Redirecting to login page when id admin password other than test

#1

Hi,

I’ve changed the IDM admin password used for executing the REST calls to the IDM REST services, so I’ve changed FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD in every service and added the FLOWABLE_IDM_APP_ADMIN_PASSWORD property to the flowable-idm configuration.

Here is my docker compose file (it’s modeler-task-idm-admin-postgres.yml with my emboldened changes):

version: '3.6'

services:
  flowable-modeler-app:
    image: flowable/flowable-modeler
    container_name: flowable-modeler
    depends_on:
      - flowable-db
      - flowable-idm-app
      - flowable-task-app
    environment:
      - SERVER_PORT=8888
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE_COMMON_APP_IDM-URL=http://flowable-idm-app:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-REDIRECT-URL=http://localhost:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-ADMIN.USER=admin
      - FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD=kZ2uekjn4u
      - FLOWABLE_MODELER_APP_DEPLOYMENT-API-URL=http://flowable-task-app:9999/flowable-task/app-api
    ports:
      - 8888:8888
    entrypoint: ["./wait-for-something.sh", "flowable-db", "5432", "PostgreSQL", "java", "-jar", "app.war"]
  flowable-task-app:
    image: flowable/flowable-task
    container_name: flowable-task
    depends_on:
      - flowable-db
      - flowable-idm-app
    environment:
      - SERVER_PORT=9999
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE_COMMON_APP_IDM-URL=http://flowable-idm-app:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-REDIRECT-URL=http://localhost:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-ADMIN.USER=admin
      - FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD=kZ2uekjn4u
    ports:
      - 9999:9999
    entrypoint: ["./wait-for-something.sh", "flowable-db", "5432", "PostgreSQL", "java", "-jar", "app.war"]
  flowable-idm-app:
    image: flowable/flowable-idm
    container_name: flowable-idm
    depends_on:
      - flowable-db
    environment:
      - SERVER_PORT=8080
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE_IDM_APP_ADMIN_PASSWORD=kZ2uekjn4u
    ports:
      - 8080:8080
    entrypoint: ["./wait-for-something.sh", "flowable-db", "5432", "PostgreSQL", "java", "-jar", "app.war"]
  flowable-admin-app:
    image: flowable/flowable-admin
    container_name: flowable-admin
    depends_on:
      - flowable-db
      - flowable-idm-app
      - flowable-task-app
    environment:
      - SERVER_PORT=9988
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE_COMMON_APP_IDM-URL=http://flowable-idm-app:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-REDIRECT-URL=http://localhost:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-ADMIN.USER=admin
      - FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD=kZ2uekjn4u
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_PROCESS_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_PROCESS_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_PROCESS_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_PROCESS_REST-ROOT=process-api
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CMMN_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CMMN_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CMMN_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CMMN_REST-ROOT=cmmn-api
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_DMN_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_DMN_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_DMN_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_DMN_REST-ROOT=dmn-api
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_FORM_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_FORM_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_FORM_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_FORM_REST-ROOT=form-api
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CONTENT_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CONTENT_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CONTENT_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CONTENT_REST-ROOT=content-api
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_APP_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_APP_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_APP_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_APP_REST-ROOT=app-api
    ports:
      - 9988:9988
    entrypoint: ["./wait-for-something.sh", "flowable-db", "5432", "PostgreSQL", "java", "-jar", "app.war"]
  flowable-db:
    image: postgres:9.6-alpine
    container_name: flowable-postgres
    environment:
      - POSTGRES_PASSWORD=flowable
      - POSTGRES_USER=flowable
      - POSTGRES_DB=flowable
    ports:
      - 5433:5432
    command: postgres

Then I run docker-compose up.
I see that I have a user in the database with the correct password and full privileges.

I can log into the idm app (http://localhost:8080/flowable-idm/) with admin/kZ2uekjn4u, but when I try to log in to any other app (with the same credentials) it always redirects me to the login page without any message.
I can log in to the other apps when I change the password (from the idm app) to the default one - “test”.

Can you help me? Did I miss something?
I can’t understand how it works.
Is there something hard coded (“test” password)?

Redirect issue at login
#2

Hi,

No. The password is not hard coded.
I tested it and I’m experiencing the same thing when running with docker compose.
It seems to be related to setting the REST password in the docker compose config. (It works when running standalone.)
I have to investigate this further.

Regards,

Yvo

#3

Can you try setting the password with FLOWABLE_COMMON_APP_IDM-ADMIN_PASSWORD instead of FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD (the _ instead of . in the property)?

#4

Hi @filiphr

Exactly. That’s the reason. When there is a “.” in the env property, the default value is loaded from flowable-default.properties.
I’ve started debugging spring apps from docker images :stuck_out_tongue: and found that the RemoteIdmServiceImpl constructor is fed with admin/test credentials.

#5

Since I’ve already gone through that case, maybe I’ll describe how I debug applications.

  1. Clone flowable repository
  2. git checkout flowable-6.3.1
  3. Add -agentlib:jdwp=transport=dt_socket,address=8001,server=y,suspend=n to i.e. flowable-modeler-app service in docker compose. Should look similar to this one:

  flowable-modeler-app:
    image: flowable/flowable-modeler
    container_name: flowable-modeler
    depends_on:
      - flowable-db
      - flowable-idm-app
      - flowable-task-app
    environment:
      - SERVER_PORT=8888
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE_COMMON_APP_IDM-URL=http://flowable-idm-app:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-REDIRECT-URL=http://localhost:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-ADMIN.USER=admin
      - FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD=kZ2uekjn4u
      - FLOWABLE_MODELER_APP_DEPLOYMENT-API-URL=http://flowable-task-app:9999/flowable-task/app-api
    ports:
      - 8888:8888
      - 8001:8001
    entrypoint: ["./wait-for-something.sh", "flowable-db", "5432", "PostgreSQL", "java", "-agentlib:jdwp=transport=dt_socket,address=8001,server=y,suspend=n", "-jar", "app.war"]

Note there are still dots in env properties (FLOWABLE_COMMON_APP_IDM-ADMIN.USER, FLOWABLE_COMMON_APP_IDM-ADMIN.USER). Do not copy the whole service configuration :slight_smile:

  4. Run Remote debug from IDE (IntelliJ/Eclipse). Like this one:
    http://i.imgur.com/mpDeQbg.png

#6

Hi,

I’ve made a PR - https://github.com/flowable/flowable-engine/pull/1254

Thanks guys for your time.

#7

Thanks for the PR and the pointer for the debugging @rgorzkowski

One pointer from me. Whenever there are issues with the environment I always try the actuator/env and actuator/configprops from the Spring Boot properties. The first one gives you insight into what the environment looks like (which properties are set) and the second one gives you insight into the actual @ConfigurationProperties beans and their values.

Cheers,
Filip

#8

Hi everybody,

I am running into a very similar and seemingly related issue with similar symptoms. I hope someone can shed some light on this as it probably affects a series of “newbies”.

I wanted to try flowable on my docker environment and, since I want it exposed to the internet, wanted to at least change the default admin password. I am able to change it, but as soon as I do, all flowable-modeler, flowable-admin etc redirect to the flowable-idm login page. If I don’t touch the admin test configuration all works fine, but as soon as in flowable-idm I do any change on the admin user (rename, disable, change password), I can’t login anymore. This is obviously undesirable since I am running it exposed to the internet.

My configuration
I try to run it as simply as possible so I can easily test it. I am not using compose (for a variety of reasons) but plain vanilla docker:

docker run --restart=on-failure:10 --name flowable -p 1111:8080 \
  -e FLOWABLE_COMMON_APP_IDM-URL=https://flowable.mydomain.net/flowable-idm \
  -e FLOWABLE_COMMON_APP_IDM-REDIRECT-URL=https://flowable.mydomain.net/flowable-idm \
  -l "traefik.frontend.entryPoints=https" \
  -l "traefik.frontend.rule=Host:flowable.mydomain.net" \
  -l "traefik.enable=true" \
  -l "traefik.port=8080" \
  --network internet_exposed_network \
  -d flowable/all-in-one

You can ignore the Traefik parameters, they merely configure the reverse proxy so I get automatic SSL and can access flowable from the internet. This is basically little more than the basic run command that also the instructions on https://hub.docker.com/r/flowable/all-in-one show and that I would expect to suffice.

What I tried
I tried a variety of options: I tried using postgres (as per the flowable/all-in-one compose file), setting the user and password as environment variables (setting FLOWABLE_COMMON_APP_IDM-ADMIN.USER and FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD - trying both with dot and without - nothing changed, the default password stayed at admin test) and reading through this forum to find any solution that may help. Nothing in the logs jumped out at me.

The question
Does anyone know how to solve this? My impression is that my docker command shown above should be able to run a test version of flowable. Or am I missing some important configuration?

#9

Ref: How To: Flowable and LDAP

I use an environment file to pass properties to the Docker container:

#
# DEFAULT ADMINISTRATOR ACCOUNTS
#

FLOWABLE_IDM_APP_ADMIN_USER_ID=flowable
FLOWABLE_IDM_APP_ADMIN_PASSWORD=test
FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=Flowable
FLOWABLE_IDM_APP_ADMIN_LAST_NAME=Administrator
FLOWABLE_IDM_APP_ADMIN_EMAIL=admin@flowable.org

FLOWABLE_COMMON_APP_IDM_ADMIN_USER=flowable
FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=test

#
# LDAP
#

FLOWABLE_IDM_LDAP_ENABLED=true
FLOWABLE_IDM_LDAP_SERVER=ldap://host.docker.internal
FLOWABLE_IDM_LDAP_PORT=10389
FLOWABLE_IDM_LDAP_USER=cn=admin,dc=flowable,dc=org
FLOWABLE_IDM_LDAP_PASSWORD=secret
FLOWABLE_IDM_LDAP_BASE_DN=dc=flowable,dc=org
FLOWABLE_IDM_LDAP_USER_BASE_DN=ou=users,dc=flowable,dc=org
FLOWABLE_IDM_LDAP_GROUP_BASE_DN=ou=groups,dc=flowable,dc=org
FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID=(&(objectClass=inetOrgPerson)(uid={0}))
FLOWABLE_IDM_LDAP_QUERY_USER_BY_FULL_NAME_LIKE=(&(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))
FLOWABLE_IDM_LDAP_QUERY_ALL_USERS=(objectClass=inetOrgPerson)
FLOWABLE_IDM_LDAP_QUERY_GROUPS_FOR_USER=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
FLOWABLE_IDM_LDAP_QUERY_ALL_GROUPS=(objectClass=groupOfUniqueNames)
FLOWABLE_IDM_LDAP_QUERY_GROUP_BY_ID=(&(objectClass=groupOfUniqueNames)(uniqueId={0}))
FLOWABLE_IDM_LDAP_ATTRIBUTE_USER_ID=uid
FLOWABLE_IDM_LDAP_ATTRIBUTE_FIRST_NAME=cn
FLOWABLE_IDM_LDAP_ATTRIBUTE_LAST_NAME=sn
FLOWABLE_IDM_LDAP_ATTRIBUTE_EMAIL=mail
FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_ID=cn
FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_NAME=cn
FLOWABLE_IDM_LDAP_CACHE_GROUP_SIZE=10000
FLOWABLE_IDM_LDAP_CACHE_GROUP_EXPIRATION=180000

To launch the flowable/all-in-one (SNAPSHOT) image:

docker run -p 8080:8080 \
  --env-file ldap-env.txt \
  flowable/all-in-one:6.5.0-SNAPSHOT
#10

Hi @slist

You wrote that you changed the common app idm admin user and password (btw. there is a typo in the property names. You should use an underscore instead of a dot in ADMIN.PASSWORD and same in ADMIN.PASSWORD). Those properties are used while executing REST calls to the IDM REST services (i.e. in the flowable-admin app).

You have to set FLOWABLE_IDM_APP_ADMIN_PASSWORD if you want to change the password of the admin user. If you want to change id of the admin user you should pass FLOWABLE_IDM_APP_ADMIN_USER-ID.

When you change those properties be mindful of changing FLOWABLE_COMMON_APP_IDM-ADMIN_USER, FLOWABLE_COMMON_APP_IDM-ADMIN_PASSWORD and also the properties below if you want to work with flowable-admin:

  • FLOWABLE_ADMIN_APP_SERVER-CONFIG_PROCESS_PASSWORD
  • FLOWABLE_ADMIN_APP_SERVER-CONFIG_CMMN_PASSWORD
  • FLOWABLE_ADMIN_APP_SERVER-CONFIG_DMN_PASSWORD
  • FLOWABLE_ADMIN_APP_SERVER-CONFIG_FORM_PASSWORD
  • FLOWABLE_ADMIN_APP_SERVER-CONFIG_CONTENT_PASSWORD
  • FLOWABLE_ADMIN_APP_SERVER-CONFIG_APP_PASSWORD
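
A lint for the rules this thread arrives at, as an added example that is not part of the original posts or of Flowable's code: it flags dotted variable names (posts #3 and #4) and any IDM client whose REST password no longer matches the IDM admin password (post #10). The service map, the `example-pw` value and the function names are constructed for illustration, and the FLOWABLE_ADMIN_APP_SERVER-CONFIG_*_PASSWORD entries are not checked.

```python
# Constructed sample in the style of the compose file from post #1;
# "example-pw" is a placeholder value.
SAMPLE = {
    "flowable-idm-app": ["FLOWABLE_IDM_APP_ADMIN_PASSWORD=example-pw"],
    "flowable-modeler-app": [
        "FLOWABLE_COMMON_APP_IDM-URL=http://flowable-idm-app:8080/flowable-idm",
        "FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD=example-pw",  # dotted, as in post #1
    ],
    "flowable-task-app": ["FLOWABLE_COMMON_APP_IDM-ADMIN_PASSWORD=example-pw"],
    "flowable-db": ["POSTGRES_PASSWORD=flowable"],
}

DEFAULT_PW = "test"  # default admin password named in the thread
IDM_PW = "FLOWABLE_IDM_APP_ADMIN_PASSWORD"
# Posts #3 and #9 use IDM-ADMIN_PASSWORD and IDM_ADMIN_PASSWORD; names are
# compared with '-' folded to '_' so both spellings are accepted.
CLIENT_PW = "FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD"


def effective_env(entries):
    """Split NAME=value entries into (bound values, ignored dotted names)."""
    bound, ignored = {}, []
    for entry in entries:
        name, _, value = entry.partition("=")
        if "." in name:
            ignored.append(name)  # post #4: the default is loaded instead
        else:
            bound[name.replace("-", "_")] = value
    return bound, ignored


def lint(services, idm_service="flowable-idm-app"):
    """Return (service, variable, problem) tuples for a {service: [entries]} map."""
    findings, envs = [], {}
    for svc, entries in services.items():
        envs[svc], ignored = effective_env(entries)
        findings += [(svc, n, "dot in name: value ignored") for n in ignored]
    idm_pw = envs.get(idm_service, {}).get(IDM_PW, DEFAULT_PW)
    if idm_pw == DEFAULT_PW:
        findings.append((idm_service, IDM_PW, "admin password is the default"))
    for svc, entries in services.items():
        is_client = any(e.startswith("FLOWABLE_COMMON_APP_") for e in entries)
        if is_client and envs[svc].get(CLIENT_PW, DEFAULT_PW) != idm_pw:
            findings.append((svc, CLIENT_PW, "REST password differs from IDM admin password"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=": ")
```

On the sample, both findings point at flowable-modeler-app: the dotted name, and the resulting fallback to the default REST password.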