Red Hat Bugzilla – Bug 1283109
REST API roles restrictions do not work on WebSphere and WebLogic
Last modified: 2018-01-30 23:42:43 EST
Created attachment 1095919 [details]
WebLogic client test log
Description of problem:
When you try to execute some commands through REST API with a user without any REST-specific role, you will get SUCCESS response on WebSphere and WebLogic.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up BPMS on WebSphere or WebLogic
2. Create a user without any rest role
3. Try to execute some command with this user
No exception and SUCCESS response.
Exception should be thrown
We have it covered by these tests:
All the *AccessDenied tests pass on EAP and EWS but fail on WebSphere and WebLogic.
Created attachment 1095920 [details]
WebLogic server test log
See that there is for example an attempt to claim the task by a user that should not be allowed to use REST API.
Created attachment 1095937 [details]
WebSphere test client log
The behaviour slightly differs on WebSphere. The following exception is thrown on the client side:
org.jboss.resteasy.client.ClientResponseFailure: RESTEASY001380: Input stream was empty, there is no entity
Note that all these tests use REST directly (without RemoteRuntimeEngine).
Maybe this is necessary?
WAS does work as expected based on my tests - still struggling with QE tests to run reliably locally but it might be same issue with cached credentials on HttpURLConnection as described here:
there are additional fixes required for WebLogic, pull requests created:
fixed on master
in case it should be back ported please assign it back to me
Verified on BPM Suite 6.3.0 ER1