Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Eclipse Scout » Thrown VetoException not visible from Login form(A thrown VetoException is not visible from the login form)
Thrown VetoException not visible from Login form [message #1860547] Tue, 15 August 2023 09:17 Go to next message
J D is currently offline J DFriend
Messages: 102
Registered: February 2021
Senior Member
Hello everyone,

In my abridged custom CredentialVerifier shown below, I test for empty password and wrong password length. I want to throw a VetoException visible to the user when username or password is empty or password is not the right length.

public class RestCredentialVerifier implements ICredentialVerifier {
  private static final Logger LOG = LoggerFactory.getLogger(RestCredentialVerifier.class);

  @Override
  public int verify(String username, char[] passwordPlainText) throws IOException {

    // Test for missing username or password
    if (StringUtility.isNullOrEmpty(username) || passwordPlainText == null
        || passwordPlainText.length == 0) {
      LOG.warn(TEXTS.get("MissingUsernameOrPassword"));
      throw new VetoException(TEXTS.get("MissingUsernameOrPassword")).withSeverity(IStatus.WARNING);
    }

    // Test for non-conforming password
    // Password MUST have between 8 to 20 characters with a minimum of one uppercase, one lowercase,
    // one number, one special character and without spaces
    if ((passwordPlainText.length < 8) || (passwordPlainText.length > 20)) {
      LOG.warn(TEXTS.get("ThePasswordMustHaveBetween820Characters"));
      throw new VetoException(TEXTS.get("ThePasswordMustHaveBetween820Characters")).withSeverity(IStatus.WARNING);
    }

    if (passwordInvalid(String.valueOf(passwordPlainText))) {
      LOG.warn(TEXTS.get("PasswordCompositionRuleWarning"));
      throw new VetoException(TEXTS.get("PasswordCompositionRuleWarning")).withSeverity(IStatus.WARNING);
    }

    // .... more code here

    return result;
  }
}


However, when I try this all I see is the login button turning red with a message saying login has failed and my VetoException message is NEVER displayed.

My understanding of a VetoException is that it is thrown server-side and is visible client side.
https://eclipsescout.github.io/scout-docs/23.1/technical-guide/common-concepts/exception-handling.html#vetoexception

How do I make the VetoException visible? If this is not possible, how do I display the exception message to the user?

Thanks a million for your kind assistance.

JD

[Updated on: Tue, 15 August 2023 09:18]

Report message to a moderator

Re: Thrown VetoException not visible from Login form [message #1860564 is a reply to message #1860547] Thu, 17 August 2023 09:21 Go to previous messageGo to next message
Stephan Merkli is currently offline Stephan MerkliFriend
Messages: 48
Registered: April 2012
Member
Hi JD

Your understanding of a VetoException is correct regarding client server interaction via service tunnel. The text of a veto exception thrown on the server (backend) is displayed to the user in the client (ui).

The login box doesn't involve the service tunnel and thus behaves differently, the login box only knows one error message, see LoginBox._onPostFailImpl (ui.LoginFailed). It's not recommended to display detailed information to a user why a login failed. A credential verifier is only required to check if the username/password combination is valid, there is no need to apply other verifications such as password length checks.

If you're using the login box to register new users (as your code might suggest), I'd recommend to create an own box for that, with using own REST services to create such a user. The usage of a credential verifier for this use case is not recommended/doesn't work.

Regards
Stephan
Re: Thrown VetoException not visible from Login form [message #1860570 is a reply to message #1860564] Thu, 17 August 2023 16:40 Go to previous messageGo to next message
J D is currently offline J DFriend
Messages: 102
Registered: February 2021
Senior Member
Stephan Merkli wrote on Thu, 17 August 2023 09:21
Hi JD
The login box doesn't involve the service tunnel and thus behaves differently, the login box only knows one error message, see LoginBox._onPostFailImpl (ui.LoginFailed). It's not recommended to display detailed information to a user why a login failed. A credential verifier is only required to check if the username/password combination is valid, there is no need to apply other verifications such as password length checks.

If you're using the login box to register new users (as your code might suggest), I'd recommend to create an own box for that, with using own REST services to create such a user. The usage of a credential verifier for this use case is not recommended/doesn't work.

