1283109 – REST API roles restrictions do not work on WebSphere and WebLogic

Bug 1283109 - REST API roles restrictions do not work on WebSphere and WebLogic

Summary: REST API roles restrictions do not work on WebSphere and WebLogic

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	JBoss BPMS Platform 6
Classification:	Retired
Component:	Business Central
Sub Component:
Version:	6.2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	high
Target Milestone:	DR1
Target Release:	6.3.0
Assignee:	Marco Rietveld
QA Contact:	Lukáš Petrovický
Docs Contact:
URL:
Whiteboard:
Depends On:	1272981 1314445
Blocks:	1295537
TreeView+	depends on / blocked

Reported:	2015-11-18 09:52 UTC by Tomas Livora
Modified:	2020-03-27 20:04 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1295537 (view as bug list)
Environment:
Last Closed:	2020-03-27 20:04:26 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
WebLogic client test log (573.67 KB, text/plain) 2015-11-18 09:52 UTC, Tomas Livora	no flags	Details
WebLogic server test log (431.54 KB, text/plain) 2015-11-18 09:55 UTC, Tomas Livora	no flags	Details
WebSphere test client log (6.46 KB, text/plain) 2015-11-18 10:33 UTC, Tomas Livora	no flags	Details
View All

Description Tomas Livora 2015-11-18 09:52:26 UTC

Created attachment 1095919 [details]
WebLogic client test log

Description of problem:
When you try to execute some commands through REST API with a user without any REST-specific role, you will get SUCCESS response on WebSphere and WebLogic.

Version-Release number of selected component (if applicable):
6.2.0 ER5

Steps to Reproduce:
1. Set up BPMS on WebSphere or WebLogic
2. Create a user without any rest role
3. Try to execute some command with this user

Actual results:
No exception and SUCCESS response. 

Expected results:
Exception should be thrown

Additional info:
We have it covered by these tests:
https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/blob/master/test-jbpm-integration/src/test/java/org/jboss/qa/bpms/jbpm/integration/security/RestApiRoleAccessTest.java

All the *AccessDenied tests pass on EAP and EWS but fail on WebSphere and WebLogic.

Comment 1 Tomas Livora 2015-11-18 09:55:16 UTC

Created attachment 1095920 [details]
WebLogic server test log

See that there is for example an attempt to claim the task by a user that should not be allowed to use REST API.

Comment 2 Tomas Livora 2015-11-18 10:33:48 UTC

Created attachment 1095937 [details]
WebSphere test client log

The behaviour slightly differs on WebSphere. The following exception is thrown on the client side:

org.jboss.resteasy.client.ClientResponseFailure: RESTEASY001380: Input stream was empty, there is no entity

Note that all these tests use REST directly (without RemoteRuntimeEngine).

Comment 3 Marco Rietveld 2015-11-24 14:17:53 UTC

Maybe this is necessary? 

https://github.com/droolsjbpm/kie-wb-distributions/commit/e5bfecc2#diff-8f59b4c5bda82084ad873bbc8be03756L9

Comment 4 Maciej Swiderski 2015-11-25 13:22:32 UTC

WAS does work as expected based on my tests - still struggling with QE tests to run reliably locally but it might be same issue with cached credentials on HttpURLConnection as described here:
https://bugzilla.redhat.com/show_bug.cgi?id=1280313#c15

there are additional fixes required for WebLogic, pull requests created:
6.3.x:
https://github.com/droolsjbpm/kie-wb-distributions/pull/151
master:
https://github.com/droolsjbpm/kie-wb-distributions/pull/152

Comment 6 Maciej Swiderski 2015-12-01 18:52:19 UTC

fixed on master

kie-wb-distributions
master:
https://github.com/droolsjbpm/kie-wb-distributions/commit/e42d4733c67c3e1af7cdd8f04794a3272d94dffe

in case it should be back ported please assign it back to me

Comment 7 Tomas Livora 2016-03-17 14:15:50 UTC

Verified on BPM Suite 6.3.0 ER1

Note You need to log in before you can comment on or make changes to this bug.