Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.10.0.GA
Affects Version/s: 7.8.0.GA
Component/s: Business Central
Labels:
None

Blocked:
False
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Fix Build:
CR1
QE Test Coverage:
?
Release Note Text:
Undefined
Target Release:

7.10.0.GA
Git Pull Request:
https://github.com/kiegroup/kie-wb-distributions/pull/1074
Steps to Reproduce:

Hide

1) 1. add new user "test" to RHPAM

2)  ensure user "test" is assigned no roles

~~~~~~~~

[abc@abc bin]$ cat /home/anijhawa/NotBackedUp/BPM/RHPAM7.8.1/jboss-eap-7.3/standalone/configuration/application-roles.properties
test=abc

~~~~~~~

3)  attempt to curl the PAM controller REST endpoint, using new "test" user with BASIC AUTH:

~~~~~

$ curl -u 'test:test' http://localhost:8080/business-central/rest/controller/management/servers/default-kieserver/containers/
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<container-spec-list>
...(snip)...
</container-spec-list>

> EXPECTED RESULT: the curl should fail with a 403 or similar, indicating that it is unauthorised to access the REST endpoint

> ACTUAL RESULT: the list of all process containers is returned - the user is authorised to access something that they should not

Show
1) 1. add new user "test" to RHPAM 2)  ensure user "test" is assigned no roles ~~~~~~~~ [abc@abc bin] $ cat /home/anijhawa/NotBackedUp/BPM/RHPAM7.8.1/jboss-eap-7.3/standalone/configuration/application-roles.properties test=abc ~~~~~~~ 3)  attempt to curl the PAM controller REST endpoint, using new "test" user with BASIC AUTH: ~~~~~ $ curl -u 'test:test' http://localhost:8080/business-central/rest/controller/management/servers/default-kieserver/containers/ <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <container-spec-list> ...(snip)... </container-spec-list> > EXPECTED RESULT: the curl should fail with a 403 or similar, indicating that it is unauthorised to access the REST endpoint > ACTUAL RESULT: the list of all process containers is returned - the user is authorised to access something that they should not
[QE] How to address?:
---
[QE] Why QE missed?:
---
Market:

Sprint:
2020 Week 46-48 (from Nov 9), 2020 Week 49-51 (from Nov 30), 2020 Week 52-03 (from Dec 21), 2021 Week 04-06 (from Jan 25)

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

REST Endpoints accessible to all logged in users - even those without the correct roles.

We can limit access to specific roles by adding a security-constraint into web.xml which will cover the endpoints you want to protect.

 <security-constraint>
 <web-resource-collection>
 <web-resource-name>REST web resources</web-resource-name>
 <url-pattern>/rest/controller/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>PUT</http-method>
 <http-method>POST</http-method>
 <http-method>DELETE</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>rest-all</role-name>
 <role-name>user</role-name>
 </auth-constraint>
 </security-constraint>

I already share the steps in steps to Reproduce.

is cloned by

JBPM-9489 PAM Authorisation Issue - REST Endpoints accessible to all logged in users - even those without the correct roles

Resolved

is documented by

BXMSDOC-6835 Release notes docs for DM and PAM 7.10

Closed

Assignee:: Xiaofeng Bai

Reporter:: Amit Nijhawan (Inactive)

Tester:: Barbora Kapustova

QA Contact:: Barbora Kapustova

Votes:: 1 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2020/10/30 6:41 AM

Updated:: 2024/02/12 9:25 AM

Resolved:: 2021/01/04 9:18 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates