List: esb-java-dev
Subject: Re: [Dev] [IS-5.3.0] User experience for self signed-up users in dashboard app in a default pack
From: Isura Karunaratne <isura () wso2 ! com>
Date: 2016-10-27 17:06:56
Message-ID: CAO6_PMk4Pyju9239sEbn=22MK-qaAWHf7JXK7R0yhttFJH--jg () mail ! gmail ! com
Login permission is required for the following gadgets:
- Update user profile : It uses UserProfileMgtService
- Setting security questions : It uses UserIdentityManagementAdminService
- Change password : It uses UserIdentityManagementAdminService
- Account association
- Authorized Apps
- Pending approvals (This requires some additional permissions too)
As you mentioned, we can remove the authorization check in most of these
gadgets.
So, +1 to remove the login permission requirement from the user portal. It
will be good for user experience.
Thanks
Isura.
*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: isura@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
On Thu, Oct 27, 2016 at 10:30 AM, Johann Nallathamby <johann@wso2.com>
wrote:
> Hi Isura,
>
> Why do we need "login" permission for the user portal? Only for workflow approvals
> and user session termination do we need some specific permissions. Shall we
> remove the requirement to have "login" permission to login to the user
> portal? I guess removing it from the portal might not be enough. Services
> such as user profile, account association, authorized apps also may need to
> be modified to check only for authentication.
>
> Wdyt?
>
> On Thu, Oct 27, 2016 at 8:50 PM, Ayesha Dissanayaka <ayesha@wso2.com>
> wrote:
>
>>
>> On Thu, Oct 27, 2016 at 6:56 PM, Johann Nallathamby <johann@wso2.com>
>> wrote:
>>
>>> Why do we need to have login permission for the "selfsignup" role? We don't
>>> need to. "login" permission is to login to the management console. We don't
>>> expect self signup users to login to the management console. They can only
>>> login to the dashboard, and for that we should not need "login" permission. Can
>>> you check if the dashboard functions without "login" permission?
>>
>>
>> I tested removing 'login' permission from the "selfsignup" role and the user
>> is unable to login to the dashboard app without 'login' permission.
>>
>> With the logs below in the console:
>> [2016-10-27 20:47:17,346] ERROR {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} - Authentication Request is rejected. Authorization Failure.
>> [2016-10-27 20:47:17,347] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'Ayesha[-1234]' at [2016-10-27 20:47:17,347+0530]
>>
>>
>>
>> --
>> *Ayesha Dissanayaka*
>> Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 20, Palmgrove Avenue, Colombo 3
>> E-Mail: ayesha@wso2.com <ayshsandu@gmail.com>
>>
>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>
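The split the thread arrives at, modelled as an added example (not code from the thread or from WSO2 Identity Server): a portal gadget should require an authenticated session, and only genuinely privileged operations (workflow approvals, session termination) should require a specific permission; the blanket management-console "login" permission is what locks self-signup users out. Gadget names follow the list in the mail; the permission strings are constructed placeholders, not WSO2's real permission tree.

```python
from dataclasses import dataclass, field

# Constructed placeholder permission names; they are not WSO2's real permission tree.
LOGIN_PERMISSION = "/permission/admin/login"
WORKFLOW_APPROVE = "/permission/workflow/approve"
SESSION_TERMINATE = "/permission/session/terminate"


@dataclass(frozen=True)
class Principal:
    username: str
    authenticated: bool
    permissions: frozenset = field(default_factory=frozenset)


# Policy as described for the current pack: every gadget also demands the
# management-console "login" permission, so a self-signup user gets nothing.
OLD_POLICY = {
    "update_profile": {LOGIN_PERMISSION},
    "security_questions": {LOGIN_PERMISSION},
    "change_password": {LOGIN_PERMISSION},
    "account_association": {LOGIN_PERMISSION},
    "authorized_apps": {LOGIN_PERMISSION},
    "pending_approvals": {LOGIN_PERMISSION, WORKFLOW_APPROVE},
    "terminate_sessions": {LOGIN_PERMISSION, SESSION_TERMINATE},
}

# Proposed policy: an authenticated session is enough for self-service gadgets;
# only the genuinely privileged operations keep a specific permission.
NEW_POLICY = {**{g: set() for g in OLD_POLICY},
              "pending_approvals": {WORKFLOW_APPROVE},
              "terminate_sessions": {SESSION_TERMINATE}}


def authorize(policy, principal, gadget):
    """Return (allowed, reason). Unknown gadgets are denied (fail closed)."""
    if not principal.authenticated:
        return False, "authentication failure"
    required = policy.get(gadget)
    if required is None:
        return False, "unknown gadget"
    missing = required - principal.permissions
    if missing:
        return False, "authorization failure: missing " + ", ".join(sorted(missing))
    return True, "ok"


def visible_gadgets(policy, principal):
    """Gadgets the portal should render for this principal under the given policy."""
    return sorted(g for g in policy if authorize(policy, principal, g)[0])
```

Note that the checks for the two privileged gadgets are unchanged between the policies; only the blanket console-login requirement is dropped.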
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev