Red Hat Bugzilla – Bug 815838
No explanation when user cannot log in due to missing role
Last modified: 2012-05-16 19:46:14 EDT
Description of problem:
If I use wrong credentials to log into jBPM console, the login dialog displays a red error message saying "Authentication failed. Please try again:". However, if I don't have the role required to access the console, no error explaining why I cannot log in is displayed.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. set up a user (user:password) with no roles assigned (gwt-console-server component requires administrator, manager or user roles by default)
2. access jbpm-console and use correct credentials (user:password) to log in
No response. The login dialog does not change (you cannot log in) but no error description is displayed.
An error description should be presented to the user to let him know why the login attempt was unsuccessful (something like "You have successfully authenticated but you don't have sufficient privilege to access this console. Please, contact the administrator.").
For security reasons we should not display to the user why the logon failed; instead we could make a server log entry with the suggested message so that the administrator is able to trace it.
Will that be enough?
This is not a security issue. I'm a legal user with valid credentials, but still I cannot log in. The response should explain that
1) my credentials are OK so that I know there is no typo and no need to retry (I have successfully authenticated)
2) I'm just not allowed to enter (someone hasn't granted me the required privilege = I'm not authorized)
Giving this information doesn't pose any security concerns in my opinion.
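The distinction argued in the comments above (authentication failed versus authenticated but not authorized) is easy to get wrong in a single login handler, so here is an added example of the decision logic. It is illustrative Python written for this page, not code from bpm-console, gwt-console-server or the linked pull request; the in-memory user store, the password hashing and the `login()` function are assumptions, and the role names are the three the bug report says the console requires by default. The authentication branch returns the same message for an unknown username and a wrong password (and hashes a dummy entry so both paths cost the same), while the authorization branch returns the explanatory message the reporter asked for and also writes the server log entry the developer suggested, so both positions in the thread are served.

```python
import hashlib
import hmac
import logging
import os
from enum import Enum

# Roles that the console accepts by default, per the bug report.
CONSOLE_ROLES = frozenset({"administrator", "manager", "user"})

log = logging.getLogger("console.login")


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the work factor is a placeholder for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_user(password: str, roles) -> tuple:
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt), frozenset(roles))


# Constructed in-memory user store (username -> (salt, hash, roles)).
# It stands in for the console's user/role configuration; it is not the real store.
USERS = {
    "admin": _make_user("admin-secret", {"administrator"}),
    "user": _make_user("password", set()),  # the bug's reproducer: valid credentials, no roles
}

# Dummy entry used for unknown usernames so that the unknown-user path does the same
# amount of hashing as the wrong-password path.
_DUMMY = _make_user("dummy", set())


class LoginOutcome(Enum):
    # The message the login dialog already shows for bad credentials (from the report).
    AUTH_FAILED = "Authentication failed. Please try again:"
    # The message the reporter proposed for the authenticated-but-unauthorized case.
    NOT_AUTHORIZED = ("You have successfully authenticated but you don't have sufficient "
                      "privilege to access this console. Please, contact the administrator.")
    OK = "Login successful."


def login(username: str, password: str, required_roles=CONSOLE_ROLES) -> LoginOutcome:
    """Authenticate first, then authorize; report the two failures differently."""
    salt, expected, roles = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, salt)
    authenticated = username in USERS and hmac.compare_digest(candidate, expected)
    if not authenticated:
        # One message for both unknown user and wrong password: the form must not
        # reveal which usernames exist. The detail goes to the server log only.
        log.warning("authentication failed for %r", username)
        return LoginOutcome.AUTH_FAILED
    if not (roles & required_roles):
        # The caller has proven they hold the password, so telling them they lack a
        # role discloses nothing a stranger could use; it does stop them retrying a
        # password that is already correct. Logged as well, so an administrator can trace it.
        log.warning("user %r authenticated but holds none of %s (has %s)",
                    username, sorted(required_roles), sorted(roles))
        return LoginOutcome.NOT_AUTHORIZED
    log.info("user %r logged in with roles %s", username, sorted(roles))
    return LoginOutcome.OK


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for creds in (("user", "password"), ("user", "wrong"), ("nobody", "password"), ("admin", "admin-secret")):
        print(creds[0], "->", login(*creds).value)
```

The check a practitioner should keep in mind is that only the authorization branch may be chatty: the authentication branch must stay uniform in wording and in timing, which is why the unknown-user path still runs the hash against a dummy record.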
pull request available at: https://github.com/bpmc/bpm-console/pull/18
shall this be merged into both master and 2.3.x?
(In reply to comment #3)
> pull request available at: https://github.com/bpmc/bpm-console/pull/18
> shall this be merged into both master and 2.3.x?
On master, definitely. 2.3.x is unsure, as the blocker status is still undecided.
This is a bad user experience. Since the issue is already resolved, lets pull it into the build.
merged into master and 2.3.x
The fix for this issue should be included in ER7. Please verify it there.
Fix verified in ER7.