[https://issues.apache.org/jira/browse/QPID-7062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15144802#comment-15144802]
Keith Wall commented on QPID-7062:
----------------------------------
Changes committed under QPID-7028.
With regard to 'hiding' the login.html page when non-username/password
authenticators are in use, I think dispatcher forwards offer a neat way to
achieve this. If the Http Management module was a traditional web-app (rather
than using Jetty's API to programmatically build the webapp), the login.html and
logout.html pages could be moved beneath WEB-INF so they are inaccessible to
client requests. The UsernamePasswordInteractiveLogin would then dispatcher-
forward to these resources, rather than client-side redirect. As we are
planning to move the webapp to use web fragments soon, I think this work can be
deferred.
> Poor logout experience when using Oauth2 authentication mechanism for
> management
> --------------------------------------------------------------------------------
>
> Key: QPID-7062
> URL: https://issues.apache.org/jira/browse/QPID-7062
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
>
> If I configure OAuth2 and use a provider such as CloudFoundry, when I go to
> logout of the Qpid Web Management Console I get caught in a loop, giving the
> impression that the logout function is broken and leaving no means of escape
> without closing the window/tab or typing an address.
> # The logout button directs the browser to /logout.
> # Web Management invalidates the Session
> # Redirects to /management (odd - this should have been retired)
> # Oauth2InteractiveAuthenticator redirects to the authenticate endpoint
> (CloudFoundry)
> # CloudFoundry redirects back to the Web Management Console, starting a new
> session.
> The experience is similar in Google except I see Google's "Request for
> permission" page after logout before the loop starts again.
> Perhaps the LogoutServlet should ask the HttpRequestInteractiveAuthenticators
> for a logout link? In the case of Oauth2, the plugin could then provide a
> configurable link.
> I also notice that when using OAuth2, the /login page is still live, but
> completely redundant/confusing.
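The two ideas in this thread, a LogoutServlet that asks the interactive authenticators for a logout link instead of redirecting to /management, and login/logout pages served by dispatcher forward from beneath WEB-INF so they are not client-addressable, can be sketched in servlet code. The following is an added illustration, not Qpid's own code: `InteractiveLogoutProvider`, `ForwardingLoginServlet` and `LoopFreeLogoutServlet` are hypothetical names, and it assumes a traditional WAR layout with `/WEB-INF/login.html` and `/WEB-INF/logout.html` present, which the comment above notes the broker does not yet have.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical hook (not a Qpid interface): an interactive authenticator may
 * supply a provider-side logout link. Returning null means "no provider
 * logout", in which case the broker renders its own logged-out page rather
 * than bouncing to /management, which would immediately re-authenticate.
 */
interface InteractiveLogoutProvider
{
    boolean isResponsibleFor(HttpServletRequest request);

    /** Absolute URL taken from broker configuration, never from request input. */
    String getLogoutLink();
}

/**
 * Serves the login form by server-side forward. The browser URL stays at the
 * servlet path while the container renders a resource under WEB-INF, which
 * the servlet specification hides from direct client requests.
 */
class ForwardingLoginServlet extends HttpServlet
{
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException
    {
        request.getRequestDispatcher("/WEB-INF/login.html").forward(request, response);
    }
}

/** Logout that ends the local session without re-triggering the authenticator. */
public class LoopFreeLogoutServlet extends HttpServlet
{
    private final List<InteractiveLogoutProvider> _providers;

    public LoopFreeLogoutServlet(List<InteractiveLogoutProvider> providers)
    {
        _providers = providers;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException
    {
        // Invalidate the console session first, whatever happens afterwards.
        HttpSession session = request.getSession(false);
        if (session != null)
        {
            session.invalidate();
        }

        // Ask the authenticator that handled this request for a logout link.
        String providerLogout = null;
        for (InteractiveLogoutProvider provider : _providers)
        {
            if (provider.isResponsibleFor(request))
            {
                providerLogout = provider.getLogoutLink();
                break;
            }
        }

        if (providerLogout != null && providerLogout.startsWith("https://"))
        {
            // Provider-side logout (e.g. an OAuth2 identity provider). Without
            // this the next console request is silently re-authenticated and
            // the user perceives the logout as a loop. The URL comes from
            // configuration only, so this is not an open redirect.
            response.sendRedirect(providerLogout);
        }
        else
        {
            // Username/password or a provider with no logout endpoint: render a
            // static logged-out page by forward instead of redirecting to
            // /management, and keep it out of caches.
            response.setHeader("Cache-Control", "no-store");
            request.getRequestDispatcher("/WEB-INF/logout.html").forward(request, response);
        }
    }
}
```

The `isResponsibleFor` check lets several authenticators coexist; only the one that established the session decides where logout lands. Restricting the provider link to an administrator-configured `https://` URL is what keeps the redirect from becoming a user-controlled one.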
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)