Anonymous user visits, or is redirected to, Login page

1. User Login failure cancel Anonymous user visits, or is redirected to, Login page LoginPage:User submits username / password Spring Security checks against either Embedded user store or LDAP (configured) User has Bugle profile? NewProfilePage:User submits displayName and email to create new profile success, LDAP login no success, embedded failure yes success Bugle profile was previously created Store Bugle profile as security principal in session. Update last login date. User redirected to page he was trying to view, or default landing page.

2. User Create Account (Embedded User Store only) failure LoginPage: Anonymous user clicks “New Account” NewAccountPage: User provides username and email for active profile Profile saved. App sends link to email for final verification User redirected to LoginPage with “email sent” message success cancel failure Anonymous user receives email and follows the verification link Is link valid? NewEmbeddedUserPage: User sets new password Password encrypted and saved User redirected to LoginPage with “verify success” message yes success no cancel Unverified profiles occasionally deleted User redirected to LoginPage with “could not verify” message periodic

3. User Change Password (Embedded User Store only) cancel Password encrypted and saved User redirected to ViewProfilePage with “changed” status message Any Page: Logged-In user clicks on their name in the header ViewProfilePage: Page displays summary profile of user’s Bugle profile. User clicks ChangePassword ChangePasswordPage: User sets current, new, and confirm password success back failure

4. User Reset Password (Embedded User Store only) failure LoginPage: Anonymous user clicks “Password Reset” PasswordReset Page: User provides username for active profile App creates token for reset action and sends link with token to email associated with that username User redirected to LoginPage with “email sent” message success cancel failure Anonymous user receives email and follows the token-based link Is link valid? PasswordChangePage: User changes password without knowledge of current one Password encrypted and saved User redirected to LoginPage with “password reset” message yes success no cancel User redirected to LoginPage with “password not reset” message

5. User Edit Profile cancel Any Page: Logged-In user clicks on their name in the header ViewProfilePage: Page displays summary profile of user’s Bugle profile. User clicks Edit EditProfilePage: User changes display name, email, etc. User redirected to ViewProfile Page with “saved” status message success back failure