Regards
Stephan


Hi Stephan,

Thanks a lot for your clarifications. In my application model, users and their roles are created by someone with administration rights inside the app, in the same way that Contacts are created in the Eclipse Scout sample contacts app.

However, users are required to create their passwords on first login, and that is why I have password checks in my credential verifier.

I have two questions to ask:

1) is it possible to show the exception message as a line of text on the Login box under the button OR as the caption of the button when it turns red when login has failed?

2) if the former is not possible, I would assume from your response that I'll need to create my own login box. How do I do it, and how do I integrate it into the app so that it is the entrypoint of the app? Would a simple HTML login be enough, or must I add some JavaScript to it?

Thanks a lot for your kind assistance.

JD


Re: Thrown VetoException not visible from Login form [message #1860581 is a reply to message #1860570] Fri, 18 August 2023 08:56 Go to previous messageGo to next message
Stephan Merkli is currently offline Stephan MerkliFriend
Messages: 48
Registered: April 2012
Member
Hi JD

1) Should be possible, but requires some engineering
2) I'd recommend that way (still requires some effort)

If an administrator creates a new user, I assume this new user somehow gets an email with a specific link for this user to set his password? Because if not, and by using just the login box, anyone could set a password by just entering the correct username and any password (valid according to the password policy) in the meantime.

So, for your scenario I would expect something like this:
- Receive an email (or any other form of communication) with a dedicated link pointing to the reset password page (including a token, e.g. https://example.org/reset-password.html?token=6682141c-20b2-45d8-8737-11800ff7c02f)
- Link presents a form with two password fields to reset password (no real need to enter username here, because identified via token)
- Form submit will call a REST service that verifies if the given token is valid (and determines the username), checks the password against the password policy and either returns an error message or updates the password for the user.
- After receiving response from REST service, form will either show the error to the user or redirect to login page if password was set successfully

The own page to reset the password (e.g. reset-password.html) can either just be plain HTML (maybe easier) or similar to login.html, login.js and LoginBox.ts. The URL path to the REST service needs to be excluded in web.xml because otherwise authentication is required.

I've not tried this approach, just my thoughts on that. Good luck :-)

Regards
Stephan

[Updated on: Fri, 18 August 2023 08:56]

Report message to a moderator

Re: Thrown VetoException not visible from Login form [message #1860735 is a reply to message #1860581] Wed, 30 August 2023 13:59 Go to previous messageGo to next message
J D is currently offline J DFriend
Messages: 102
Registered: February 2021
Senior Member
Hi there Stephan,

Thanks a lot for your response, and above all for the ideas you suggested.

I spent a lot of time looking through old forum posts to see if somebody had a use case similar to mine in the past.

The closest I could find was this one: Registration Form: https://www.eclipse.org/forums/index.php/m/1810382/?srch=registration+form#msg_1810382
Unfortunately, it did not lead to the conclusion I hoped., a working example. ;o) I also do not understand the first option in that response i.e the use of a "deep link" URL accessible to anonymous users for registration.

After going through all the blog posts asking for help/information about a custom login form and considering your replies, I've come to the following conclusions:

1) it may be better to leave the Scout application and its credential verification process as is

2) build a separate application to handle registration, password validation and resets, accessible via its own URL which is sent to users via email like you suggested

Any further thoughts on your part?

Cheers,

JD
Re: Thrown VetoException not visible from Login form [message #1860747 is a reply to message #1860735] Thu, 31 August 2023 11:57 Go to previous message
Stephan Merkli is currently offline Stephan MerkliFriend
Messages: 48
Registered: April 2012
Member
Hi JD

You could build a completely different application for this purpose (i.e. not with Scout, but writing the new password to the same database/service your Scout application uses for verification), I'd still integrate that directly into your Scout application as mentioned in my previous response. That way you have like a mini plain HTML (with/without JS) or Scout JS application providing the passwort reset functionality, while leaving the credential verification process as it is (that's more or less option 3 as mentioned by André in the post you linked).

Regards
Stephan
Previous Topic:Extension Error
Next Topic:Hyperlink in docx4j
Goto Forum:
  


Current Time: Tue Oct 08 18:27:56 GMT 2024

Powered by FUDForum. Page generated in 0.07820 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top