Bug 986208
| Summary: | Allow using different authentication methods for KIE Workbench (FORM) and for REST API (BASIC) | ||
|---|---|---|---|
| Product: | [Retired] JBoss BPMS Platform 6 | Reporter: | Jiri Locker <jlocker> |
| Component: | Business Central | Assignee: | Mark Proctor <mproctor> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jiri Locker <jlocker> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 6.0.0 | CC: | ibek, jsvitak, rrajasek, rzhang |
| Target Milestone: | ER4 | Keywords: | TestBlocker |
| Target Release: | 6.0.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-08-06 20:11:31 UTC | Type: | Enhancement |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jiri Locker
2013-07-19 08:48:41 UTC
Most REST APIs wont support browser at all. For example, most Guvnor REST APIs return json, this requires the client set the accept header properly to application/json. It is not possible to set header through browser. I would recommend using curl as the debugging tool. Thanks for the tip. curl will be helpful for further testing. We can work around the REST authentication by removing this element from web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>rest</web-resource-name>
<url-pattern>/rest/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>kie-user</role-name>
</auth-constraint>
</security-constraint>
However the requirement to use BASIC method for REST API authentication persists.
Basic Authentication is supported now. http://github.com/droolsjbpm/drools-wb/commit/111fed534 There is still one thing missing from the previous fix: we need to return 401 unauthorized if the authentication fails. Our current code returns 200 with a login page as the response body. In case the Authorization header is missing in the request, NPE [1] is thrown on the server and it returns HTML report with the exception. 401 unauthorized should be returned in this case as well as when wrong credentials are provided, right?
[1] servlet javax.ws.rs.core.Application threw exception: java.lang.NullPointerException
at org.uberfire.security.server.auth.JACCAuthenticationScheme.buildCredential(JACCAuthenticationScheme.java:23) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
at org.uberfire.security.server.auth.HttpAuthenticationManager.authenticate(HttpAuthenticationManager.java:116) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
at org.uberfire.security.server.HttpSecurityManagerImpl.authenticate(HttpSecurityManagerImpl.java:214) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
at org.uberfire.security.server.UberFireSecurityFilter.authenticate(UberFireSecurityFilter.java:304) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
at org.uberfire.security.server.UberFireSecurityFilter.doFilter(UberFireSecurityFilter.java:249) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
*** Bug 1002720 has been marked as a duplicate of this bug. *** Seems it could be a similar problem as it is here BZ 994905. Fixed. https://github.com/droolsjbpm/uberfire/commit/1055d3cc8 The server now returns 401 if the Authorization header is not provided. Fix verified in ER4. Business central uses FORM authentication and REST API uses BASIC. Accessing /rest/* without Authorization header returns 401 and doesn't cause server-side exception. Note: the 401 response is still not recognized as authentication request by user agents (Web browser, REST clients), which I think may be due to missing WWW-Authenticate response header. This is a suggestion for future improvement. |