Bug 994905

Summary: A task operation is performed via REST API under anonymous user even though the user has set credentials
Product: [Retired] JBoss BPMS Platform 6
Reporter: Ivo Bek <ibek>
Component: Business Central
Assignee: Marco Rietveld <mrietvel>
Status: CLOSED CURRENTRELEASE
QA Contact: Ivo Bek <ibek>
Severity: unspecified
Priority: unspecified
Version: 6.0.0
CC: ibek, kverlaen, mbaluch, rrajasek, smcgowan
Target Milestone: ER4
Keywords: Reopened
Target Release: 6.0.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-08-06 20:09:18 UTC
Type: Bug

Description Ivo Bek 2013-08-08 08:44:28 UTC
Description of problem:

It's not possible to perform any task operation because the user is supposed to be anonymous, so he doesn't have any permissions to do the operation. It shouldn't even be possible to do an operation without being logged in, since the REST API is fully secured.
I just create the ClientRequestFactory with UsernamePasswordCredentials and then do the rest/task/taskid/start operation.
It seems that the IdentityProvider doesn't return the logged-in user. https://github.com/droolsjbpm/droolsjbpm-integration/blob/master/kie-remote/kie-services-remote/src/main/java/org/kie/services/remote/rest/TaskResource.java

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Marco Rietveld 2013-08-10 11:56:32 UTC
Ivo, Could you provide some more information? The bug description is unclear to me. 

I can imagine that it seems more than obvious to you what the problem is, but unfortunately I end up working on lots of different things during a week so that it takes me longer to get up to speed on exactly what the problem is. :) 

If you could fill in the questions posed by bugzilla (steps to reproduce, actual results, etc.), that would be great! 

Thanks!!

Comment 2 Ivo Bek 2013-08-12 07:37:41 UTC
Hi Marco,

after further investigation I noticed that the issue (task is not started via REST API) only happens when I use the RESTEasy client this way:

    // Builds a ClientRequestFactory whose HttpClient carries the user's credentials
    ClientRequestFactory createRequestFactory(String userId, String password) {
        DefaultHttpClient httpClient = new DefaultHttpClient();
        httpClient.getCredentialsProvider().setCredentials(
                new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM),
                new UsernamePasswordCredentials(userId, password));
        ClientExecutor clientExecutor = new ApacheHttpClient4Executor(httpClient);
        return new ClientRequestFactory(clientExecutor, ResteasyProviderFactory.getInstance());
    }

I also tried REST client integrated in browser where the task execution works.

Did you see the email with subject "Task operation identity issue" I sent you Aug 08? There are more details and links to our test suite.

Steps to Reproduce:
1. Start a process with human task
2. Start the task via REST API programmatically
3. See PermissionDeniedException in the server log containing "User '[UserImpl:'Anonymous']' does not have permissions to execution operation 'Start' on task id 1"
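Added example (not code from this bug report or from the project) that extends the factory shown in comment 2 so the client attaches its BASIC credentials up front instead of waiting for a 401 challenge, and fails the task call explicitly when the server rejects them. It assumes the Apache HttpClient 4.1/4.2 and RESTEasy 2.x client APIs used in that snippet; baseUrl and taskId are placeholders.

```java
// Added example, not project code; assumes Apache HttpClient 4.1/4.2 and RESTEasy 2.x client API.
import org.apache.http.*;
import org.apache.http.auth.*;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.*;
import org.jboss.resteasy.client.*;
import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
public class PreemptiveBasicAuthClient {
    // Same factory as in comment 2, plus an interceptor that attaches BASIC credentials up front.
    public static ClientRequestFactory createFactory(String userId, String password) {
        DefaultHttpClient httpClient = new DefaultHttpClient();
        httpClient.getCredentialsProvider().setCredentials(
                new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM),
                new UsernamePasswordCredentials(userId, password));
        // By default HttpClient only sends Authorization after a 401 + WWW-Authenticate challenge;
        // if the server never challenges (e.g. it answers with a FORM login page instead), the
        // request reaches the REST resource with no identity at all, i.e. as Anonymous.
        httpClient.addRequestInterceptor(new HttpRequestInterceptor() {
            public void process(HttpRequest request, HttpContext context) throws HttpException {
                AuthState authState = (AuthState) context.getAttribute(ClientContext.TARGET_AUTH_STATE);
                if (authState.getAuthScheme() != null) return; // already negotiating a scheme
                CredentialsProvider provider =
                        (CredentialsProvider) context.getAttribute(ClientContext.CREDS_PROVIDER);
                HttpHost target = (HttpHost) context.getAttribute(ExecutionContext.HTTP_TARGET_HOST);
                Credentials creds = provider.getCredentials(
                        new AuthScope(target.getHostName(), target.getPort()));
                if (creds != null) {
                    authState.setAuthScheme(new BasicScheme());
                    authState.setCredentials(creds);
                }
            }
        }, 0); // index 0: run before HttpClient's own request-processing interceptors
        ClientExecutor executor = new ApacheHttpClient4Executor(httpClient);
        return new ClientRequestFactory(executor, ResteasyProviderFactory.getInstance());
    }
    // Starts a task and treats 401/403 as a rejected login rather than an ordinary error.
    public static int startTask(ClientRequestFactory factory, String baseUrl, long taskId) throws Exception {
        ClientRequest request = factory.createRequest(baseUrl + "/rest/task/" + taskId + "/start");
        ClientResponse<String> response = request.post(String.class);
        int status = response.getStatus();
        if (status == 401 || status == 403) {
            throw new IllegalStateException("Credentials not accepted by the server (HTTP " + status + ")");
        }
        return status;
    }
}
```

Comparing the server log after a call through this factory with the log from the original factory shows whether the "Anonymous" identity comes from a missing Authorization header or from the server-side IdentityProvider.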

Comment 3 Ivo Bek 2013-09-10 06:59:58 UTC
Seems it could be a similar problem to the one in BZ 986208; see the last comments there.

Comment 4 Marco Rietveld 2013-09-16 15:43:53 UTC
It's no longer possible to authenticate against the server in the way described above. 

I've verified this with the following code (that connects to a running BPMS server with the Evaluation example deployed and with a user "mary" added to the server): 

https://github.com/droolsjbpm/droolsjbpm-integration/blob/6.0.x/kie-remote/kie-services-client/src/test/java/org/kie/services/client/api/LiveServerTest.java

See the anonymousTaskInitiatorTest() test method in the above class. 

Verified with this commit: 

https://github.com/droolsjbpm/droolsjbpm-integration/commit/900fa45bb1f37f6d7a5b3e5dc7c1689ed3169c96

Comment 5 Marco Rietveld 2013-09-16 15:44:50 UTC
Ivo, 

Would it be okay to mark this bug as CLOSED/WORKSFORME? (or maybe CLOSED/NOTABUG?).

Comment 8 Marco Rietveld 2013-09-17 10:52:46 UTC
I think that these commits are largely responsible for the change/fix: 

https://github.com/droolsjbpm/uberfire/commit/5540d97
https://github.com/droolsjbpm/kie-wb-distributions/commit/5878cb7c24cdfed965609cbce727cd02f282977c

These changes allowed us to use BASIC authentication with the normal web.xml (formerly, we had to use FORM authentication when the UI was active, now we can use FORM for the UI while simultaneously using BASIC for the rest services.)

Comment 9 Marco Rietveld 2013-09-17 10:56:37 UTC
Oops, wrong BZ. :(

Comment 10 Ivo Bek 2013-09-18 07:55:52 UTC
Hi Marco,
I think it would be better to change it to modified status and then on_qa because I'd like to verify it against BPMS 6.0.0.er4. In BPMS 6.0.0.er3 it still doesn't work.
org.jboss.resteasy.spi.UnauthorizedException: User '[UserImpl:'Anonymous']' does not have permissions to execution operation 'Start' on task id 18

Comment 11 Kris Verlaenen 2013-09-20 11:00:00 UTC
Setting to modified as suggested.

Comment 15 Ivo Bek 2013-10-15 11:17:12 UTC
Verified in BPMS 6.0.0.ER4