- Bug
- Resolution: Done
- Major
- 6.4, 7.0, 7.1
- None
- 2018 Week 42-44, 2018 Week 45-47
In the Administration and Configuration Guide for BPM Suite 6.4, in section "12.1. BUSINESS CENTRAL AUTHENTICATION THROUGH RH-SSO", sub-section "12.1.4. Securing Business Central Remote Service Using RH-SSO", there is a web.xml fragment about declaring roles that does not declare all of the roles. This is what we find in the documentation currently:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>remote-services</web-resource-name>
    <url-pattern>/rest/*</url-pattern>
    <url-pattern>/maven2/*</url-pattern>
    <url-pattern>/ws/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>rest-all</role-name>
  </auth-constraint>
</security-constraint>
If users want to use role-based permissions with the REST API, all roles must be declared; otherwise access for the other roles will always result in a 403. Here is an example:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>remote-services</web-resource-name>
    <url-pattern>/rest/*</url-pattern>
    <url-pattern>/maven2/*</url-pattern>
    <url-pattern>/ws/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>rest-all</role-name>
    <role-name>rest-project</role-name>
    <role-name>rest-deployment</role-name>
    <role-name>rest-process</role-name>
    <role-name>rest-process-read-only</role-name>
    <role-name>rest-task</role-name>
    <role-name>rest-task-read-only</role-name>
    <role-name>rest-query</role-name>
    <role-name>rest-client</role-name>
  </auth-constraint>
</security-constraint>
This should be used by users who want to control access to the REST endpoints using roles (RBAC).
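As an added check for this ticket (example code, not from the BPM Suite documentation or product), the script below parses a web.xml and evaluates its <security-constraint> the way a servlet container does, so the 403 described above can be reproduced offline: with only rest-all listed, a user holding any other rest-* role is refused on /rest/*, /maven2/* and /ws/*; with the corrected list, every role is admitted. The two web.xml inputs are constructed from the ticket's snippets wrapped in a minimal <web-app> root; the role set, the URL matching and the role-combination rule are simplified assumptions of this example.

```python
"""Evaluate a web.xml <security-constraint> the way a servlet container does,
to show why roles left out of <auth-constraint> get HTTP 403 on /rest/*.

Added example for this ticket; not code from the BPM Suite documentation or
product. The two web.xml fragments are constructed from the ticket's snippets,
wrapped in a minimal <web-app> root so they parse stand-alone.
"""
import xml.etree.ElementTree as ET

# Full role set listed in the corrected snippet of the ticket (assumed complete here).
EXPECTED_REST_ROLES = frozenset({
    "rest-all", "rest-project", "rest-deployment", "rest-process",
    "rest-process-read-only", "rest-task", "rest-task-read-only",
    "rest-query", "rest-client",
})


def _web_app(role_names):
    """Build a minimal web.xml (constructed) with the ticket's URL patterns
    and the given <role-name> entries."""
    roles = "".join(f"<role-name>{r}</role-name>" for r in role_names)
    return f"""<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>remote-services</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <url-pattern>/maven2/*</url-pattern>
      <url-pattern>/ws/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>{roles}</auth-constraint>
  </security-constraint>
</web-app>"""


DOCUMENTED_WEB_XML = _web_app(["rest-all"])               # as printed in the guide
CORRECTED_WEB_XML = _web_app(sorted(EXPECTED_REST_ROLES))  # as proposed in the ticket


def _local(tag):
    """Drop an XML namespace ({uri}name -> name) so namespaced web.xml files parse too."""
    return tag.rsplit("}", 1)[-1]


def parse_constraints(web_xml_text):
    """Return [(url_patterns, role_names, has_auth_constraint)] per <security-constraint>."""
    root = ET.fromstring(web_xml_text)
    result = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, roles, has_auth = [], [], False
        for el in sc.iter():
            name = _local(el.tag)
            if name == "url-pattern":
                patterns.append((el.text or "").strip())
            elif name == "role-name":
                roles.append((el.text or "").strip())
            elif name == "auth-constraint":
                has_auth = True
        result.append((patterns, roles, has_auth))
    return result


def pattern_matches(pattern, path):
    """Servlet URL matching: exact path, '/prefix/*' path prefix, or '*.ext' extension."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def access_decision(web_xml_text, path, user_roles):
    """'ALLOW' or 'FORBIDDEN' (HTTP 403) for an authenticated user holding user_roles.
    Simplified container rule: a matching constraint without <auth-constraint> leaves
    the resource open; otherwise the user needs at least one role from the union of the
    listed <role-name>s ('*' admits any role, an empty list admits nobody)."""
    matched = [c for c in parse_constraints(web_xml_text)
               if any(pattern_matches(p, path) for p in c[0])]
    if not matched or any(not has_auth for _, _, has_auth in matched):
        return "ALLOW"
    allowed = set().union(*(roles for _, roles, _ in matched))
    if "*" in allowed or allowed & set(user_roles):
        return "ALLOW"
    return "FORBIDDEN"


def roles_getting_403(web_xml_text, path="/rest/server", expected=EXPECTED_REST_ROLES):
    """Audit helper: which of the expected roles would be refused on `path`."""
    return sorted(r for r in expected
                  if access_decision(web_xml_text, path, {r}) == "FORBIDDEN")


if __name__ == "__main__":
    print("documented web.xml, 403 for:", roles_getting_403(DOCUMENTED_WEB_XML))
    print("corrected web.xml, 403 for:", roles_getting_403(CORRECTED_WEB_XML))
```

Run against a real deployment's web.xml by passing the file contents to roles_getting_403; the namespace stripping in _local keeps the parser working on the namespaced web.xml files that containers ship, and any role that still appears in the output is one that will be answered with 403 on the remote services.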