List: wsas-java-dev
Subject: [Dev] MS IE 11 login problems with WSO2 IS 5.4.*
From: Roman CHRENKO <Roman_CHRENKO () tempest ! sk>
Date: 2018-02-27 16:49:47
Message-ID: ade4de832bff4e5a89bb712e36fc9a16 () tempest ! sk
Hello support.
I tried to configure Identity Server 5.4.1.* (I tried versions 5.4.1 update 1, 2 or
3), but mostly I cannot login to protected pages. 9 of 10 tests fail, 1 test passes
OK. Our pages are protected by Shibboleth SP. When we use WSO2 IS 5.3.0 with updates
from 10/2017 everything worked OK. I tried also 5.4.0 update 6 and there were the
same problems, although not too often. After some tests I found out that the problem
is only with MS IE 11 (I didn't test older MS IE versions). With the latest versions
of Firefox, Opera and Chrome login works fine against 5.4.1.3 (I assume that also
with other 5.4.* version). During the tests my SP configuration wasn't changed. As a
policy enforcement point we use Shibboleth SP 2.6.1 (Centos 7.3) and its
configuration has been stable for several months (with IS 5.3.0).
Both 5.4.* versions show very strange behaviour when tested with MS IE 11: I see in
Fiddler proxy that my username/password is sent twice to the WSO2 IS server. Both
HTTP responses have status = 200, both contain SAMLResponse in the body, both
Response.Status = Success, but the 1st response contains AttributeStatement with all
attributes which I defined in SP-Claims screen. The 2nd response doesn't contain any
AttributeStatement.
Only the 2nd SAMLResponse (the worse one), without attributes, is sent by my browser
to the SP.
When some Claims are mandatory, the second response is considered as incomplete and
the user is redirected to
https://WSO2IS-hostname/authenticationendpoint/claims.do?missingClaims=....
After submitting the form with missing claims there is a NullPointerException in the
wso2carbon.log, but it is only a follow-up problem.
The primary problem is that the login form (in login screen) is submitted twice for
MS IE 11. It looks like there are two listeners registered to the onClick event of
HTML element "button" (or something similar). But I am not a JavaScript expert.
I found at your page https://docs.wso2.com/display/compatibility/Tested+Web+Browsers
that MS IE is not among the tested browsers for WSO2 IS 5.4.0. But I think that it is
still one of the most used browsers and you could solve this problem.
I found a workaround for MS IE (and Edge). I updated
${CARBON_HOME}/repository/deployment/server/webapps/authenticationendpoint/basicauth.jsp:
javascript function submitCredentials():
Before change:
    function submitCredentials () {
        var userName = document.getElementById("username");
        userName.value = userName.value.trim();
        if(userName.value){
            document.getElementById("loginForm").submit();
        }
    }
After change:
    function submitCredentials (event) {
        var userName = document.getElementById("username");
        userName.value = userName.value.trim();
        if(userName.value){
            document.getElementById("submitbtn").disabled = true;
            var ua = window.navigator.userAgent;
            var ms_ie = ua.indexOf('MSIE ');
            var ms_ie_trident = ua.indexOf('Trident/');
            var ms_edge = ua.indexOf('Edge/');
            if ( (ms_ie > -1) || (ms_ie_trident > -1) || (ms_edge > -1) ) {
                event.preventDefault();
            }
            document.getElementById("loginForm").submit();
        }
    }
I also added the attributes name and id to the button element:
<button name="submitbtn" id="submitbtn"...
Avoid using id="submit" for the button element.
Chrome had some problem with it - disabling the button element by
    document.getElementById("submit").disabled = true;
also completely disabled the form submitting function.
But I have doubts about whether it is the right solution.
Best regards,
Roman Chrenko
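
One way to guarantee a single credential POST without user-agent sniffing, as an added example that is not part of the original message and not WSO2's code: the guard cancels the native submission in every browser and submits explicitly, once. The function names, the nativeSubmit parameter and the DOM stand-ins are assumptions; only the element ids come from the message.

```javascript
// Added example (not WSO2 code): browser-agnostic single-submission guard.
// All names are hypothetical except the element ids quoted in the message.
function createSubmitOnce(form, userNameField, button, nativeSubmit) {
    var submitted = false; // latched after the first accepted submission

    return function onSubmit(event) {
        // Cancel the browser's own submission in every browser, so only the
        // explicit call below can ever post the credentials.
        if (event && typeof event.preventDefault === "function") {
            event.preventDefault();
        }
        userNameField.value = userNameField.value.trim();
        if (!userNameField.value || submitted) {
            return false; // empty username, repeat click, or second listener
        }
        submitted = true;
        button.disabled = true;
        // Call the prototype method instead of form.submit(): a control whose
        // id or name is "submit" shadows form.submit with the element itself.
        nativeSubmit.call(form);
        return true;
    };
}

// Browser wiring (assumed; ids loginForm, username, submitbtn as in the message):
//   var form = document.getElementById("loginForm");
//   form.addEventListener("submit", createSubmitOnce(form,
//       document.getElementById("username"),
//       document.getElementById("submitbtn"),
//       HTMLFormElement.prototype.submit));

// Constructed stand-ins for the DOM: fire the handler twice, as IE 11 did.
function simulateDoubleSubmit(userName) {
    var form = { posts: 0 };
    var field = { value: userName };
    var button = { disabled: false };
    var cancelled = 0;
    var event = { preventDefault: function () { cancelled += 1; } };
    var handler = createSubmitOnce(form, field, button,
        function () { this.posts += 1; });
    var results = [handler(event), handler(event)];
    return { posts: form.posts, cancelled: cancelled,
             disabled: button.disabled, results: results,
             userName: field.value };
}
```

The guard only removes the duplicate POST on the client; whether the second SAMLResponse should ever lack its AttributeStatement is a server-side question the guard does not answer.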