jBPM: JBPM-9489

PAM Authorisation Issue - REST Endpoints accessible to all logged in users - even those without the correct roles


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 7.48.0.Final
    • 7.46.0.Final
    • Console

      1) add new user "test" to RHPAM

      2) ensure user "test" is assigned no roles

      ~~~~~~~~
      [abc@abc bin]$ cat /home/anijhawa/NotBackedUp/BPM/RHPAM7.8.1/jboss-eap-7.3/standalone/configuration/application-roles.properties
      test=abc
      ~~~~~~~~

      3) attempt to curl the PAM controller REST endpoint, using new "test" user with BASIC AUTH:

      ~~~~~~~~
      $ curl -u 'test:test' http://localhost:8080/business-central/rest/controller/management/servers/default-kieserver/containers/
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <container-spec-list>
      ...(snip)...
      </container-spec-list>
      ~~~~~~~~

      > EXPECTED RESULT: the curl should fail with a 403 or similar, indicating that it is unauthorised to access the REST endpoint

      > ACTUAL RESULT: the list of all process containers is returned - the user is authorised to access something that they should not

    • 2020 Week 46-48 (from Nov 9), 2020 Week 49-51 (from Nov 30), 2020 Week 52-03 (from Dec 21)

       REST Endpoints accessible to all logged in users - even those without the correct roles.


      We can limit access to specific roles by adding a security-constraint to web.xml that covers the endpoints you want to protect.

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>REST web resources</web-resource-name>
           <url-pattern>/rest/controller/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>PUT</http-method>
           <http-method>POST</http-method>
           <http-method>DELETE</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>rest-all</role-name>
           <role-name>user</role-name>
         </auth-constraint>
       </security-constraint>
      
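As an added check that is not part of the JBPM-9489 report or of jBPM itself: the Python below models how a servlet container evaluates the `<security-constraint>` above (url-pattern matching, the listed http-methods, the auth-constraint roles and the spec's rules for combining several matching constraints), so the workaround can be exercised offline against the role-less "test" user from the reproduction steps. The request path is the one from the curl above; the role lists and the `WEB_XML` wrapper are constructed for the example, and the model deliberately omits the special `*` role and transport guarantees.

```python
"""Offline model of servlet <security-constraint> evaluation (added example, not jBPM code)."""
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed: the workaround's constraint wrapped in a minimal <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/rest/controller/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>rest-all</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Path from the curl in the reproduction steps (servlet path, without the /business-central context root).
PATH = "/rest/controller/management/servers/default-kieserver/containers/"

Constraint = namedtuple("Constraint", "patterns methods roles has_auth_constraint")


def parse_constraints(xml_text):
    """Read every <security-constraint> from a web.xml document into Constraint tuples."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        roles = [] if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        constraints.append(Constraint(patterns, methods, roles, ac is not None))
    return constraints


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: default (/), path prefix (/x/*), extension (*.ext), exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_permitted(constraints, path, method, user_roles):
    """Decide whether the container would let the request reach the endpoint.

    A constraint applies when one of its patterns matches the path and the method is
    listed (or no methods are listed at all). Among applicable constraints: none at all
    means the container performs no check; one without an <auth-constraint> leaves the
    resource open; an empty <auth-constraint/> denies everyone; otherwise the user needs
    at least one role from the union of the named roles.
    """
    method = method.upper()
    applicable = [c for c in constraints
                  if any(pattern_matches(p, path) for p in c.patterns)
                  and (not c.methods or method in c.methods)]
    if not applicable:
        return True  # uncovered path or method: no constraint, request goes through
    if any(not c.has_auth_constraint for c in applicable):
        return True
    allowed_roles = set()
    for c in applicable:
        if not c.roles:
            return False  # empty auth-constraint precludes access
        allowed_roles |= set(c.roles)
    return bool(allowed_roles & set(user_roles))


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for roles in ([], ["rest-all"], ["user"], ["some-other-role"]):
        print(f"GET as roles={roles}: permitted={is_permitted(cs, PATH, 'GET', roles)}")
    print(f"PATCH with no roles: permitted={is_permitted(cs, PATH, 'PATCH', [])}")
```

Running it shows that, with the workaround in place, the role-less "test" user is refused on GET/PUT/POST/DELETE while a user holding rest-all or user is admitted. It also shows a caveat of listing `<http-method>` elements: the constraint applies only to those methods, so a method not named there is uncovered and passes the container check. Omitting the `<http-method>` elements makes the constraint apply to every method; on Servlet 3.1 or later containers (EAP 7 included) `<deny-uncovered-http-methods/>` in web.xml closes the same gap.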


      I already shared the steps in Steps to Reproduce.


              xiabai@redhat.com Xiaofeng Bai
              Barbora Kapustova