Bug 1283109 - REST API roles restrictions do not work on WebSphere and WebLogic
Status: VERIFIED
Product: JBoss BPMS Platform 6
Classification: JBoss
Component: Business Central (Show other bugs)
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: DR1
Target Release: 6.3.0
Assigned To: Maciej Swiderski
QA Contact: Tomas Livora
Docs Contact:
Depends On: 1272981 1314445
Blocks: 1295537
Reported: 2015-11-18 04:52 EST by Tomas Livora
Modified: 2016-03-17 10:15 EDT
CC: 4 users

Doc Type: Bug Fix
Clones: 1295537
Type: Bug


Attachments:
WebLogic client test log (573.67 KB, text/plain), 2015-11-18 04:52 EST, Tomas Livora
WebLogic server test log (431.54 KB, text/plain), 2015-11-18 04:55 EST, Tomas Livora
WebSphere test client log (6.46 KB, text/plain), 2015-11-18 05:33 EST, Tomas Livora

Description Tomas Livora 2015-11-18 04:52:26 EST
Created attachment 1095919
WebLogic client test log

Description of problem:
When you try to execute some commands through the REST API with a user who has no REST-specific role, you get a SUCCESS response on WebSphere and WebLogic.

Version-Release number of selected component (if applicable):
6.2.0 ER5

Steps to Reproduce:
1. Set up BPMS on WebSphere or WebLogic
2. Create a user without any REST role
3. Try to execute some command as this user

Actual results:
No exception; a SUCCESS response.

Expected results:
An exception should be thrown.

Additional info:
We have it covered by these tests:
https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/blob/master/test-jbpm-integration/src/test/java/org/jboss/qa/bpms/jbpm/integration/security/RestApiRoleAccessTest.java

All the *AccessDenied tests pass on EAP and EWS but fail on WebSphere and WebLogic.
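The reproduction steps above boil down to one check: a user who holds no rest-* role must be refused by every /rest endpoint with an HTTP 401 or 403, never answered with a command response. The probe below is an added example (not the QE test referenced above and not project code) that runs that check against a test installation for a list of accounts and endpoints; the base URL, account names, passwords and the two endpoint paths are placeholders that assume the jBPM 6 remote REST layout under /business-central/rest. It builds the Authorization header itself for each request rather than relying on a JVM-wide Authenticator, so no credentials are cached between users.

```python
"""Probe REST role enforcement: users without a rest-* role must get 401/403.

Added example, not the project's own test. BASE_URL, the accounts and the
endpoint paths are placeholders for a test installation (assumed jBPM 6
remote REST layout).
"""
import base64
import urllib.error
import urllib.request

# Any role starting with this prefix (rest-all, rest-task, ...) grants REST
# access; a user with none of them must be refused by every /rest endpoint.
REST_ROLE_PREFIX = "rest-"


def has_rest_role(roles):
    """True if the account holds at least one REST-specific role."""
    return any(r.startswith(REST_ROLE_PREFIX) for r in roles)


def basic_auth_header(user, password):
    """Build the Basic Authorization header explicitly per request, so that
    nothing is cached between accounts by the HTTP client."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def send(base_url, user, password, method, path):
    """Send one request; return (status, body). 4xx/5xx come back as data
    rather than exceptions so that 401/403 can be evaluated like any reply."""
    req = urllib.request.Request(base_url + path, method=method,
                                 headers=basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def verdict(status, body, expect_access):
    """Classify one reply against what the account's roles should allow.

    For an account without a REST role only 401 or 403 is correct. A 200
    with a SUCCESS command response, or any other non-denial (including an
    empty entity), is an access-control bypass from the caller's side.
    """
    if expect_access:
        return "ok" if status < 400 else f"unexpected denial ({status})"
    if status in (401, 403):
        return "ok"
    if "SUCCESS" in body:
        return f"BYPASS: command executed with status {status}"
    return f"BYPASS: not denied (status {status}, {len(body)}-byte body)"


def run(base_url, accounts, checks):
    """Run every (method, path) check as every account; return verdict rows."""
    rows = []
    for user, password, roles in accounts:
        for method, path in checks:
            status, body = send(base_url, user, password, method, path)
            rows.append((user, method, path,
                         verdict(status, body, has_rest_role(roles))))
    return rows


if __name__ == "__main__":
    BASE_URL = "http://localhost:8080/business-central"  # placeholder
    ACCOUNTS = [  # constructed test accounts: (user, password, roles)
        ("restuser", "restuser1!", ["user", "rest-all"]),
        ("plainuser", "plainuser1!", ["user"]),  # no rest-* role: must be refused
    ]
    CHECKS = [  # assumed jBPM 6 remote REST endpoints
        ("POST", "/rest/task/1/claim"),
        ("GET", "/rest/task/query"),
    ]
    for row in run(BASE_URL, ACCOUNTS, CHECKS):
        print(*row)
```

Run it once per container (EAP, EWS, WebLogic, WebSphere); every row for the account without a REST role should read "ok", and a "BYPASS" row reproduces the behaviour reported here. Only the HTTP status decides the verdict, so a container that returns an empty body with a success status is still flagged rather than mistaken for a denial.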
Comment 1 Tomas Livora 2015-11-18 04:55 EST
Created attachment 1095920
WebLogic server test log

See, for example, that there is an attempt to claim a task by a user who should not be allowed to use the REST API.
Comment 2 Tomas Livora 2015-11-18 05:33 EST
Created attachment 1095937
WebSphere test client log

The behaviour slightly differs on WebSphere. The following exception is thrown on the client side:

org.jboss.resteasy.client.ClientResponseFailure: RESTEASY001380: Input stream was empty, there is no entity

Note that all these tests use REST directly (without RemoteRuntimeEngine).
Comment 4 Maciej Swiderski 2015-11-25 08:22:32 EST
WAS does work as expected based on my tests. I am still struggling to get the QE tests to run reliably locally, but it might be the same issue with cached credentials on HttpURLConnection as described here:
https://bugzilla.redhat.com/show_bug.cgi?id=1280313#c15

There are additional fixes required for WebLogic; pull requests created:
6.3.x:
https://github.com/droolsjbpm/kie-wb-distributions/pull/151
master:
https://github.com/droolsjbpm/kie-wb-distributions/pull/152
Comment 6 Maciej Swiderski 2015-12-01 13:52:19 EST
Fixed on master.

kie-wb-distributions
master:
https://github.com/droolsjbpm/kie-wb-distributions/commit/e42d4733c67c3e1af7cdd8f04794a3272d94dffe

In case it should be backported, please assign it back to me.
Comment 7 Tomas Livora 2016-03-17 10:15:50 EDT
Verified on BPM Suite 6.3.0 ER1
