Cannot login when anonymous user is activated
We have a big problem: users cannot log in on the Web UI when we activate the anonymous user. Even after logging out and using the login form, the user is authenticated as anonymous and not with their credentials.
Authentication via REST API works.
Could it be that anonymous authentication is tried before basic auth? Can we change this behaviour?
Update: I found out that a subsequent fetch of 'ui/sw.js' from login.js triggers the new authentication that mixes up the login page.
Sorry to resurrect this old thread of mine, but I still got this problem. The order in the authenticationChain is just like you described. I even tested it the other way around (just a sanity check).
I can confirm this works as it should when using the REST API. But for the Web UI in the browser, it's a different story.
Digging through debug logs and the NuxeoAuthenticationFilter code, my guess is this:
- logging out correctly invalidates the cachableUserIdent and redirects to /ui with forceAnonymousLogin forces a redirect to login.jsp
- login.jsp shows the form for username and password
BUT before I even type in my credentials I can see in the logs that I am authenticated as anonymous user. In the next step (submitting the form) this bypasses the “Authentication Filter” with “userIdent found in cache, get the Principal from it without reloggin”
So something in between logging out and showing login.jsp triggers authentication (which succeeds because of ANONYMOUS_AUTH) and prevents the credentials from being used after all.
Sidenote: When I am on the login.jsp page and remove the JSESSIONID cookie it works. My guess is this invalidates the userIdent caching.
The Nuxeo Platform will use the plugins in the order they are chained up until one is successful. So make sure the <plugin>ANONYMOUS_AUTH</plugin> in the <authenticationChain> is called after