04
Build Number :	99d2107:d7c537e
LDAP : Windows server 2008 Active directory

How reproducible:

Always

Steps to Reproduce:

1. The system setting 'Enable Login Without Roles' in UI has value 'No'
2. There is mapping between JON roles and LDAP groups
3. Try to login as ldap user 'vijay'
4. The login screen refreshes, without any message.
5. Try second attempt of login with same user.
6. The second attempt to login shows the message in UI "The username or password provided does not match our records.
Please, fill in the fields again."

Actual results:

When Enable Login Without Roles = No and LDAP user is not mapped to any JON roles, in the first LDAP login attempt, there is no message to user and he remains on the login screen, and gets the message on second attempt. 

Expected results:

A message to LDAP user on first login attempt.

Additional info:

Comment 1 Sunil Kondkar 2014-10-08 14:13:43 UTC
Sorry about the mistake in 2nd step in Steps to Reproduce:
The second step is:
2. There is no mapping between JON roles and LDAP groups.

Comment 2 Jirka Kremser 2014-10-08 15:13:19 UTC
Although it looks easy, it would be too much of an effort to fix this little issue without completely changing the workflow used for logging in and using LDAP and subsequent registration.

The logic behind it works as expected, there was no requirement to notify the user about the circumstances.

Thus, I am closing this bug.

Comment 3 Larry O'Leary 2014-10-17 01:24:49 UTC
Re-opening this as this is a usability issue. The requirement does clearly state that upon first login attempt that the warning message indicating the user is not authorized be displayed.

Comment 4 Heiko W. Rupp 2014-10-17 08:37:15 UTC
I partially agree with Larry. JON3-39 says:

"If he doesn't, JON blocks it redirecting the user back to the login page with a warn message (e.g.: "Your user account doesn't have permission to access JON"). If user does have the roles, just login him normally."

The requirement is not as I understand to only show this on 1st login attempt only, so the existing workflow could stay, but would need to additionally print the message.

Comment 5 Jirka Kremser 2014-10-17 10:28:55 UTC
To be clear, what it does right now is:

User without any role trying to login to JON where it is not allowed to login without a role is not allowed to login :)

The information that is displayed in this case is "The username or password provided does not match our records." (i.e. standard wrong credentials message we display). In JON3-39 Larry suggests displaying "Your user account doesn't have permission to access JON". This is the only difference, the message.

During the developer demo, everyone was fine with that. I can look into that, but to me it isn't worth the effort, because it would require some refactoring.

Comment 6 Larry O'Leary 2014-10-17 14:10:23 UTC
Perhaps some context has been left out. As for the message, the requirement is that an invalid login warning is displayed. The message itself was only a suggestion. After further discussion, it was decided that the invalid user/password -- standard login failure -- message is what we should display.

The reason this BZ has been re-opened is due to the fact that the failure message MUST be displayed on every login attempt including the first one.

Comment 7 Jirka Kremser 2014-10-17 16:10:06 UTC
I missed the fact that there is no message during the very first attempt. Here is the fix:

branch:  master
link:    https://github.com/rhq-project/rhq/commit/adc7dabe5
time:    2014-10-17 18:07:14 +0200
commit:  adc7dabe5caaf85c807d58ce0cbebd086106d33f
author:  Jirka Kremser - jkremser@redhat.com
message: [BZ 1150586] - On first login attempt, LDAP user remains on login screen
         without any message when - Enable Login Without Roles=No and
         there is no mapping between JON roles and LDAP groups. -
         Displaying the generic error message for the first attempt as
         well. Also disabling the login button, during the login
         procedure, because login using LDAP takes some time and we
         don't want users to click on the button invoking another
         checks.

Comment 8 Jirka Kremser 2014-10-17 17:35:44 UTC
branch:  release/jon3.3.x
link:    https://github.com/rhq-project/rhq/commit/bc5515002
time:    2014-10-17 19:26:53 +0200
commit:  bc55150027b8a7760e1984c65c581d94accba611
author:  Jirka Kremser - jkremser@redhat.com
message: [BZ 1150586] - On first login attempt, LDAP user remains on login screen
         without any message when - Enable Login Without Roles=No and
         there is no mapping between JON roles and LDAP groups. -
         Displaying the generic error message for the first attempt as
         well. Also disabling the login button, during the login
         procedure, because login using LDAP takes some time and we
         don't want users to click on the button invoking another
         checks.

         (cherry picked from commit
         adc7dabe5caaf85c807d58ce0cbebd086106d33f) Signed-off-by: Jirka
         Kremser <jkremser@redhat.com>

Comment 9 Simeon Pinder 2014-10-21 20:24:04 UTC
Moving to ON_QA as available to test with the latest brew build:
https://brewweb.devel.redhat.com//buildinfo?buildID=394734

Comment 10 Sunil Kondkar 2014-10-27 10:54:42 UTC
Verified on Version :JON 3.3.0.ER05 Build Number : 92b6d6a:2cdb528

When Enable Login Without Roles = No and LDAP user is not mapped to any JON roles, in the first LDAP login attempt, UI displays the message "The username or password provided does not match our records. Please, fill in the fields again." Verified that Login button is disabled until the message is displayed in UI.
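
Added example, not part of the bug thread and not RHQ code: a simplified Python model of the login path discussed above, in which the first successful LDAP authentication registers the account but a user with no roles is still rejected, and every rejection (first attempt included) returns the same generic message while the specific reason goes only to the server log. `LoginService`, `handle_login_form`, `demo` and the sample user data are hypothetical names and constructed values.

```python
import hmac
from dataclasses import dataclass, field

# Message text quoted in the bug report; shown for every rejected login.
GENERIC_FAILURE = ("The username or password provided does not match our records. "
                   "Please, fill in the fields again.")


class LoginException(Exception):
    """Any rejected login; the specific reason stays in the server log."""


@dataclass
class LoginService:
    # All fields are constructed stand-ins, not RHQ types.
    ldap_passwords: dict            # username -> password held by the directory
    role_mappings: dict             # username -> roles derived from LDAP groups
    allow_login_without_roles: bool = False   # 'Enable Login Without Roles'
    registered: set = field(default_factory=set)
    server_log: list = field(default_factory=list)

    def _reject(self, reason):
        self.server_log.append(reason)
        return LoginException(reason)

    def login(self, username, password):
        expected = self.ldap_passwords.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise self._reject(f"LDAP authentication failed for user [{username}]")
        # A first successful LDAP authentication registers the account.
        self.registered.add(username)
        roles = self.role_mappings.get(username, set())
        if not roles and not self.allow_login_without_roles:
            # Registration happened above, but the attempt is still rejected.
            raise self._reject(f"There are no preconfigured roles for user [{username}]")
        return roles


def handle_login_form(service, username, password):
    """Return the UI response; every rejection path yields the same message."""
    try:
        service.login(username, password)
    except LoginException:
        return {"logged_in": False, "message": GENERIC_FAILURE}
    return {"logged_in": True, "message": ""}


def demo():
    svc = LoginService({"vijay": "s3cret"}, role_mappings={})  # constructed data
    first = handle_login_form(svc, "vijay", "s3cret")
    second = handle_login_form(svc, "vijay", "s3cret")
    wrong = handle_login_form(svc, "vijay", "bad")
    return first, second, wrong, svc
```
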

