Red Hat Process Automation Manager: RHPAM-4136

Incorrect groups are returned when "org.kie.server.bypass.auth.user" is set and JAASUserGroupCallbackImpl is used

    • Steps to reproduce:
      • Enable `org.kie.server.bypass.auth.user`
      • Assign a groupId to a task
      • Try to fetch a particular task by calling potOwner, passing a userId which belongs to the groupId.

      Make sure the authenticated user is different from the userId passed in the call to kie-server and does not belong to the groupId assigned to the task.

      An integration test can be found here, though make sure the UserGroupCallback implementation used is `JAASUserGroupCallbackImpl`.

    • Sprint: 2022 Week 11-13 (from Mar 14), 2022 Week 14-16 (from Apr 4)

      Incorrect groups for a particular user passed as a parameter are returned from the `getGroupsForUser` method of the `JAASUserGroupCallbackImpl` implementation class [1].

      This causes issues when the bypass property `org.kie.server.bypass.auth.user` is enabled and we try to fetch tasks assigned to a particular user/group (getTasksAsPotentialOwner, getTasksAssignedAsBusinessAdministrator, getCaseTasksAssignedAsStakeholder, etc.): we get only the groups belonging to the authenticated user instead of those of the userId passed as a parameter.

      For instance, when bypass is enabled and we try to fetch the tasks assigned as potential owner for a task assigned to a group, with JAASUserGroupCallbackImpl:

      • It retrieves the groupIds belonging to a user by calling the `getCallbackUserRoles` method [2].
      • `getCallbackUserRoles` invokes the `getGroupsForUser` method of the `JAASUserGroupCallbackImpl` class [3].
      • The groups fetched are those of the authenticated user, not of the userId passed as argument.

      [1] https://github.com/kiegroup/jbpm/blob/main/jbpm-human-task/jbpm-human-task-core/src/main/java/org/jbpm/services/task/identity/JAASUserGroupCallbackImpl.java#L111

      [2] https://github.com/kiegroup/jbpm/blob/main/jbpm-case-mgmt/jbpm-case-mgmt-impl/src/main/java/org/jbpm/casemgmt/impl/CaseRuntimeDataServiceImpl.java#L641

      [3] https://github.com/kiegroup/jbpm/blob/main/jbpm-human-task/jbpm-human-task-core/src/main/java/org/jbpm/services/task/identity/JAASUserGroupCallbackImpl.java#L111
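The following is an added, self-contained Java example written for this page; it is not code from jBPM or kie-server. It models the reproduction steps above with a local `UserGroupCallback` stand-in (same three methods as the real interface, but not the real one), a constructed user directory in place of the JAAS realm, a hypothetical `AUTHENTICATED_PRINCIPAL` thread-local in place of the container security context, and a simplified potential-owner query. `AuthenticatedSubjectCallback` reproduces the reported behaviour (groups resolved from the authenticated subject, `userId` ignored); `DirectoryCallback` resolves groups for the `userId` actually passed. The second scenario in `main` (an authenticated user whose groups get applied to a userId that has none) is an inference from the described behaviour, not a case stated in the report.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class BypassAuthGroupsDemo {

    /** Local stand-in with the same three methods as org.kie.api.task.UserGroupCallback; not the real interface. */
    interface UserGroupCallback {
        boolean existsUser(String userId);
        boolean existsGroup(String groupId);
        List<String> getGroupsForUser(String userId);
    }

    /** Constructed user directory standing in for the JAAS realm (user -> groups); not real data. */
    static final Map<String, List<String>> DIRECTORY = new HashMap<>();
    static {
        DIRECTORY.put("alice", Arrays.asList("HR"));        // the identity that authenticates to kie-server
        DIRECTORY.put("bob", Arrays.asList("managers"));    // the userId sent in the bypass call
        DIRECTORY.put("carol", Collections.<String>emptyList());
    }

    /** Hypothetical stand-in for the container security context: the authenticated JAAS principal. */
    static final ThreadLocal<String> AUTHENTICATED_PRINCIPAL = new ThreadLocal<>();

    /** Mirrors the reported behaviour: the userId argument is ignored and the authenticated subject's roles come back. */
    static class AuthenticatedSubjectCallback implements UserGroupCallback {
        public boolean existsUser(String userId) { return DIRECTORY.containsKey(userId); }
        public boolean existsGroup(String groupId) {
            return DIRECTORY.values().stream().anyMatch(groups -> groups.contains(groupId));
        }
        public List<String> getGroupsForUser(String userId) {
            // BUG: userId is never consulted; whoever authenticated decides the groups
            String principal = AUTHENTICATED_PRINCIPAL.get();
            return DIRECTORY.getOrDefault(principal, Collections.<String>emptyList());
        }
    }

    /** Expected behaviour: groups are resolved for the userId that was actually passed. */
    static class DirectoryCallback extends AuthenticatedSubjectCallback {
        @Override
        public List<String> getGroupsForUser(String userId) {
            return DIRECTORY.getOrDefault(userId, Collections.<String>emptyList());
        }
    }

    /** Minimal task: potential owners are user ids or group ids. */
    static final class Task {
        final long id;
        final List<String> potentialOwners;
        Task(long id, String... potentialOwners) {
            this.id = id;
            this.potentialOwners = Arrays.asList(potentialOwners);
        }
    }

    /** Simplified potOwner query: a task matches when userId or one of its resolved groups is a potential owner. */
    static List<Long> getTasksAsPotentialOwner(String userId, List<Task> tasks, UserGroupCallback callback) {
        List<String> identities = new ArrayList<>(callback.getGroupsForUser(userId));
        identities.add(userId);
        List<Long> matches = new ArrayList<>();
        for (Task task : tasks) {
            for (String owner : task.potentialOwners) {
                if (identities.contains(owner)) {
                    matches.add(task.id);
                    break;
                }
            }
        }
        return matches;
    }

    public static void main(String[] args) {
        List<Task> tasks = Arrays.asList(
                new Task(1, "managers"),   // the task the report assigns to a group
                new Task(2, "HR"),
                new Task(3, "carol"));

        // Reproduction from the report: alice authenticates, is not in "managers",
        // and the bypass call asks for bob's potential-owner tasks.
        AUTHENTICATED_PRINCIPAL.set("alice");
        System.out.println("buggy, userId=bob:   " + getTasksAsPotentialOwner("bob", tasks, new AuthenticatedSubjectCallback()));
        System.out.println("fixed, userId=bob:   " + getTasksAsPotentialOwner("bob", tasks, new DirectoryCallback()));

        // Inverse case (inferred, not from the report): the authenticated principal's groups are
        // applied to any userId, so a user with no group membership is offered alice's HR task.
        System.out.println("buggy, userId=carol: " + getTasksAsPotentialOwner("carol", tasks, new AuthenticatedSubjectCallback()));
        System.out.println("fixed, userId=carol: " + getTasksAsPotentialOwner("carol", tasks, new DirectoryCallback()));
        AUTHENTICATED_PRINCIPAL.remove();
    }
}
```

Compile and run with `javac BypassAuthGroupsDemo.java && java BypassAuthGroupsDemo`. With the buggy callback, bob is offered the HR task alice can see and not the managers task he actually belongs to, which is the missing-task symptom in the report; the inverse scenario shows why a practitioner verifying a fix should also query for a userId with fewer privileges than the authenticated principal and confirm it is not offered the principal's tasks.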

              rhn-support-egonzale Enrique Gonzalez Martinez (Inactive)
              antferna Antonio Fernandez Alhambra (Inactive)