Red Hat Process Automation Manager: RHPAM-2618

A non-potential owner can perform task operations if org.kie.server.bypass.auth.user is set to true.


Details

    • Bug
    • Resolution: Not a Bug
    • Major
    • None
    • 7.5.1.GA
    • jBPM Core

      I have tested this scenario with database authentication. Please find below the steps to reproduce the issue.

      1) Create custom tables to store user data:

      • You need to create custom tables which will store the user details, such as passwords and roles/groups.
      • Please find below the sample create table queries which I have used.
        ~~~~~~~~~~~
        create table USERS (username varchar(20), password varchar(20));
        create table ROLES (username varchar(20), user_role varchar(20));
        ~~~~~~~~~~~

      2) Create a custom security domain:

      • You need to create a custom security domain which fetches the user details from the database.
      • Please add the below custom security domain to your standalone*.xml file.
        ~~~~~~~~~~~~
        <security-domain name="testDB">
          <authentication>
            <login-module code="Database" flag="required">
              <module-option name="dsJndiName" value="java:/MySqlDS"/>
              <module-option name="principalsQuery" value="select password from USERS where username=?"/>
              <module-option name="rolesQuery" value="select user_role, 'Roles' from ROLES where username=?"/>
            </login-module>
            <login-module name="KieLoginModule" code="org.kie.security.jaas.KieLoginModule" flag="optional" module="deployment.business-central.war"/>
          </authentication>
        </security-domain>
        ~~~~~~~~~~~~
      • Once you have added this security domain, add the security domain mapping to the jboss-web.xml file in both business-central.war and kie-server.war.
      • You can find the jboss-web.xml file at:
        /JBOSS_HOME/standalone/deployments/business-central.war/WEB-INF/jboss-web.xml and
        /JBOSS_HOME/standalone/deployments/kie-server.war/WEB-INF/jboss-web.xml.
      • Please refer to the below example for the above security domain.
        ~~~~~~~~~~~~
        <security-domain>testDB</security-domain>
        ~~~~~~~~~~~~
      • By default the value is "other". You need to change it to your custom security domain name. Please make sure you keep only one security domain configuration in the jboss-web.xml file.
      • Also add the username and password for the process server in standalone*.xml. This user should have the kie-server role assigned.
      • Add the below system properties to your standalone*.xml file.
        ~~~~~~~~~~~~
        <property name="org.kie.server.controller.user" value="testUser"/>
        <property name="org.kie.server.controller.pwd" value="admin@123"/>
        ~~~~~~~~~~~~
      • My testUser already has the admin and kie-server roles assigned.

      3) Add the JNDI and user-fetching details for the userGroupCallback:

      • This configuration is required because we are using custom authentication; it lets the server fetch the user details during task assignment.
      • You need to add the datasource JNDI name and the user query to /JBOSS_HOME/standalone/deployments/kie-server.war/WEB-INF/classes/jbpm.user.info.properties.
      • Add the below properties to the "jbpm.user.info.properties" file.
        ~~~~~~~~~~~
        db.ds.jndi.name=java:/MySqlDS
        db.group.mem.query=select user_role, 'Roles' from ROLES where username = ?
        ~~~~~~~~~~~
      • This JNDI value should be the same one you used in the custom security domain.

      4) Add the bypass user authentication and user group callback properties to standalone-full.xml:
      ~~~~~~~~~~~
      <property name="org.jbpm.ht.callback" value="DB"/>
      <property name="org.kie.server.bypass.auth.user" value="true"/>
      ~~~~~~~~~~~

      • Create a BPMN process with one user task that is assigned to the "sample" group.
      • Add user details for testUser and testUser1 in the USERS table.
      • Add roles in the ROLES table: testUser with admin, kie-server, rest-all and testUser1 with admin, kie-server, rest-all, sample.
      • Deploy the process and execute the below REST API calls to claim and complete the task.

      Test Case:
      ~~~~~~~~
      curl -X PUT -u 'testUser1:admin@123' "http://localhost:8080/kie-server/services/rest/server/containers/project1_1.0.2-SNAPSHOT/tasks/25/states/claimed?user=testUser" -H "accept: application/json"

      curl -X PUT -u 'testUser1:admin@123' "http://localhost:8080/kie-server/services/rest/server/containers/project1_1.0.2-SNAPSHOT/tasks/25/states/completed?user=testUser&auto-progress=true" -H "accept: application/json" -H "content-type: application/json"
      ~~~~~~~~

      • Here testUser is not a potential owner for task1 but can still claim and complete the task, because we have passed testUser1 for authentication. As the authenticated user is a potential owner for the task, the non-potential owner passed as the query parameter can perform operations on the task.
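      Added example (not part of this report or of RHPAM): a small audit script for the standalone*.xml system properties used above. It flags org.kie.server.bypass.auth.user=true, since with that flag the potential-owner check applies to the authenticated caller while the operation is performed as the ?user= principal, and it also catches the stray trailing space in the property name as typed in step 4. The XML sample is constructed; the property element layout follows the snippets in this report.

```python
import xml.etree.ElementTree as ET

BYPASS_PROP = "org.kie.server.bypass.auth.user"

# Constructed sample of the <system-properties> block from this report,
# including the stray trailing space in the property name as it was typed.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:10.0">
  <system-properties>
    <property name="org.jbpm.ht.callback" value="DB"/>
    <property name="org.kie.server.bypass.auth.user " value="true"/>
    <property name="org.kie.server.controller.user" value="testUser"/>
  </system-properties>
</server>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix ElementTree adds


def property_elements(root):
    """Yield every <property> element under a <system-properties> block."""
    for sp in root.iter():
        if _local(sp.tag) == "system-properties":
            for prop in sp:
                if _local(prop.tag) == "property":
                    yield prop


def audit(xml_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    for prop in property_elements(ET.fromstring(xml_text)):
        raw_name = prop.get("name", "")
        name, value = raw_name.strip(), prop.get("value", "").strip().lower()
        if name != BYPASS_PROP:
            continue
        if raw_name != name:
            findings.append(f"{BYPASS_PROP}: name carries stray whitespace and will not match the expected key")
        if value == "true":
            findings.append(f"{BYPASS_PROP}=true: a caller who is a potential owner can claim or "
                            "complete a task as the principal named in ?user=")
    return findings


def harden(xml_text):
    """Return the XML with the bypass flag forced to false and its name trimmed."""
    root = ET.fromstring(xml_text)
    for prop in property_elements(root):
        if prop.get("name", "").strip() == BYPASS_PROP:
            prop.set("name", BYPASS_PROP)
            prop.set("value", "false")
    return ET.tostring(root, encoding="unicode")
```

Running audit(SAMPLE_XML) yields two findings, and audit(harden(SAMPLE_XML)) yields none.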

    Description

      A non-potential owner can perform task operations if org.kie.server.bypass.auth.user is set to true.

          People

            swiderski.maciej Maciej Swiderski (Inactive)
            rhn-support-abchavan Abhijeet Chavan (Inactive)
            Marian Macik Marian Macik