Red Hat Process Automation Manager: RHPAM-3284

PAM Authorisation Issue - REST Endpoints accessible to all logged in users - even those without the correct roles

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.8.0.GA
    • Fix Version/s: None
    • Component/s: Business Central
    • Labels: None
    • Steps to Reproduce:

      1) Add a new user "test" to RHPAM.

      2) Ensure user "test" is assigned no roles:

      ~~~~
      [abc@abc bin]$ cat /home/anijhawa/NotBackedUp/BPM/RHPAM7.8.1/jboss-eap-7.3/standalone/configuration/application-roles.properties
      test=abc
      ~~~~

      3) Attempt to curl the PAM controller REST endpoint as the new "test" user with BASIC AUTH:

      ~~~~
      $ curl -u 'test:test' http://localhost:8080/business-central/rest/controller/management/servers/default-kieserver/containers/
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <container-spec-list>
      ...(snip)...
      </container-spec-list>
      ~~~~

      > EXPECTED RESULT: the curl should fail with a 403 or similar, indicating that the user is not authorised to access the REST endpoint.

      > ACTUAL RESULT: the list of all process containers is returned; the user is authorised to access something they should not.

    • Sprint:
      2020 Week 46-48 (from Nov 9), 2020 Week 49-51 (from Nov 30)

      Description

      REST endpoints are accessible to all logged-in users, even those without the correct roles.

      Access can be limited to specific roles by adding a security-constraint to web.xml that covers the endpoints you want to protect:

      ~~~~
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>REST web resources</web-resource-name>
          <url-pattern>/rest/controller/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>PUT</http-method>
          <http-method>POST</http-method>
          <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>rest-all</role-name>
          <role-name>user</role-name>
        </auth-constraint>
      </security-constraint>
      ~~~~
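      Whether a descriptor like the one above actually covers the controller path can be checked mechanically. The helper below is an added example, not code from Red Hat or from this issue: it applies the servlet url-pattern rules to a request and returns the role-names that gate it, so a deployer can confirm that a path is no longer reachable by every authenticated user. The web.xml text inside it is a constructed copy of the fragment above.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the constraint from the issue, with the namespace a real web.xml carries.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST web resources</web-resource-name>
      <url-pattern>/rest/controller/*</url-pattern>
      <http-method>GET</http-method><http-method>PUT</http-method>
      <http-method>POST</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>rest-all</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def local(elem):  # tag name with the Java EE namespace stripped
    return elem.tag.split("}")[-1]

def children(elem, name):
    return [c for c in elem if local(c) == name]

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False

def required_roles(web_xml, method, path):
    """Roles that gate `method path` (path relative to the context root); None = no auth-constraint covers it."""
    roles = None
    for sc in (e for e in ET.fromstring(web_xml).iter() if local(e) == "security-constraint"):
        auth = children(sc, "auth-constraint")
        if not auth:  # a constraint without auth-constraint restricts nobody
            continue
        names = {r.text.strip() for r in children(auth[0], "role-name")}
        for wrc in children(sc, "web-resource-collection"):
            methods = {m.text.strip() for m in children(wrc, "http-method")}
            if methods and method not in methods:  # only listed methods are constrained
                continue
            if any(pattern_matches(p.text.strip(), path) for p in children(wrc, "url-pattern")):
                roles = names if roles is None else roles | names
    return roles
```

      Listing http-method elements constrains only those methods, so the helper reports HEAD or OPTIONS against this fragment as uncovered; omitting the http-method elements (which constrains every method) or using http-method-omission closes that gap.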

      I already shared the steps in Steps to Reproduce.


                People

                • Assignee: cory.bai Xiaofeng Bai
                • Reporter: anijhawa Amit Nijhawan
                • Tester: Barbora Siskova
                • Votes: 1
                • Watchers: 4