Access to add and change pages is restricted. See:

From User Mailing list

I see the externalLoginKey but the log shows
Could not find userLogin for external login key: EL339616443508

You may be describing a well known issue, and one that is part of the way the externalLoginKey works (so it is not likely to change). The externalLoginKey allows you to automatically login to another webapp without a username/password. In order to do this a new login key is generated with EVERY request to the server in order to keep it's life cycle pretty short. As long as it is on a secure/https page when it goes to the browser it is pretty safe, but it generally comes back to the server in a URL and so needs to be invalidated immediately so that it cannot be used again, as that is pretty easy to snoop.

So, to make it not work is easy: just have a page open in your browser that has a stale externalLoginKey in its URLS.

1. load a page where you are authenticated in tab/window A
2. right click on a link within the webapp and open it in tab/window B
3. go back to tab/window A and click on any link that goes to a webapp that you are not already logged into and that has an externalLoginKey parameter

The externalLoginKey will be stale, so that auto-login will fail and you will be presented with the login form.


  • No labels