Partial login to admin console without password

I’m seeing something strange (possible bug), and was wondering if anyone else can replicate or knows how to fix this. This happens on my dev server (Linux) and production server (Solaris), and with both Firefox and IE. Using Openfire 3.6.4, using Clearspace Integration with Jive SBS 4.5.3.

The problem is when I try to log in to the Openfire Admin Console. If I use the correct username of an admin user, but an incorrect password, the following happens:

  1. 1st login attempt, I get the following error message and am returned to the login page: “Clearspace unreachable: make sure Clearspace is up and running or click the login button again to change Openfire configuration.”

  2. I leave the same username, can change the password as long as I’m still using an incorrect password, and the login appears to succeed. However, it brings me to the clearspace integration/connection settings page with an error message “Openfire is not able to connect to that URI. Use the test button for more information.” The URI and shared secret fields are filled in, although the latter is labeled “Shared Secret null” and the text is not visible since it’s a password field.

  3. Optional: Without changing any of the settings, I click “Test Settings”, and the site shows me the message that says it works, and I should click continue.

  4. I click “Save & Continue”. I am brought back to the login page. If I changed the settings on the previous page, they don’t appear to stick.

I can repeat these steps over and over if I want to.

Probably not too harmful, but it makes me very uncomfortable security-wise.

Maybe you should report this to Jive SBS team? Personally I don’t use SBS, so I can’t test this and I haven’t seen partial login with just Openfire.

I have reported it to them too. I wasn’t sure if this was an SBS issue or an Openfire issue. Thanks for trying it out even though it was just with Openfire.

The SBS team’s answer is that this is not a problem because the user is not actually logged in, so they can’t get to any other functionality or change any settings.