OpenMRS page redirection issues at login

Currently I’m running OpenMRS on my local system with the following environment setup:

  • Platform 1.11.4

  • OpenMRS reference application 2.3 modules (placed in application’s module directory)

  • Tomcat container to deploy openmrs.war

Issue:

  1. Hitting http://localhost:8080/openmrs in browser without any kind of extra interaction generates org.api.APIAuthenticationException
  2. Log-in as a high privilege user -> visit few high privilege pages -> log-out -> log-in as a low privilege user -> UI Framework Error -> Navigate back -> Redirects to home page -> generates org.api.APIAuthenticationException

The issue seems to be with the redirection code. The current implementation logs a new user into the system and redirects to the page from which the user had logged off earlier, or to the page where the session expired.

In short, when a low priority user accesses the same machine where a high priority user had logged in earlier, the system generates exceptions.

UI Framework Error
Root Error
org.openmrs.ui.framework.MissingRequiredParameterException: Required: app
    at org.openmrs.ui.framework.UiFrameworkUtil.determineArgumentValue(UiFrameworkUtil.java:233)
    at org.openmrs.ui.framework.UiFrameworkUtil.invokeMethodWithArguments(UiFrameworkUtil.java:98)
    at org.openmrs.ui.framework.UiFrameworkUtil.executeControllerMethod(UiFrameworkUtil.java:68)
    at org.openmrs.ui.framework.page.PageFactory.handleRequestWithController(PageFactory.java:216)
    at org.openmrs.ui.framework.page.PageFactory.processThisFragment(PageFactory.java:158)
    at org.openmrs.ui.framework.page.PageFactory.process(PageFactory.java:114)
    at org.openmrs.ui.framework.page.PageFactory.handle(PageFactory.java:84)
    at org.openmrs.module.uiframework.PageController.handlePath(PageController.java:115)
    at org.openmrs.module.uiframework.PageController.handleUrlWithDotPage(PageController.java:82)
    at sun.reflect.GeneratedMethodAccessor540.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:440)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:428)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:844)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.openmrs.module.web.filter.ForcePasswordChangeFilter.doFilter(ForcePasswordChangeFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilterChain.java:72)
    at org.openmrs.module.web.filter.ModuleFilter.doFilter(ModuleFilter.java:54)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.openmrs.web.filter.OpenmrsFilter.doFilterInternal(OpenmrsFilter.java:109)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:230)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:105)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:105)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:105)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2463)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2452)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)


Could you please create an issue in JIRA under the RA project (possibly it needs to be fixed in the uiframework module, but I’m not sure)? Thanks!

While playing with the application I found that a user with low privileges is also able to view pages which only a high privilege user should be able to view.

Steps to recreate the issue:

  1. Login as a system admin user -> Navigate to administration page -> Logout
  2. Login as a low privilege user (nurse/clerk) -> User redirected to administration page

The above scenario clearly explains that a low privilege user is allowed to view administration page which can never ever be allowed.

I think Parth is right, privilege checks in the new UI are not widely used on pages as they were in the old UI, and that needs to be fixed.

There are a couple of different issues here:

  1. The doctor, nurse, clerk, etc users that are created as part of the demo data are given very high API privileges (more than really should be the case in real life). This would be tedious but straightforward to fix…

  2. More of our UI screens in the reference application should do explicit privilege checks, instead of. (This is what Wyclif is getting at.) It will be very quick to add a few high value privilege checks.

Probably fixing either of these would address the specific issue Parth mentions. I’d say the second is worth spending some time on. There is a lot of low hanging fruit here.

Parth or Wyclif, can one of you create an RA ticket for this?
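To make the two problems in this thread concrete (the saved return-to page that outlives a logout, from the first post, and pages that rely on the UI rather than on an explicit server-side privilege check, from the post above), here is a small Python model added for illustration. It is not OpenMRS or uiframework code: the session store, the user names, the privilege string and the page paths are all constructed for the example. The `hardened` flag switches between the behaviour described in the thread and a version that invalidates the session on logout and has each page enforce its own privilege.

```python
"""Toy model of post-login redirection and page-level privilege checks.

Constructed example, not OpenMRS code. It reproduces the shared-browser
scenario from the thread: an admin visits the administration page and logs
out, then a nurse logs in on the same browser.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed demo data; the privilege name and paths are hypothetical.
USER_PRIVILEGES = {
    "admin": {"Manage Administration"},
    "nurse": set(),
}
PAGE_PRIVILEGE = {
    "/openmrs/admin/index.htm": "Manage Administration",
    "/openmrs/home.page": None,          # any authenticated user may view
}
LOGIN = "/openmrs/login.htm"
HOME = "/openmrs/home.page"
RETURN_TO = "return_to"                  # session attribute holding the saved target


@dataclass
class Session:
    user: Optional[str] = None
    attrs: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None       # Location header for a 302


def has_privilege(user: str, path: str) -> bool:
    needed = PAGE_PRIVILEGE[path]
    return needed is None or needed in USER_PRIVILEGES[user]


def view(session: Session, path: str, hardened: bool) -> Response:
    """Serve a page. An unauthenticated request is sent to the login page
    with the requested path remembered (the 'session expired' case)."""
    if session.user is None:
        session.attrs[RETURN_TO] = path
        return Response(302, LOGIN)
    if hardened and not has_privilege(session.user, path):
        # The page refuses on its own; it does not trust the UI to hide links.
        return Response(403)
    # Remember the current page so a later login returns here
    # (the 'logged off from this page' case).
    session.attrs[RETURN_TO] = path
    return Response(200)


def login(session: Session, user: str, hardened: bool) -> Response:
    session.user = user
    target = session.attrs.pop(RETURN_TO, HOME)
    if hardened and not has_privilege(user, target):
        # A saved target the new user may not view is dropped, not replayed.
        target = HOME
    return Response(302, target)


def logout(session: Session, hardened: bool) -> Session:
    """Legacy behaviour clears only the user, so RETURN_TO survives for the
    next login on this browser. Hardened behaviour discards the session."""
    if hardened:
        return Session()
    session.user = None
    return session


def shared_browser_scenario(hardened: bool) -> Tuple[str, int]:
    """Returns (nurse's post-login redirect target,
                status the nurse gets when opening the admin page directly)."""
    s = Session()
    assert view(s, "/openmrs/admin/index.htm", hardened).status == 302  # not logged in
    assert login(s, "admin", hardened).location == "/openmrs/admin/index.htm"
    assert view(s, "/openmrs/admin/index.htm", hardened).status == 200
    s = logout(s, hardened)
    redirect = login(s, "nurse", hardened).location
    admin_status = view(s, "/openmrs/admin/index.htm", hardened).status
    return redirect, admin_status


if __name__ == "__main__":
    print("legacy  :", shared_browser_scenario(False))   # admin page replayed, 200
    print("hardened:", shared_browser_scenario(True))    # home page, 403
```

The two fixes are independent and both are worth having: clearing the session on logout stops the previous user's return-to target from being replayed, and the per-page check means that even if a stale or hand-typed URL reaches the administration page, the server answers 403 instead of rendering it for a user who lacks the privilege.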

I just created: https://issues.openmrs.org/browse/RA-975

I am having this same problem. Is there a quick fix for this? The ticket is not yet ready for work. Can anyone please point me to possible places in the code to look at to fix this? :smile:

I’ve posted a quick fix on: https://issues.openmrs.org/browse/RA-975
