Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update login form display strategy #669

Merged
merged 2 commits into from
Feb 9, 2024
Merged

Conversation

Sae126V
Copy link
Contributor

@Sae126V Sae126V commented Nov 9, 2023

Prevents access to the login form.

Need to prevent access to the login form when admin has decided to disable(Set to false) both localAuthenticationVisible and showLinkToLocalAuthn.

Copy link
Contributor

@rmiccoli rmiccoli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Sae126V
Copy link
Contributor Author

Sae126V commented Nov 9, 2023

Hi, I think the behaviour is already like that, isn't it? See https://github.com/indigo-iam/iam/blob/develop/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp#L76.

Say, When Admin has set loginPageMode to Hidden (Might Happen edge case: Users who know the route link will still be able to access the login form even though admin doesn't want users to enter credentials to login). Does that make sense?

@rmiccoli
Copy link
Contributor

rmiccoli commented Nov 9, 2023

Hi, I think the behaviour is already like that, isn't it? See https://github.com/indigo-iam/iam/blob/develop/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp#L76.

Say, When Admin has set loginPageMode to Hidden (Might Happen edge case: Users who know the route link will still be able to access the login form even though admin doesn't want users to enter credentials to login). Does that make sense?

Ok, clear now. Yes, it makes sense to me.

@Sae126V Sae126V force-pushed the restrict-access-to-login-form branch from f192d11 to 2247a1c Compare November 10, 2023 13:58
Copy link
Contributor

@rmiccoli rmiccoli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-thinking about this issue, the 'HIDDEN case' is already used in production and we don't want to break it. Then, you can add another property, such as DISABLED to reproduce your behavior.

@Sae126V
Copy link
Contributor Author

Sae126V commented Nov 17, 2023

No worries. I thought the DISABLED Case is same as HIDDEN. If it is make no sense. I am happy to close this PR :)

@enricovianello
Copy link
Member

Prevents access to the login form.

Need to prevent access to the login form when admin has decided to disable(Set to false) both localAuthenticationVisible and showLinkToLocalAuthn.

My only comment is that I'd change the "title" of this PR/fix. We're not preventing access, we're changing (in a correct way) the logic that hides a form. The login endpoint still login you if you present your right credentials (through a curl e.g.). Then, I'll update the PR title in order to be more clear about this. Something like "Update login form display strategy" e.g.

@Sae126V Sae126V changed the title Prevent unauthorized access to the users Update login form display strategy Dec 1, 2023
Copy link

sonarqubecloud bot commented Dec 1, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@federicaagostini
Copy link
Contributor

LGTM

@federicaagostini federicaagostini removed their request for review February 8, 2024 16:15
Copy link

sonarqubecloud bot commented Feb 8, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@rmiccoli
Copy link
Contributor

rmiccoli commented Feb 8, 2024

Hi @Sae126V,

we were reviewing your PR that is fine.
Currently, by setting the following properties:

  • IAM_LOCAL_AUTHN_LOGIN_PAGE_VISIBILITY = hidden
  • IAM_LOCAL_AUTHN_ENABLED_FOR = none

The local authentication is still shown by adding sll=y parameter, but the functionality is disabled (see the attached screenshot).
Screenshot from 2024-02-08 17-50-51

Let's decide together which behavior is preferred.

@rmiccoli rmiccoli merged commit 0d02aa0 into develop Feb 9, 2024
4 checks passed
@rmiccoli rmiccoli deleted the restrict-access-to-login-form branch February 9, 2024 14:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
No open projects
Status: Done
Development

Successfully merging this pull request may close these issues.

4 participants