Fixed. The solution consists of logging out the unauthorized session created by the app server for an authenticated user who does not have the required roles.
(master) https://github.com/droolsjbpm/dashboard-builder/commit/a76e005119aca968a770651e6e290fb0e7402510
(6.2.x) https://github.com/droolsjbpm/dashboard-builder/commit/3d1dec304a0c41764396fd5c54f53bc27436b4a1
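The pattern the comment above describes (an authenticated user who holds none of the application's roles gets logged out instead of bounced between the login page and the protected URL) can be sketched as a servlet filter. This is an added illustration, not code from dashboard-builder's commits; the filter class, the role names and the error page path are assumptions, and it relies on the Servlet 3.0 HttpServletRequest.logout() API available on EAP 6.4 and Tomcat 7/8.

```java
// Hypothetical servlet filter (added example, not the project's own fix).
// Assumption: the container has already authenticated the user, but the
// application additionally requires one of a fixed set of roles. Redirecting
// such a user back to the login page produces a loop, because the container
// considers the login already satisfied. Instead, the filter drops the
// container session and forwards to an explicit error page.
package example;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class RoleGateFilter implements Filter {

    // Hypothetical role names; the product's five real roles are not listed on the page.
    private static final List<String> ALLOWED_ROLES = Arrays.asList("admin", "user", "manager");

    // Hypothetical path of the page that explains the login error (assumed).
    private static final String LOGIN_ERROR_PAGE = "/login-error.jsp";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    // True when the container reports the user in at least one allowed role.
    static boolean hasAnyAllowedRole(HttpServletRequest req) {
        for (String role : ALLOWED_ROLES) {
            if (req.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Not authenticated yet (the container will challenge), or authorized: pass through.
        if (req.getUserPrincipal() == null || hasAnyAllowedRole(req)) {
            chain.doFilter(request, response);
            return;
        }

        // Authenticated but holding none of the allowed roles: end the container
        // session so the next request is treated as anonymous, then show the error
        // page directly rather than redirecting to the login URL (which would loop).
        req.logout();                              // Servlet 3.0: clears the principal
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        req.getRequestDispatcher(LOGIN_ERROR_PAGE).forward(req, resp);
    }
}
```

The filter only gets a chance to run if the container's own authorization lets the request reach the web application. When the URL is covered by a web.xml auth-constraint that the user does not satisfy, the container rejects the request with 403 before any filter executes, which is the situation the later WebSphere comments in this thread describe.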
Given the comment above, I am setting this BZ as MODIFIED.
I did some preliminary testing with EAP 6.4 and Tomcat and it's working fine (no more redirect loops). Will test with other containers when we have received this fix in the next rollup patch.
I tested this with all containers we certify 6.1.1 against. The redirect issue has been resolved for the following containers:
- EAP 6.4
- EWS 2 (Tomcat 7)
- EWS 3 (Tomcat 8)
- Oracle WebLogic

However, the fix is NOT working on IBM WebSphere. The behavior is as follows: after entering the problematic user credentials (= correct username & password, but the user doesn't have any of the 5 predefined Business Central roles, he only has some unrelated role), instead of the login error page (which we want) the following stacktrace appears (full stacktrace in attachment). The problem is that after the user reloads the page with a URL like <hostname>:9080/dashbuilder, this stacktrace remains displayed and the login page is not reloaded. However, it can be worked around by typing <hostname>:9080/dashbuilder/login.jsp as the URL to make the login page appear again.

-----------
Error Page Exception
SRVE0260E: The server cannot use the error page specified for your application to handle the Original Exception printed below.
Original Exception:
Error Message: com.ibm.ws.security.web.WebSecurityException: AuthorizationFailed
Error Code: 403
Target Servlet:
Error Stack:
com.ibm.ws.security.web.WebSecurityException: AuthorizationFailed
  at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:438)
  at com.ibm.ws.webcontainer.collaborator.WebAppSecurityCollaboratorImpl.preInvoke(WebAppSecurityCollaboratorImpl.java:230)
  at com.ibm.wsspi.webcontainer.collaborator.CollaboratorHelper.preInvokeCollaborators(CollaboratorHelper.java:432)
Created attachment 1028771: Error after entering problematic credentials on WebSphere
The good news is that the DV product is based on EAP, so the current fix should be fair enough. The other thing is that on WebSphere, as far as I know, there is no known solution. If the user does not have any of the allowed roles, then the security manager will complain with that error message. I do believe the only thing we can do is to document this corner case in the product documentation.
Vikram, can you please put a note in the documentation? Thx!
Vikram, the issue itself is fixed and verified on 6.1.1. The fix has one limitation though, and that is described by David in comment #8. That's what I would like to ask you to document. Can we put a note somewhere in the documentation and remove this BZ from the known list? Thank you.
Marek, could this be set as VERIFIED?
Alessandro, yes, moving to VERIFIED.