
[QE](6.2.z)REST API roles restrictions do not work on WebSphere and WebLogic


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Fix Version: 6.2.1
    • Affects Version: 6.2.0
    • Component: Business Central
    • Labels: None

      +++ This bug was initially created as a clone of Bug #1283109 +++

      Description of problem:
      When you try to execute some commands through the REST API with a user without any REST-specific role, you will get a SUCCESS response on WebSphere and WebLogic.

      Version-Release number of selected component (if applicable):
      6.2.0 ER5

      Steps to Reproduce:
      1. Set up BPMS on WebSphere or WebLogic
      2. Create a user without any REST role
      3. Try to execute some command with this user

      Actual results:
      No exception and SUCCESS response.

      Expected results:
      An exception should be thrown.

      Additional info:
      We have it covered by these tests:
      https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/blob/master/test-jbpm-integration/src/test/java/org/jboss/qa/bpms/jbpm/integration/security/RestApiRoleAccessTest.java

      All the *AccessDenied tests pass on EAP and EWS but fail on WebSphere and WebLogic.

      — Additional comment from Tomas Livora on 2015-11-18 04:55 EST —

      See that there is, for example, an attempt to claim the task by a user that should not be allowed to use the REST API.

      — Additional comment from Tomas Livora on 2015-11-18 05:33 EST —

      The behaviour slightly differs on WebSphere. The following exception is thrown on the client side:

      org.jboss.resteasy.client.ClientResponseFailure: RESTEASY001380: Input stream was empty, there is no entity

      Note that all these tests use REST directly (without RemoteRuntimeEngine).

      — Additional comment from Marco Rietveld on 2015-11-24 09:17:53 EST —

      Maybe this is necessary?

      https://github.com/droolsjbpm/kie-wb-distributions/commit/e5bfecc2#diff-8f59b4c5bda82084ad873bbc8be03756L9

      — Additional comment from Maciej Swiderski on 2015-11-25 08:22:32 EST —

      WAS does work as expected based on my tests; still struggling with QE tests to run reliably locally, but it might be the same issue with cached credentials on HttpURLConnection as described here:
      https://bugzilla.redhat.com/show_bug.cgi?id=1280313#c15

      There are additional fixes required for WebLogic; pull requests created:
      6.3.x:
      https://github.com/droolsjbpm/kie-wb-distributions/pull/151
      master:
      https://github.com/droolsjbpm/kie-wb-distributions/pull/152

      — Additional comment from Kris Verlaenen on 2015-11-25 10:08:32 EST —

      Decided to postpone this to 6.2.1, so should not be merged to 6.3.x at this point, only once we start merging 6.2.1 issues.

      — Additional comment from Maciej Swiderski on 2015-12-01 13:52:19 EST —

      Fixed on master.

      kie-wb-distributions
      master:
      https://github.com/droolsjbpm/kie-wb-distributions/commit/e42d4733c67c3e1af7cdd8f04794a3272d94dffe

      In case it should be backported, please assign it back to me.
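As an added regression check for the steps to reproduce above (not code from the issue, the QE test suite or the project), the script below posts a task claim as a user that has no REST role and classifies the reply, treating the empty-entity reply mentioned in the WebSphere comment as neither a success nor a proper denial. The base URL, task id and password are placeholders; the /rest/task/{id}/claim path, the JSON "status" field and the 401/403 denial statuses are assumptions about the 6.x remote REST API.

```python
import base64
import json
import urllib.error
import urllib.request

DENIED_STATUSES = {401, 403}  # assumption: what a proper role denial looks like


def classify(status, body):
    """Classify a REST response as 'denied', 'allowed' or 'unexpected'.

    'allowed' is the reported bug: a 2xx carrying a SUCCESS response for a user
    with no REST role. An empty 2xx body (what the WebSphere client reported as
    RESTEASY001380) is 'unexpected': not a success, but not a real denial either.
    The 'status' field name is an assumption about the JSON response format.
    """
    if status in DENIED_STATUSES:
        return "denied"
    if 200 <= status < 300:
        if not body:
            return "unexpected"
        try:
            doc = json.loads(body)
        except ValueError:
            return "unexpected"
        if isinstance(doc, dict) and doc.get("status") == "SUCCESS":
            return "allowed"
    return "unexpected"


def probe(base_url, task_id, user, password, opener=urllib.request.urlopen):
    """POST a task claim as `user` with HTTP Basic auth; return (status, body).

    `opener` is injectable so the check can be exercised offline; the path
    /rest/task/{id}/claim is an assumption about the remote REST API.
    """
    req = urllib.request.Request(
        f"{base_url}/rest/task/{task_id}/claim", data=b"", method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    try:
        with opener(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 401/403 arrive here with urlopen
        return err.code, err.read()


def check_access_denied(base_url, task_id, user, password, opener=urllib.request.urlopen):
    """True only when the server properly denies the user without a REST role."""
    status, body = probe(base_url, task_id, user, password, opener)
    return classify(status, body) == "denied"
```

Run it against each container with a user that has no rest-* role; a False result reproduces the bug described in this issue.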

              Assignee: Maciej Swiderski (Inactive)
              Reporter: Alessandro Lazarotti
              Lukáš Petrovický (Inactive)
              Alessandro Lazarotti, Kris Verlaenen, Lukáš Petrovický (Inactive), Maciej Swiderski (Inactive), Radovan Synek (Inactive), Rajesh Rajasekaran, Tomáš Livora (Inactive)