Bug 1280313

Summary: Multiple client command execution through SOAP interface does not authenticate correctly
Product: [Retired] JBoss BPMS Platform 6 Reporter: Tomas Livora <tlivora>
Component: Business CentralAssignee: Shelly McGowan <smcgowan>
Status: CLOSED EOL QA Contact: Ivo Bek <ibek>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.2.0CC: etirelli, ibek, lpetrovi, rrajasek
Target Milestone: CR2Keywords: Regression
Target Release: 6.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-27 19:39:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Livora 2015-11-11 13:08:27 UTC 
Description of problem:
We have a test case which tries to run a process using SOAP with invalid credentials. The test passes (exception is thrown) if it is run alone. However, if other SOAP test is run before, no exception is thrown. I think this means that SOAP is using the user credentials from previous test and so it is not stateless as it should be.

Version-Release number of selected component (if applicable):
6.2.0 ER5

Steps to Reproduce:
1. Run some commands using SOAP interface with valid credentials.
2. Try to run some command using SOAP interface with invalid credentials.

Actual results:
The command is executed and no exception is thrown

Expected results:
Exception should be thrown

Additional info:
See testNotExistingUser() method here:
https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/blob/master/test-jbpm-integration/src/test/java/org/jboss/qa/bpms/jbpm/integration/security/SOAPBasicSecurityTest.java
Comment 2 Tomas Livora 2015-11-11 16:06:42 UTC 
I have just tried it with BPMS 6.1 and exception is thrown there. However, the different one when the test is executed alone (RemoteCommunicationException) and with other SOAP tests (WebServiceException). In BPMS 6.2 there is the same exception when the test is executed alone (RemoteCommunicationException) and no exception if it is executed together with other SOAP tests.
Comment 3 Marco Rietveld 2015-11-12 02:42:55 UTC 
Tomas, 

Could you provide a test that reproduces this issue? 

I tried to reproduce the issue in several different ways but was unable to do so. 

At the moment, my suspicion is that this is not a bug, but a weird by-product of the QE tests. However, I've also been wrong about my suspicions quite often!
Comment 4 Marco Rietveld 2015-11-12 06:28:19 UTC 
Apologies Tomas, it took me a while, but all of a sudden I understood where the mistake was and what was happening. 

Please ignore the above comment.
Comment 5 Marco Rietveld 2015-11-12 07:13:23 UTC 
However, I do not believe this is a blocker. 

What I'm seeing is the following: 

1. In certain situations, it's possible to _create a client_ with incorrect/unauthorized login information. 
2. However, _requests_ with unauthorized login information are not succeeding. 

This means that the problem is only limited to the creation of clients and does not extend to unauthorized requests.

Tomas and/or Lukash, could you confirm this?
Comment 6 Ivo Bek 2015-11-12 09:21:52 UTC 
Marco, it seems that the SOAP client is working though it uses wrong credentials.

I checked the jenkins jobs and the test passes all the assertions in the code below:

RemoteController rc = new SOAPCommandController(TestConfig.getApplicationUrl(), IntegrationBase.DEPLOYMENT_ID,
                "IDontExist", "MyPassword");
        ProcessInstance pi = rc.startProcess(DEPLOYMENT_ID, SCRIPT_TASK_PROCESS_ID, null);
        Assertions.assertThat(pi).isNotNull();
        Assertions.assertThat(pi.getProcessId()).isEqualTo(SCRIPT_TASK_PROCESS_ID);
        Assertions.assertThat((long) pi.getState()).isEqualTo(ProcessInstance.STATE_COMPLETED);

And the test fails with java.lang.AssertionError: Expected exception: org.kie.remote.client.api.exception.RemoteCommunicationException

In the log I can see the process instance too.

ProcessInstance 1133 [processId=org.jboss.qa.bpms.ScriptTask,state=2]
Comment 12 Marco Rietveld 2015-11-22 16:20:19 UTC 
Created https://issues.apache.org/jira/browse/CXF-6689
Comment 13 Marco Rietveld 2015-11-23 20:20:33 UTC 
Maciej has found a likely fix: 

https://github.com/droolsjbpm/droolsjbpm-integration/pull/236/files?w=1

I've confirmed that the same class (AuthValueImpl) also exists in the IBM and Open JDK.
Comment 14 Marco Rietveld 2015-11-24 15:19:05 UTC 
PR's submitted: 

https://github.com/droolsjbpm/droolsjbpm-integration/pull/238
https://github.com/droolsjbpm/droolsjbpm-integration/pull/237
Comment 15 Marco Rietveld 2015-11-24 15:21:05 UTC 
The following code, if executed before the test, provides a workaround: 

https://github.com/mrietveld/droolsjbpm-integration/blob/pr-BZ-1280313/kie-remote/kie-remote-client/src/main/java/org/kie/remote/client/ws/KieRemoteWsAuthenticator.java#L81-L107

QE, would it be possible for you to verify this workaround on the test today? (Nov 24th)
Comment 16 Lukáš Petrovický 2015-11-24 15:24:42 UTC 
(In reply to Marco Rietveld from comment #15)
> QE, would it be possible for you to verify this workaround on the test
> today? (Nov 24th)

Unfortunately not. :-( Everybody gone already. First thing in the morning, though.
Comment 17 Tomas Livora 2015-11-25 08:05:52 UTC 
Marco, I have just tested it and our reproducer passes when I execute that method before each test. So it seems the issue is fixed by this workaround.
Comment 18 Marco Rietveld 2015-11-25 12:55:17 UTC 
Fixed. Commits: 

6.3.x: 
https://github.com/droolsjbpm/droolsjbpm-integration/commit/594fa3e1

master: 
https://github.com/droolsjbpm/droolsjbpm-integration/commit/662231c0
Comment 19 Ivo Bek 2015-12-01 12:18:27 UTC 
Verified in BPM Suite 6.2.0.CR2