This repository was archived by the owner on Feb 12, 2023. It is now read-only.

User without a password causes a 500 when authenticating #472

@seadowg


Software and hardware versions

Ubuntu 18.04 x64 on DigitalOcean, Aggregate v2.0.3, Java OpenJDK 1.8.0_212

Problem description

Trying to authenticate as a user that hasn't had a password set for them results in a 500 error.

This actually shows to the user in Collect as a 500 but Briefcase shows the standard "incorrect credentials" error.

Steps to reproduce the problem

I found this playing around in Collect but the easiest way to reproduce is:

  1. Log in as an Admin to Aggregate on the web
  2. Add a new user with just a username - do not set a password
  3. Log out
  4. Log back in as your new user

You'll see a 500 error page.

Expected behavior

Could go a few ways on this:

  1. Aggregate accepts blank password users and so either ignores the submitted password or matches "". Not sure that's a great idea.
  2. Aggregate doesn't allow the user to create a user without a password - it looks like this would require a slightly different user creation flow.
  3. Aggregate sends a different error back in this case so the user knows they have not been set up correctly.

Other information

Here's the stack trace:

org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: User test does not have a password configured. You must close and re-open your browser to clear this error.
	org.opendatakit.common.security.spring.UserDetailsServiceImpl.loadUserByUsername(UserDetailsServiceImpl.java:172)
	org.springframework.security.web.authentication.www.DigestAuthenticationFilter.doFilter(DigestAuthenticationFilter.java:159)
	org.opendatakit.common.security.spring.DigestAuthenticationFilter.doFilter(DigestAuthenticationFilter.java:37)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.opendatakit.common.security.spring.OutOfBandUserFilter.doFilter(OutOfBandUserFilter.java:102)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.opendatakit.common.security.spring.Oauth2ResourceFilter.doFilter(Oauth2ResourceFilter.java:344)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:157)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
	org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

And a screenshot:

Screenshot 2019-06-07 at 10 59 52
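
One way to give every client the "incorrect credentials" outcome that Briefcase already shows, as an added example that is not Aggregate's code: a hypothetical `PasswordRequiredUserDetailsService` wrapper that turns the password-less case from the stack trace into `UsernameNotFoundException`. It assumes the Spring Security digest filter in use answers that exception with its normal 401 challenge, so the response matches the one for an unknown username and the account's state is not exposed to unauthenticated callers.

```java
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Hypothetical wrapper (not Aggregate code): reports a password-less account as an ordinary login failure. */
public class PasswordRequiredUserDetailsService implements UserDetailsService {
    private final UserDetailsService delegate;

    public PasswordRequiredUserDetailsService(UserDetailsService delegate) {
        this.delegate = delegate;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails user;
        try {
            user = delegate.loadUserByUsername(username);
        } catch (AuthenticationCredentialsNotFoundException e) {
            // The case from the stack trace: the account exists but has no password.
            // Keep the cause for server-side logs; give the client a generic message.
            throw new UsernameNotFoundException("Authentication failed", e);
        }
        // Also covers a delegate that returns the account with a null or empty password.
        if (user.getPassword() == null || user.getPassword().isEmpty()) {
            throw new UsernameNotFoundException("Authentication failed");
        }
        return user;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the real user store: every lookup behaves like user "test".
        UserDetailsService store = name -> {
            throw new AuthenticationCredentialsNotFoundException(
                "User " + name + " does not have a password configured.");
        };
        try {
            new PasswordRequiredUserDetailsService(store).loadUserByUsername("test");
        } catch (UsernameNotFoundException expected) {
            System.out.println("rejected as a normal authentication failure: " + expected.getMessage());
        }
    }
}
```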
