Custom %CSP.Login for app /csp/sys

Question

Question

#Authentication #Security #InterSystems IRIS

Hi guys, I defined a subclass to %CSP.Login and assigned csp/sys login page to this subclass:

But did not work, I get this error:

And more, the default %CSP.Login continues to be called to login when the user not logged yet
So, how can I do to replace the default %CSP.Login by my subclass?

Product version: IRIS 2022.3

Discussion (8)3

Log in or sign up to continue

Alexander Koblov · Mar 18

Yuri, enable ISCLOG, reproduce the error, disable ISCLOG and then check if it has any errors, e.g. errors.

%SYS>kill ^%ISCLOG, ^ISCLOG
%SYS>set ^%ISCLOG = 3
//reproduce the error
%SYS>set ^%ISCLOG = 0
%SYS>zw ^ISCLOG

Afaik, with custom login pages user CSPSystem needs to have READ permissions on a database where custom login page class is located

0 0

Alexander Koblov · Mar 19

Check carefully. Note -- in ^%ISCLOG (with percent) you enable the log. Then you read ^ISCLOG (without percent) in %SYS namespace.
When I repeated steps that I suggested to you, I saw the following error in ^ISCLOG

/* ERROR #5002: ObjectScript error: <PROTECT>^%CSP.Login.1 ^|^^c:\intersystems\iris2023x1\mgr\|dc.CustomLogin.1 */

Then I enabled auditing of Protect events, reproduced the eror and got more details:

Description:  Attempt to access a protected resource
Timestamp:    2023-03-19 16:01:38.000   Username:     CSPSystem
UTCTimestamp: 2023-03-19 15:01:38.000   Pid:          10896
Event Source: %System                   JobId/JobNum: 131089/17
Event Type:   %Security                 Session ID:   eK95W6SMCS
Event:        Protect                   IPAddress:    127.0.0.1
System ID:    DEP5570AKOBLOV:IRIS2023X1 Executable:   CSPa24.dll
Namespace:    %SYS                      Index:        196
Roles:
User Info:                              O/S User:     CSP Gateway
Routine:      ^%CSP.Login.1 |"^^c:\intersystems\iris2023x1\mgr\irislib\"|
Authentication: Password
Event Data:
<PROTECT>^%CSP.Login.1 *^|^^c:\intersystems\iris2023x1\mgr\|dc.CustomLogin.1

Indeed, user CSPSystem does not have READ permission on irissys database, where custom login class is located. Rather I should have created a new role that has only READ permission on %DB_IRISSYS resource, not RW.

I added role %DB_IRISSYS to user CSPSystem, closed connections from Apache to IRIS, so that the role is added on new connection, then login page began to work

0 0

score 0 · Answer 1 · 2023-03-17T18:15:13-04:00

Does it work if you call your class with full reference? I mean not for Login?
NOT found is suspicious somehow

score 0 · Answer 2 · 2023-03-21T14:40:15-04:00

yurimarx Marx · Mar 21

The value into Login Page field is right, the problem was CSPSystem permission

0 0

score 0 · Answer 3 · 2023-03-19T09:26:14-04:00

yurimarx Marx · Mar 19

Nothing, log empty. Very difficult to set up custom login, I've given up, thanks

0 0

score 0 · Answer 4 · 2023-03-21T14:39:20-04:00

yurimarx Marx · Mar 21

Worked! Thanks!

0 0

score 1 · Answer 5 · 2023-03-20T09:34:37-04:00

To create a custom CSP login page:

Ensure that the Web Gateway user (CSPSystem) has permissions to read the database for where the custom login page is located. Assign the desired database resource to an appropriate role, and then assign that role to the CSPSystem user.

See:
https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

And...this is the demonstration that the feedback button in the documentation pages really does work!
I admit I ran into this problem sometime ago, after realizing the problem I felt the documentation had to mention that "detail"....so I pressed the feedback button and filed the request/advice.

Now that "detail" is the first step in the recipe of creating a custom login page.

Well done InterSystems Documentation team!

Now we only need to encourage people to actually read the documentation

Or search the community:
https://community.intersystems.com/post/custom-login-page-iris

Enrico

score 0 · Answer 6 · 2023-03-20T11:22:29-04:00

yurimarx Marx · Mar 20

I read this documentation and not detail how to fill the Login Page field

0 0