Description:
After a successful log-in to the bpmn-explorer console you can use the dashboard, task, monitoring and reports pages, but when you select the "Processes" menu item you are logged out. I tried to analyze this problem and it seems that the session is not validated by cookie but only by the Authorization HTTP header in the SOAP services used from the JS scripts. For example, selecting the Processes menu item executes the getBPMNProcessDiagram method in the bpmn-explorer\assets\wsRequest.js script. This method uses the "urn:getProcessDiagram" method on the "/services/BPMNDeploymentService/" endpoint, which subsequently uses the org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.isAuthenticated method and org.wso2.carbon.core.services.authentication.BasicAccessAuthenticator.canHandle to determine the username. The last one checks only Authorization headers and returns false. The cookie is not checked anywhere in this route; nonetheless it is still provided from the JS method as a separate parameter of the requestBPS method.
Suggested Labels:
bpmn-explorer,ui,authorization,unauthorized
Suggested Assignees:
Affected Product Version:
EI 6.6.0
OS, DB, other environment details and versions:
Windows, Linux
Steps to reproduce:
Related Issues: