Bug 823318

Summary: jBPM console cannot initialize session when drools packages are signed
Product: [JBoss] JBoss Enterprise BRMS Platform 5
Reporter: Jiri Locker <jlocker>
Component: jBPM Console
Assignee: Maciej Swiderski <mswiders>
Status: CLOSED NOTABUG
QA Contact: Lukáš Petrovický <lpetrovi>
Severity: urgent
Priority: unspecified
Version: BRMS 5.3.0.GA
CC: atangrin, mswiders
Doc Type: Bug Fix
Last Closed: 2012-05-22 17:41:29 UTC
Type: Bug
Attachments: server.log (flags: none)

Description Jiri Locker 2012-05-20 21:50:40 UTC
Created attachment 585680
server.log

Description of problem:
jBPM console is not prepared to handle drools packages that are signed. When signing of serialized rules packages is enabled in Guvnor, jBPM console fails to initialize the knowledge session.

Version-Release number of selected component (if applicable):
ER7

How reproducible:
always

Steps to Reproduce:
1. set up package signing in Guvnor http://docs.redhat.com/docs/en-US/JBoss_Enterprise_BRMS_Platform/5/html/BRMS_Administrator_Guide/chap-security.html#BRMS_AdminGuide-signing_config
2. create/import a package with some processes and build it
3. log in to http://localhost:8080/business-central/
  
Actual results:
The knowledge session fails to initialize and an exception is thrown. jBPM console doesn't allow providing package signing properties for the KnowledgeAgent that pulls packages from Guvnor.

Expected results:
It should be possible to pass signing properties
> drools.serialization.sign
> drools.serialization.public.keyStoreURL
> drools.serialization.public.keyStorePwd
to the console so that KA can deserialize signed packages and the session can be initialized.

Additional info:
The root exception message:

org.drools.RuntimeDroolsException: This environment is configured to work with signed serialized objects, but the given object is unsigned. Deserialization aborted.

says the contrary of how I described the issue. It sounds like jBPM console expected a signed package, which it was not. But I think it doesn't make sense that way. Please correct me if I misunderstood the issue.

Comment 1 Maciej Swiderski 2012-05-21 09:08:54 UTC
I believe this is not related to loading packages from Guvnor but to loading the session from the database. What is happening is that the session was persisted without a signature before, and after security was enhanced (sign serialization was enabled) the session cannot be loaded as it was stored not signed, thus we see this error message.

Could you please confirm/refute above?

I will work on setting up the environment as described.

Comment 2 Maciej Swiderski 2012-05-21 10:37:16 UTC
After setting up the environment with security enabled, I confirm that it will fail if the console tries to load a session that was created (and persisted) with security disabled. Due to that, there is a need to force the console to create a new session instead of loading one after turning security on. This can be done by deleting the jbpmSessionId.ser file that is located in {jboss.server.temp.dir}.

After this has been done, the console is able to read signed packages from Guvnor and load the signed session.

Comment 3 Jiri Locker 2012-05-22 17:41:29 UTC
I didn't mention the method I used to set serialization properties. I only placed them into jboss-brms.war/WEB-INF/classes/preferences.properties. Therefore I expected that only Guvnor would know signing is enabled. I didn't know that org.drools.guvnor.server.configurations.ApplicationPreferencesInitializer is used to set these preferences as System properties and so the environment was really configured to work with signed objects when the session was loaded by jbpm console.

Now I understand this issue is not a bug and only occurs when the console loads the session and the signing preference was changed before the session was created.
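
The failure mode worked out in this thread, as an added Java example that is not Drools or jBPM code and not part of the original report: a reader that requires signatures rejects state that was written while signing was off, and accepts it again once the state is recreated. The class and method names, the SHA256withRSA algorithm and the in-memory key pair (standing in for the keystore) are assumptions made for the illustration.

```java
import java.security.*;

// Added illustration: a simplified model of the mismatch, not Drools or jBPM code.
public class SignedStateDemo {
    // Stored blob: payload plus signature; signature is null if written with signing off.
    static final class Stored {
        final byte[] payload, signature;
        Stored(byte[] payload, byte[] signature) { this.payload = payload; this.signature = signature; }
    }

    // Writer: signs only when a private key is supplied (signing enabled).
    static Stored persist(byte[] payload, PrivateKey key) throws GeneralSecurityException {
        if (key == null) return new Stored(payload, null);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(payload);
        return new Stored(payload, s.sign());
    }

    // Reader: when signing is required, unsigned or tampered blobs are rejected before use.
    static byte[] load(Stored st, boolean signRequired, PublicKey pub) throws GeneralSecurityException {
        if (!signRequired) return st.payload;
        if (st.signature == null)
            throw new SecurityException("signed objects required, but the stored object is unsigned");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(st.payload);
        if (!s.verify(st.signature)) throw new SecurityException("signature does not verify");
        return st.payload;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // constructed throwaway key, stands in for the keystore
        byte[] session = "session-state".getBytes("UTF-8"); // constructed sample payload

        Stored old = persist(session, null); // written while signing was off
        System.out.println("signing off, old blob: " + new String(load(old, false, null), "UTF-8"));
        try {
            load(old, true, kp.getPublic()); // signing switched on afterwards
        } catch (SecurityException e) {
            System.out.println("signing on, old blob rejected: " + e.getMessage());
        }
        Stored fresh = persist(session, kp.getPrivate()); // state recreated after the switch
        System.out.println("signing on, new blob: " + new String(load(fresh, true, kp.getPublic()), "UTF-8"));
    }
}
```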