JBPM-10039

Incorrect groups are returned when "org.kie.server.bypass.auth.user" is set and JAASUserGroupCallbackImpl is used

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Version: 7.68.0.Final
      Steps to Reproduce:
      • Enable `org.kie.server.bypass.auth.user`
      • Assign a groupId to a task
      • Try to fetch that particular task by calling potOwner, passing a userId that belongs to the groupId.

      Make sure the authenticated user is different from the userId passed in the call to kie-server and does not belong to the groupId assigned to the task.

      An integration test can be found here, though make sure the UserGroupCallback implementation used is `JAASUserGroupCallbackImpl`.

      Incorrect groups for the user passed as parameter are returned from the `getGroupsForUser` method of the `JAASUserGroupCallbackImpl` implementation class [1].

      This causes issues when the bypass property `org.kie.server.bypass.auth.user` is enabled and we try to fetch tasks assigned to a particular user/group (getTasksAsPotentialOwner, getTasksAssignedAsBusinessAdministrator, getCaseTasksAssignedAsStakeholder, etc.), because we get only the groups of the authenticated user instead of the groups of the userId passed as parameter.

      For instance, when bypass is enabled and we try to fetch the tasks assigned as potential owner for a task assigned to a group, with JAASUserGroupCallbackImpl:

      • It retrieves the groupIds belonging to a user by calling the `getCallbackUserRoles` method [2]
      • `getCallbackUserRoles` invokes the `getGroupsForUser` method of the `JAASUserGroupCallbackImpl` class [3].
      • The groups fetched are those of the authenticated user and not those of the userId passed as argument.

      [1] https://github.com/kiegroup/jbpm/blob/main/jbpm-human-task/jbpm-human-task-core/src/main/java/org/jbpm/services/task/identity/JAASUserGroupCallbackImpl.java#L111

      [2] https://github.com/kiegroup/jbpm/blob/main/jbpm-case-mgmt/jbpm-case-mgmt-impl/src/main/java/org/jbpm/casemgmt/impl/CaseRuntimeDataServiceImpl.java#L641

      [3] https://github.com/kiegroup/jbpm/blob/main/jbpm-human-task/jbpm-human-task-core/src/main/java/org/jbpm/services/task/identity/JAASUserGroupCallbackImpl.java#L111
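      The lookup chain described above, as an added example that is not jBPM's own code: a minimal stand-in for the `UserGroupCallback` interface with a caller-bound implementation (the behaviour this report attributes to `JAASUserGroupCallbackImpl`, with the container's Subject/roles lookup replaced by a thread-local) next to a userId-bound one, and a simplified potential-owner check run under `org.kie.server.bypass.auth.user` for the situation in the reproduction steps. The class and method names, the thread-local security context, the user/group store and the probe helper are all assumptions made for this example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class BypassGroupLookupExample {

    // Stand-in for org.kie.api.task.UserGroupCallback (assumed shape; not jBPM's code).
    interface UserGroupCallback {
        boolean existsUser(String userId);
        boolean existsGroup(String groupId);
        List<String> getGroupsForUser(String userId);
    }

    // Stand-in for the container security context that a JAAS/JACC based callback
    // reads the caller's Subject and roles from. Assumption: one caller per thread.
    static final ThreadLocal<String> AUTHENTICATED_USER = new ThreadLocal<>();

    // Constructed user/group store shared by both callbacks below.
    static final Map<String, List<String>> USER_GROUPS = new HashMap<>();
    static {
        USER_GROUPS.put("john", List.of("HR"));
        USER_GROUPS.put("mary", List.of("PM", "Reviewers"));
    }

    static boolean groupExists(String groupId) {
        return USER_GROUPS.values().stream().anyMatch(groups -> groups.contains(groupId));
    }

    // Reproduces the reported behaviour: the userId argument is ignored and the
    // roles of the *authenticated* caller are returned instead.
    static class CallerRolesCallback implements UserGroupCallback {
        public boolean existsUser(String userId) { return USER_GROUPS.containsKey(userId); }
        public boolean existsGroup(String groupId) { return groupExists(groupId); }
        public List<String> getGroupsForUser(String userId) {
            String caller = AUTHENTICATED_USER.get();   // userId is never consulted
            return USER_GROUPS.getOrDefault(caller, Collections.emptyList());
        }
    }

    // Behaviour bypass relies on: resolve the groups of the userId that was asked for.
    static class UserIdCallback implements UserGroupCallback {
        public boolean existsUser(String userId) { return USER_GROUPS.containsKey(userId); }
        public boolean existsGroup(String groupId) { return groupExists(groupId); }
        public List<String> getGroupsForUser(String userId) {
            return USER_GROUPS.getOrDefault(userId, Collections.emptyList());
        }
    }

    // Simplified potential-owner query: with bypass enabled, kie-server evaluates it
    // for the userId carried in the request, not for the caller, so a task assigned to
    // taskGroup should be visible exactly when that userId is a member of taskGroup.
    static boolean visibleAsPotentialOwner(UserGroupCallback cb, String caller,
                                           String requestedUserId, String taskGroup) {
        AUTHENTICATED_USER.set(caller);
        try {
            return cb.getGroupsForUser(requestedUserId).contains(taskGroup);
        } finally {
            AUTHENTICATED_USER.remove();
        }
    }

    // Probe to run against a callback before enabling bypass: ask for two users with
    // different memberships under the same caller; a caller-bound callback answers the same.
    static boolean ignoresUserId(UserGroupCallback cb, String caller, String userA, String userB) {
        AUTHENTICATED_USER.set(caller);
        try {
            return cb.getGroupsForUser(userA).equals(cb.getGroupsForUser(userB));
        } finally {
            AUTHENTICATED_USER.remove();
        }
    }

    public static void main(String[] args) {
        // Same setup as the reproduction steps: caller "john" is not in "PM", the task
        // is assigned to group "PM", and the bypassed request asks for "mary".
        String caller = "john", requested = "mary", taskGroup = "PM";

        UserGroupCallback callerBound = new CallerRolesCallback();
        UserGroupCallback userIdBound = new UserIdCallback();

        System.out.println("caller-bound callback, task visible to mary: "
                + visibleAsPotentialOwner(callerBound, caller, requested, taskGroup));
        System.out.println("userId-bound callback, task visible to mary: "
                + visibleAsPotentialOwner(userIdBound, caller, requested, taskGroup));
        System.out.println("callback ignores userId (caller-bound / userId-bound): "
                + ignoresUserId(callerBound, caller, "john", "mary") + " / "
                + ignoresUserId(userIdBound, caller, "john", "mary"));
    }
}
```

      Running `main` shows the mismatch the report describes: with the caller-bound callback the lookup for `mary` returns `john`'s groups, so the task assigned to `PM` is not reported as visible to her even though she is a member, while the userId-bound callback reports it correctly. The `ignoresUserId` probe is a cheap way to confirm, for whatever `UserGroupCallback` a deployment actually uses, that the argument is honoured before relying on `org.kie.server.bypass.auth.user`.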

              rhn-support-egonzale Enrique Gonzalez Martinez (Inactive)