Bug 1310510

Summary: 6.2.0: Remote java API: cannot get tasks assigned to different users
Product: [Retired] JBoss BPMS Platform 6
Reporter: Hiroko Miura <hmiura>
Component: Business Central
Assignee: Shelly McGowan <smcgowan>
Status: CLOSED EOL
QA Contact: Lukáš Petrovický <lpetrovi>
Severity: high
Priority: high
Version: 6.2.0
CC: abhumbe, alazarot, g.nieser, kverlaen
Target Milestone: ER2
Target Release: 6.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of:
: 1325944
Last Closed: 2020-03-27 19:38:45 UTC
Type: Bug
Bug Blocks: 1325944, 1325945

Description Hiroko Miura 2016-02-22 05:05:09 UTC
Description of problem:

Customer wants to use different users for Task operation and for REST authentication. But it's not working with the BPMS 6.2 release; it fails with the below exception:

org.kie.remote.client.api.exception.RemoteApiException: The user id used
when retrieving task information (user1) must match the authenticating
user (user2)!

This was reported as BZ#1265568 but was closed as a "NOT a BUG".

However, several customers need to get this use case to work.
In fact, the following system property is prepared to bypass this restriction

-Dorg.kie.task.insecure=true

but it does not work yet as expected. 

Version-Release number of selected component (if applicable):
6.2.0



Steps to Reproduce:
1. Use one user's credentials when using remote APIs
2. Try to get tasks for another user.


Actual results:
org.kie.remote.client.api.exception.RemoteApiException: The user id used when retrieving task information (user1) must match the authenticating user (user2)!

Expected results:
It should be possible to somehow bypass this check to allow testing processes with tasks assigned to different users.


Additional info:

Comment 5 Marco Rietveld 2016-03-15 12:56:49 UTC
PR Submitted: https://github.com/droolsjbpm/droolsjbpm-integration/pull/356

By either setting the system property "org.kie.task.insecure" on the *client* side or otherwise using the "disableTaskSecurity()" method in the fluent RemoteRestRuntimeEngineBuilder, the user can now retrieve tasks that the user would not normally be able to see.

Comment 7 Marco Rietveld 2016-03-23 11:23:02 UTC
Fixed. Commits: 

6.4.x: 
https://github.com/droolsjbpm/droolsjbpm-integration/commit/429e4c28

Comment 8 Tomas Livora 2016-03-31 09:06:09 UTC
Verified on BPM Suite 6.3.0 ER2

https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/commit/55f46bdee3b94b88ba5b19ccf885335a4572bf33

However, I think it was not the best idea to name the newly added method disableTaskSecurity() because a method with the same name but a different purpose exists in RemoteJmsRuntimeEngineBuilder and so it may cause some confusion.