Uploaded image for project: 'JBoss BPMS Platform'
  1. JBoss BPMS Platform
  2. RHBPMS-397

[GSS](6.3.z) Restrict insecure Remote task operations (not only limited to GetTask* commands)

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 6.3.3
    • 6.2.0
    • Business Central
    • None

      Update

      Going by the stack trace shown in Gary's comment below, the issue is not related to task retrieval via group ids.

      The stack trace below shows that the `ClaimTaskCommand` does not succeed because the user id does not have the rights to do that.
      Based on other information in the bug, it seems that the client is trying to claim a task using another user ("A") than the REST client user ("B"), but that the REST client prevents this.

      The fix here is to change the security check on both the client and server side so that the operations can be submitted using a different user id than the user id used by the REST client to log in to the Workbench.

      Original bug

      +++ This bug was initially created as a clone of Bug #1330200 +++

      Description of problem:

      I am trying to with below API's to list the HumanTask assigned to group through Remote REST API's but it fails with exception:

      ~~~
      Unable to execute GetTaskAssignedAsPotentialOwnerCommand/0: org.kie.remote.services.rest.exception.KieRemoteRestOperationException: Organizational entity already exists with [UserImpl:'HR'] id, please check that there is no group and user with same id
      ~~~

      Code:
      =====================
      RuntimeEngine engine = RemoteRuntimeEngineFactory.newRestBuilder()
      .addUrl(url).addUserName(userName).addPassword(passWord)
      .addDeploymentId(deploymentId).build();

      KieSession ksession = engine.getKieSession();
      TaskService taskService = engine.getTaskService();

      ProcessInstance processInstance = ksession.startProcess("project1.TestProcess");
      tasklist = taskService.getTasksAssignedAsPotentialOwner("HR","en-UK");

      =====================

      Version-Release number of selected component (if applicable):
      BPMS 6.2.2

      How reproducible:

      Steps to Reproduce:
      1. Start server(BPMS 6.2.2) with -Dorg.kie.task.insecure=true and deploy attached kajr.
      2. Apply one-off patch attached to BZ-1325945 and use -Dorg.kie.task.insecure=true option in client side and server side.
      3. Try to list task using Remote REST API

      Actual results:
      Not able to list User Task assigned to group through Remote REST API

      Expected results:
      User should be able to list task assigned to group through Remote REST API

      Additional info:

      — Additional comment from JBoss Product and Program Management on 2016-04-25 11:30:08 EDT —

      Since this issue was entered in Red Hat Bugzilla, the release flag has been
      set to ? to ensure that it is properly evaluated for this release.

      — Additional comment from William Antônio on 2016-04-28 00:09 EDT —

      An workaround for this bug.

      — Additional comment from William Antônio on 2016-04-28 00:10:08 EDT —

      I made a few tests and I found that this is indeed a bug, but not a bug with the client side patch, but with the task.insecure parameter implementation and with the core of the remote rest client API itself. The client patch only exposed this bug by allowing us to send requests to retrieve potential owners for a group, before it it was not allowed.

      The good news is that I have a work around! The client java API will always send a command to the server, the command used to get tasks by owner is the GetTaskAssignedAsPotentialOwnerCommand. The issue is that it uses the user id to set the potential owner when we should be using the target entity id. So the following should work to retrieve the tasks for a group (see the attached test class)

              swiderski.maciej Maciej Swiderski (Inactive)
              rhn-support-wsiqueir William Siqueira
              Tomáš Livora Tomáš Livora (Inactive)
              Tomáš Livora Tomáš Livora (Inactive)
              Abhijit Humbe, Lukáš Petrovický (Inactive), Marco Rietveld (Inactive), William Siqueira
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: