kirby zhou created RANGER-3679:
----------------------------------

             Summary: Login Failure message broken with some locales.
                 Key: RANGER-3679
                 URL: https://issues.apache.org/jira/browse/RANGER-3679
             Project: Ranger
          Issue Type: Bug
          Components: admin
    Affects Versions: 3.0.0, 2.3.0
            Reporter: kirby zhou
         Attachments: 截屏2022-03-21 12.07.03.jpg

If the server locale is not English, the WebUI sometimes loses the login failure
message. login.jsp posts an AJAX request to /login, but it only gets back a 401 with
the payload '{"statusCode":0}'. The result is that only a red triangle is shown,
without any text message.

The problem is in RangerAuthFailureHandler.java: it compares
exception.getMessage() against CLIUtil.getMessage(...) to decide what to put into
vXResponse.setMsgDesc(...):

{code:java}
String msg = exception.getMessage();
VXResponse vXResponse = new VXResponse();
if (msg != null && !msg.isEmpty()) {
    if (CLIUtil.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", request).equalsIgnoreCase(msg)) {
        vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
        vXResponse.setMsgDesc("The username or password you entered is incorrect.");
        logger.info("Error Message : " + msg);
    } else if (msg.contains("Could not get JDBC Connection; nested exception is java.sql.SQLException: Connections could not be acquired from the underlying database!")) {
        vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
        vXResponse.setMsgDesc("Unable to connect to DB.");
    } else if (msg.contains("Communications link failure")) {
        vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
        vXResponse.setMsgDesc("Unable to connect to DB.");
    } else if (CLIUtil.getMessage("AbstractUserDetailsAuthenticationProvider.disabled", request).equalsIgnoreCase(msg)) {
        vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
        vXResponse.setMsgDesc("The username or password you entered is disabled.");
    }
    // no final else: a message that matches none of the branches leaves msgDesc unset
}
jsonResp = jsonUtil.writeObjectAsString(vXResponse);
response.getWriter().write(jsonResp);
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
{code}
There are several problems:
 * Localized messages are not unified.

When a BadCredentialsException happens under the Chinese locale, CLIUtil.getMessage
returns the localized message "坏的凭据" from
security-admin/src/main/resources/internationalization/messages_zh_CN.properties,
but msg is "用户名或密码错误" from
org/springframework/security/messages_zh_CN.properties. The two have the same
meaning but different wording, so the equalsIgnoreCase comparison never matches.

Please review why we use "CLIUtil.getMessage" here to obtain the locale message, and
why we maintain an alternative set of locale message definitions alongside Spring's.

 * Compare localized messages with non-localized messages.

When a LockedException happens, CLIUtil.getMessage returns "用户帐号已被锁定", but msg is
"User account is locked".

This is because an exception thrown by a Spring class is usually localized, whereas
one thrown by Ranger itself in RangerAuthenticationProvider.java is usually not:
{code:java}
 % grep -n 'new.*Exception' RangerAuthenticationProvider.java
152:                            throw new LockedException(String.format("User account %s is locked", authentication.getName()));
638:                                    throw new BadCredentialsException("Bad credentials");
650:                    throw new BadCredentialsException("Bad credentials", t);
{code}
 * If the message does not match any of the 'if' branches, no message at all is returned to the user.
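One way to avoid all three problems, as an added example that is not Ranger's code: dispatch on the Spring Security exception class instead of comparing localized message text, and always fall back to a non-empty description. The class name AuthFailureMessages is hypothetical, and it is an assumption that DB failures reach the handler as an AuthenticationServiceException or with a java.sql.SQLException cause.

```java
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.AuthenticationException;

/** Hypothetical helper: maps an authentication failure to a user-facing message
 *  without inspecting the (possibly localized) exception text. */
public final class AuthFailureMessages {

    private static final String DEFAULT_MSG = "Authentication failed.";

    public static String describe(AuthenticationException ex) {
        // The exception type is stable across locales and across the
        // Spring-thrown and Ranger-thrown variants of the same failure.
        if (ex instanceof BadCredentialsException) {
            return "The username or password you entered is incorrect.";
        }
        if (ex instanceof DisabledException) {
            return "The username or password you entered is disabled.";
        }
        if (ex instanceof LockedException) {
            return "Your account is locked.";
        }
        // Assumption: DB outages (the "Connections could not be acquired" and
        // "Communications link failure" cases) arrive wrapped in an
        // AuthenticationServiceException or carry an SQLException cause.
        if (ex instanceof AuthenticationServiceException
                || ex.getCause() instanceof java.sql.SQLException) {
            return "Unable to connect to DB.";
        }
        // Fallback so the client never receives an empty msgDesc.
        return DEFAULT_MSG;
    }

    public static void main(String[] args) {
        // Constructed inputs: the same failure with English and Chinese text,
        // plus a DB outage and an unknown failure type.
        System.out.println(describe(new BadCredentialsException("Bad credentials")));
        System.out.println(describe(new BadCredentialsException("用户名或密码错误")));
        System.out.println(describe(new LockedException("User account x is locked")));
        System.out.println(describe(new AuthenticationServiceException("db down",
                new java.sql.SQLException("Connections could not be acquired"))));
        System.out.println(describe(new AuthenticationException("unknown") {}));
    }
}
```

With this approach the two English and Chinese BadCredentialsException inputs produce the same message, and the unknown type still yields a description rather than a bare {"statusCode":0}.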
Related: RANGER-3672



--
This message was sent by Atlassian Jira
(v8.20.1#820001)