Uploaded image for project: 'Red Hat Process Automation Manager'
  1. Red Hat Process Automation Manager
  2. RHPAM-3284

PAM Authorisation Issue - REST Endpoints accessible to all logged in users - even those without the correct roles

    XMLWordPrintable

Details

    • CR1
    • Hide

      1) 1. add new user "test" to RHPAM

      2)  ensure user "test" is assigned no roles

      ~~~~~~~~

      [abc@abc bin]$ cat /home/anijhawa/NotBackedUp/BPM/RHPAM7.8.1/jboss-eap-7.3/standalone/configuration/application-roles.properties
      test=abc

       

      ~~~~~~~

      3)  attempt to curl the PAM controller REST endpoint, using new "test" user with BASIC AUTH:

      ~~~~~

      $ curl -u 'test:test' http://localhost:8080/business-central/rest/controller/management/servers/default-kieserver/containers/
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <container-spec-list>
      ...(snip)...
      </container-spec-list>

       

      > EXPECTED RESULT: the curl should fail with a 403 or similar, indicating that it is unauthorised to access the REST endpoint

      > ACTUAL RESULT: the list of all process containers is returned - the user is authorised to access something that they should not

       

       

       

       

       

       

       

      Show
      1) 1. add new user "test" to RHPAM 2)  ensure user "test" is assigned no roles ~~~~~~~~ [abc@abc bin] $ cat /home/anijhawa/NotBackedUp/BPM/RHPAM7.8.1/jboss-eap-7.3/standalone/configuration/application-roles.properties test=abc   ~~~~~~~ 3)  attempt to curl the PAM controller REST endpoint, using new "test" user with BASIC AUTH: ~~~~~ $ curl -u 'test:test' http://localhost:8080/business-central/rest/controller/management/servers/default-kieserver/containers/ <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <container-spec-list> ...(snip)... </container-spec-list>   > EXPECTED RESULT: the curl should fail with a 403 or similar, indicating that it is unauthorised to access the REST endpoint > ACTUAL RESULT: the list of all process containers is returned - the user is authorised to access something that they should not              
    • 2020 Week 46-48 (from Nov 9), 2020 Week 49-51 (from Nov 30), 2020 Week 52-03 (from Dec 21), 2021 Week 04-06 (from Jan 25)
    • ?

    Description

       REST Endpoints accessible to all logged in users - even those without the correct roles.

       

      We can limit access to specific roles by adding a security-constraint into web.xml which will cover the endpoints you want to protect.

       <security-constraint>
       <web-resource-collection>
       <web-resource-name>REST web resources</web-resource-name>
       <url-pattern>/rest/controller/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>PUT</http-method>
       <http-method>POST</http-method>
       <http-method>DELETE</http-method>
       </web-resource-collection>
       <auth-constraint>
       <role-name>rest-all</role-name>
       <role-name>user</role-name>
       </auth-constraint>
       </security-constraint>
      

       

       

      I already share the steps in steps to Reproduce.

       

       

      Attachments

        Issue Links

          Activity

            People

              xiabai@redhat.com Xiaofeng Bai
              rhn-support-anijhawa1 Amit Nijhawan (Inactive)
              Barbora Siskova Barbora Siskova
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: