Thrown VetoException not visible from Login form [message #1860547]
Tue, 15 August 2023 09:17
J D Messages: 102 Registered: February 2021
Senior Member
Hello everyone,
In my abridged custom CredentialVerifier shown below, I test for empty password and wrong password length. I want to throw a VetoException visible to the user when username or password is empty or password is not the right length.
public class RestCredentialVerifier implements ICredentialVerifier {
  private static final Logger LOG = LoggerFactory.getLogger(RestCredentialVerifier.class);

  @Override
  public int verify(String username, char[] passwordPlainText) throws IOException {
    // Test for missing username or password
    if (StringUtility.isNullOrEmpty(username) || passwordPlainText == null
        || passwordPlainText.length == 0) {
      LOG.warn(TEXTS.get("MissingUsernameOrPassword"));
      throw new VetoException(TEXTS.get("MissingUsernameOrPassword")).withSeverity(IStatus.WARNING);
    }

    // Test for non-conforming password
    // Password MUST have between 8 to 20 characters with a minimum of one uppercase, one lowercase,
    // one number, one special character and without spaces
    if ((passwordPlainText.length < 8) || (passwordPlainText.length > 20)) {
      LOG.warn(TEXTS.get("ThePasswordMustHaveBetween820Characters"));
      throw new VetoException(TEXTS.get("ThePasswordMustHaveBetween820Characters")).withSeverity(IStatus.WARNING);
    }
    if (passwordInvalid(String.valueOf(passwordPlainText))) {
      LOG.warn(TEXTS.get("PasswordCompositionRuleWarning"));
      throw new VetoException(TEXTS.get("PasswordCompositionRuleWarning")).withSeverity(IStatus.WARNING);
    }

    // .... more code here
    return result;
  }
}
However, when I try this all I see is the login button turning red with a message saying login has failed and my VetoException message is NEVER displayed.
My understanding of a VetoException is that it is thrown server-side and is visible client side.
https://eclipsescout.github.io/scout-docs/23.1/technical-guide/common-concepts/exception-handling.html#vetoexception
How do I make the VetoException visible? If this is not possible, how do I display the exception message to the user?
Thanks a million for your kind assistance.
JD
[Updated on: Tue, 15 August 2023 09:18]
Re: Thrown VetoException not visible from Login form [message #1860570 is a reply to message #1860564]
Thu, 17 August 2023 16:40
J D Messages: 102 Registered: February 2021
Senior Member
Stephan Merkli wrote on Thu, 17 August 2023 09:21:
Hi JD
The login box doesn't involve the service tunnel and thus behaves differently; the login box only knows one error message, see LoginBox._onPostFailImpl (ui.LoginFailed). It's not recommended to display detailed information to a user about why a login failed. A credential verifier is only required to check if the username/password combination is valid; there is no need to apply other verifications such as password length checks.
If you're using the login box to register new users (as your code might suggest), I'd recommend creating your own box for that, using your own REST services to create such a user. The usage of a credential verifier for this use case is not recommended/doesn't work.
Regards
Stephan
Hi Stephan,
Thanks a lot for your clarifications. In my application model, users and their roles are created by someone with administration rights inside the app, in the same way that Contacts are created in the Eclipse Scout sample contacts app.
However, users are required to create their passwords on first login, and that is why I have password checks in my credential verifier.
I have two questions to ask:
1) Is it possible to show the exception message as a line of text on the Login box under the button OR as the caption of the button when it turns red when login has failed?
2) If the former is not possible, I would assume from your response that I'll need to create my own login box. How do I do it, and how do I integrate it into the app so that it is the entry point of the app? Would a simple HTML login be enough, or must I add some JavaScript to it?
Thanks a lot for your kind assistance.
JD
Re: Thrown VetoException not visible from Login form [message #1860581 is a reply to message #1860570]
Fri, 18 August 2023 08:56
Stephan Merkli Messages: 48 Registered: April 2012
Member
Hi JD
1) Should be possible, but requires some engineering
2) I'd recommend that way (still requires some effort)
If an administrator creates a new user, I assume this new user somehow gets an email with a specific link for this user to set his password? Because if not, and by using just the login box, anyone could set a password by just entering the correct username and any password (valid according to the password policy) in the meantime.
So, for your scenario I would expect something like this:
- Receive an email (or any other form of communication) with a dedicated link pointing to the reset password page (including a token, e.g. https://example.org/reset-password.html?token=6682141c-20b2-45d8-8737-11800ff7c02f)
- Link presents a form with two password fields to reset password (no real need to enter username here, because identified via token)
- Form submit will call a REST service that verifies if the given token is valid (and determines the username), checks the password against the password policy and either returns an error message or updates the password for the user.
- After receiving response from REST service, form will either show the error to the user or redirect to login page if password was set successfully
Your own page to reset the password (e.g. reset-password.html) can either just be plain HTML (maybe easier) or similar to login.html, login.js and LoginBox.ts. The URL path to the REST service needs to be excluded in web.xml because otherwise authentication is required.
I've not tried this approach, just my thoughts on that. Good luck :-)
Regards
Stephan
[Updated on: Fri, 18 August 2023 08:56]
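
The server side of the reset flow outlined in the post above, as an added example that is not from the thread or from Scout: token issued per user, verified by the service, password checked against the policy quoted in the first post. The class name, the in-memory token map, the 24-hour lifetime and the message texts are assumptions; the example uses only the JDK (Java 17).

```java
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

// Hypothetical service behind the reset form (not Scout API); call it from your own REST resource.
public class PasswordResetService {
  private record Pending(String username, Instant expires) {}
  // Policy quoted in the first post: 8 to 20 chars, upper, lower, digit, special, no spaces.
  private static final Pattern POLICY =
      Pattern.compile("(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9])\\S{8,20}");
  private final ConcurrentHashMap<String, Pending> pending = new ConcurrentHashMap<>();
  private final SecureRandom random = new SecureRandom();

  // Called when the administrator creates the user; the token goes into the e-mailed link.
  public String issueToken(String username) throws Exception {
    byte[] raw = new byte[32];
    random.nextBytes(raw);
    String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    pending.put(hash(token), new Pending(username, Instant.now().plusSeconds(24 * 3600)));
    return token; // only the SHA-256 of the token is kept server-side
  }

  // Returns the username whose password the caller may now store (as a salted hash);
  // throws IllegalArgumentException carrying the message the form should display.
  public String redeem(String token, char[] newPassword) throws Exception {
    String key = hash(token == null ? "" : token);
    Pending p = pending.get(key);
    if (p == null || Instant.now().isAfter(p.expires())) {
      throw new IllegalArgumentException("This link is invalid or has expired.");
    }
    if (newPassword == null || !POLICY.matcher(CharBuffer.wrap(newPassword)).matches()) {
      throw new IllegalArgumentException("Password does not meet the password policy.");
    }
    if (!pending.remove(key, p)) { // single use, even if two submits race
      throw new IllegalArgumentException("This link is invalid or has expired.");
    }
    return p.username();
  }

  private static String hash(String token) throws Exception {
    byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
    return Base64.getEncoder().encodeToString(d);
  }
}
```

A policy failure leaves the token in place so the user can correct the password and resubmit; the token is consumed only when the reset succeeds.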