camunda BPM / CAM-9651

Webapp is not accessible when an identity provider returns invalid group IDs for a user

    Details

      Description

      Scenario:

      • The identity provider (e.g. LDAP) returns null group ids (this is not expected by the identity provider, but can happen due to problems in that system)

      Current behavior:

      • User authentication in the engine throws an exception and Cockpit is not usable

      Expected behavior:

      • Cockpit/engine should ignore invalid group ids and log a warning or error
      • It may then be that the user has fewer access permissions than expected, because not all groups have been resolved correctly
      • This is a more graceful degradation of service

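      Context:

      • Code in question: https://github.com/camunda/camunda-bpm-platform/blob/7.10.0/engine/src/main/java/org/camunda/bpm/engine/impl/IdentityServiceImpl.java#L199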
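
The expected behavior above, sketched as an added example. It is not part of the issue text and not the Camunda fix; the class and method names are hypothetical, and treating blank ids as invalid alongside null is an assumption.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;

// Added illustration; class and method names are hypothetical, not Camunda API.
public class GroupIdFilterExample {

  private static final Logger LOG = Logger.getLogger(GroupIdFilterExample.class.getName());

  // Assumption: "invalid" means null or blank. The issue itself only names null ids.
  static boolean isValidGroupId(String groupId) {
    return groupId != null && !groupId.trim().isEmpty();
  }

  /**
   * Returns only the usable group ids. Invalid entries are dropped, never replaced
   * with a default, so the user can only end up with fewer groups than intended.
   */
  static List<String> filterGroupIds(String userId, List<String> fromProvider) {
    List<String> valid = new ArrayList<>();
    if (fromProvider == null) {
      LOG.warning("Identity provider returned no group list for user '" + userId + "'");
      return valid;
    }
    int dropped = 0;
    for (String groupId : fromProvider) {
      if (isValidGroupId(groupId)) {
        valid.add(groupId);
      } else {
        dropped++;
      }
    }
    if (dropped > 0) {
      // Log the count so operators can correlate missing permissions with provider faults.
      LOG.warning("Ignored " + dropped + " invalid group id(s) for user '" + userId
          + "'; permissions may be narrower than expected");
    }
    return valid;
  }

  public static void main(String[] args) {
    // Constructed sample: a provider lookup that yields one null entry.
    List<String> fromProvider = Arrays.asList("accounting", null, "management");
    System.out.println(filterGroupIds("demo", fromProvider));
  }
}
```

Dropping the bad entries keeps authentication working while authorization can only shrink, so a faulty provider response never widens a user's access.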

        Activity

        thorben.lindhauer Thorben Lindhauer created issue -
        thorben.lindhauer Thorben Lindhauer made changes -
        Field Original Value New Value
        Description Scenario:

        * The identity provider (e.g. LDAP) returns {{null}} group ids (this is not expected by the identity provider, but can happen due to problems in that system)

        Current behavior:

        * User authentication in the engine throws an exception and Cockpit is not usable

        Expected behavior:

        * Cockpit/engine should ignore invalid group ids and log a warning or error
        * It may then be that the user has fewer access permissions than expected, because not all groups have been resolved correctly

        Context:

        * Code in question: https://github.com/camunda/camunda-bpm-platform/blob/7.10.0/engine/src/main/java/org/camunda/bpm/engine/impl/IdentityServiceImpl.java#L199
        thorben.lindhauer Thorben Lindhauer made changes -
        Link This issue is depended on by SUPPORT-5288 [ SUPPORT-5288 ]
        thorben.lindhauer Thorben Lindhauer made changes -
        Remote Link This issue links to "Page (camunda confluence)" [ 12523 ]
        thorben.lindhauer Thorben Lindhauer made changes -
        Assignee Thorben Lindhauer [ thorben.lindhauer ]
        thorben.lindhauer Thorben Lindhauer made changes -
        Fix Version/s 7.11.0 [ 15343 ]
        Fix Version/s 7.10.2 [ 15351 ]
        Fix Version/s 7.9.9 [ 15352 ]
        thorben.lindhauer Thorben Lindhauer made changes -
        Labels SUPPORT
        thorben.lindhauer Thorben Lindhauer made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        thorben.lindhauer Thorben Lindhauer made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Original Estimate 0 minutes [ 0 ]
        Remaining Estimate 0 minutes [ 0 ]
        Assignee Thorben Lindhauer [ thorben.lindhauer ] Nikola Koevski [ nikola.koevski ]
        Resolution Fixed [ 1 ]
        nikola.koevski Nikola Koevski made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        thorben.lindhauer Thorben Lindhauer made changes -
        Fix Version/s 7.11.0-alpha1 [ 15370 ]
        thorben.lindhauer Thorben Lindhauer made changes -
        Remote Link This issue links to "Page (camunda confluence)" [ 12523 ]
        thorben.lindhauer Thorben Lindhauer made changes -
        Workflow camunda BPM [ 54504 ] Backup_camunda BPM [ 64201 ]

          People

          • Assignee:
            nikola.koevski Nikola Koevski
            Reporter:
            thorben.lindhauer Thorben Lindhauer