Created attachment 1095919: WebLogic client test log
Description of problem:
When you try to execute some commands through the REST API with a user without any REST-specific role, you will get a SUCCESS response on WebSphere and WebLogic.
Version-Release number of selected component (if applicable):
6.2.0 ER5
Steps to Reproduce:
1. Set up BPMS on WebSphere or WebLogic
2. Create a user without any rest role
3. Try to execute some command with this user
Actual results:
No exception and SUCCESS response.
Expected results:
Exception should be thrown
Additional info:
We have it covered by these tests:
https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/blob/master/test-jbpm-integration/src/test/java/org/jboss/qa/bpms/jbpm/integration/security/RestApiRoleAccessTest.java
All the *AccessDenied tests pass on EAP and EWS but fail on WebSphere and WebLogic.
Created attachment 1095920: WebLogic server test log
See that there is, for example, an attempt to claim the task by a user that should not be allowed to use the REST API.
Created attachment 1095937: WebSphere test client log
The behaviour slightly differs on WebSphere. The following exception is thrown on the client side:
org.jboss.resteasy.client.ClientResponseFailure: RESTEASY001380: Input stream was empty, there is no entity
Note that all these tests use REST directly (without RemoteRuntimeEngine).
Maybe this is necessary? https://github.com/droolsjbpm/kie-wb-distributions/commit/e5bfecc2#diff-8f59b4c5bda82084ad873bbc8be03756L9
WAS does work as expected based on my tests - still struggling to get the QE tests to run reliably locally, but it might be the same issue with cached credentials on HttpURLConnection as described here: https://bugzilla.redhat.com/show_bug.cgi?id=1280313#c15
There are additional fixes required for WebLogic, pull requests created:
6.3.x: https://github.com/droolsjbpm/kie-wb-distributions/pull/151
master: https://github.com/droolsjbpm/kie-wb-distributions/pull/152
Fixed on master.
kie-wb-distributions master: https://github.com/droolsjbpm/kie-wb-distributions/commit/e42d4733c67c3e1af7cdd8f04794a3272d94dffe
In case it should be backported, please assign it back to me.
Verified on BPM Suite 6.3.0 ER1