Bug 815838 - No explanation when user cannot log in due to missing role
Status: VERIFIED
Product: JBoss Enterprise BRMS Platform 5
Classification: JBoss
Component: jBPM Console
Version: BRMS 5.3.0.GA
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ER7
Assigned To: Maciej Swiderski
QA Contact: Jiri Locker
Reported: 2012-04-24 11:58 EDT by Jiri Locker
Modified: 2012-05-16 19:46 EDT

Doc Type: Bug Fix
Type: Bug
Description Jiri Locker 2012-04-24 11:58:43 EDT
Description of problem:
If I use wrong credentials to log into jBPM console, the login dialog displays a red error message saying "Authentication failed. Please try again:". However, if I don't have the role required to access the console, no error explaining why I cannot log in is displayed.

Version-Release number of selected component (if applicable):
ER6

How reproducible:
always

Steps to Reproduce:
1. set up a user (user:password) with no roles assigned (gwt-console-server component requires administrator, manager or user roles by default)
2. access jbpm-console and use correct credentials (user:password) to log in
  
Actual results:
No response. The login dialog does not change (you cannot log in) but no error description is displayed.

Expected results:
An error description should be presented to the user to let him know why the login attempt was unsuccessful (something like "You have successfully authenticated but you don't have sufficient privilege to access this console. Please, contact the administrator.").

Additional info:
Comment 1 Maciej Swiderski 2012-04-24 12:45:15 EDT
Due to security reasons we should not display to the user why logon failed, but instead we could make a server log entry with the suggested message to be able to trace that for the administrator.

Will that be enough?
Comment 2 Jiri Locker 2012-04-24 13:18:36 EDT
This is not a security issue. I'm a legal user with valid credentials, but still I cannot log in. The response should explain that

1) my credentials are OK so that I know there is no typo and no need to retry (I have successfully authenticated)
2) I'm just not allowed to enter (someone hasn't granted me the required privilege = I'm not authorized)

Giving this information doesn't pose any security concerns in my opinion.
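The distinction the reporter draws, as an added illustration that is not code from bpm-console or from the pull request discussed here: a login check that answers a wrong password with the generic message only, but tells a correctly authenticated user that the missing console role, not the credentials, is the problem, and also writes the server-side log entry proposed in comment 1. The class, the in-memory user store and the sample account are constructed for this example; a real deployment would take users and roles from JAAS.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.logging.Logger;

public class ConsoleLogin {
    // AUTH_FAILED says nothing about whether the username exists; NOT_AUTHORIZED is
    // only reachable once the password has been verified, so it leaks nothing new.
    public enum Result { OK, AUTH_FAILED, NOT_AUTHORIZED }
    private static final Logger LOG = Logger.getLogger(ConsoleLogin.class.getName());
    // Roles gwt-console-server accepts by default, as stated in the bug report.
    private static final Set<String> REQUIRED_ROLES = Set.of("administrator", "manager", "user");
    // Constructed in-memory user store (hypothetical; the real console delegates to JAAS).
    private final Map<String, byte[]> passwords = new HashMap<>();
    private final Map<String, Set<String>> roles = new HashMap<>();

    public void addUser(String name, String password, String... assignedRoles) {
        passwords.put(name, password.getBytes(StandardCharsets.UTF_8));
        roles.put(name, new HashSet<>(Arrays.asList(assignedRoles)));
    }

    public Result login(String name, String password) {
        byte[] stored = passwords.get(name);
        // Constant-time comparison so response timing does not reveal which usernames exist.
        boolean authenticated = stored != null
                && MessageDigest.isEqual(stored, password.getBytes(StandardCharsets.UTF_8));
        if (!authenticated) {
            LOG.warning("Authentication failed for user '" + name + "'");
            return Result.AUTH_FAILED;
        }
        Set<String> granted = roles.getOrDefault(name, Set.of());
        if (Collections.disjoint(granted, REQUIRED_ROLES)) {
            // Authenticated but not authorized: record it so an administrator can trace it.
            LOG.warning("User '" + name + "' authenticated but holds no console role; granted=" + granted);
            return Result.NOT_AUTHORIZED;
        }
        return Result.OK;
    }

    // Text the login dialog shows for each outcome.
    public static String messageFor(Result r) {
        if (r == Result.AUTH_FAILED) return "Authentication failed. Please try again:";
        if (r == Result.NOT_AUTHORIZED) return "You have successfully authenticated but you don't "
                + "have sufficient privilege to access this console. Please, contact the administrator.";
        return "";
    }

    public static void main(String[] args) {
        ConsoleLogin c = new ConsoleLogin();
        c.addUser("user", "password");                                // correct credentials, no roles
        System.out.println(messageFor(c.login("user", "password")));  // authenticated, not authorized
        System.out.println(messageFor(c.login("user", "wrong")));     // authentication failed
    }
}
```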
Comment 3 Maciej Swiderski 2012-04-25 10:12:14 EDT
pull request available at: https://github.com/bpmc/bpm-console/pull/18

shall this be merged into both master and 2.3.x?
Comment 4 Lukáš Petrovický 2012-04-25 10:28:27 EDT
(In reply to comment #3)
> pull request available at: https://github.com/bpmc/bpm-console/pull/18
> 
> shall this be merged into both master and 2.3.x?

On master, definitely. 2.3.x is unsure, as the blocker status is still undecided.
Comment 5 Prakash Aradhya 2012-04-30 12:12:27 EDT
This is a bad user experience. Since the issue is already resolved, let's pull it into the build.
Comment 6 Maciej Swiderski 2012-05-01 11:59:14 EDT
merged into master and 2.3.x
Comment 7 Ryan Zhang 2012-05-14 04:16:26 EDT
The fix for this issue should be included in ER7. Please do verification on it.
Comment 8 Jiri Locker 2012-05-15 07:34:15 EDT
Fix verified in ER7.