Bug 1295537 - [QE](6.2.z)REST API roles restrictions do not work on WebSphere and WebLogic
Product: JBoss BPMS Platform 6
Classification: JBoss
Component: Business Central
Priority: urgent
Severity: high
Target Milestone: CR1
Target Release: 6.2.1
Assigned To: Maciej Swiderski
QA Contact: Lukáš Petrovický
Depends On: 1272981 1283109
Blocks: 1288023
Reported: 2016-01-04 14:06 EST by Alessandro Lazarotti
Modified: 2018-01-30 23:45 EST

Doc Type: Bug Fix
Clone Of: 1283109
Type: Bug
Description Alessandro Lazarotti 2016-01-04 14:06:20 EST
+++ This bug was initially created as a clone of Bug #1283109 +++

Description of problem:
When you try to execute some commands through the REST API with a user without any REST-specific role, you get a SUCCESS response on WebSphere and WebLogic.

Version-Release number of selected component (if applicable):
6.2.0 ER5

Steps to Reproduce:
1. Set up BPMS on WebSphere or WebLogic
2. Create a user without any rest role
3. Try to execute some command with this user

Actual results:
No exception and a SUCCESS response.

Expected results:
An exception should be thrown.

Additional info:
We have it covered by these tests:

All the *AccessDenied tests pass on EAP and EWS but fail on WebSphere and WebLogic.

--- Additional comment from Tomas Livora on 2015-11-18 04:55 EST ---

See that there is for example an attempt to claim the task by a user that should not be allowed to use REST API.

--- Additional comment from Tomas Livora on 2015-11-18 05:33 EST ---

The behaviour slightly differs on WebSphere. The following exception is thrown on the client side:

org.jboss.resteasy.client.ClientResponseFailure: RESTEASY001380: Input stream was empty, there is no entity

Note that all these tests use REST directly (without RemoteRuntimeEngine).

--- Additional comment from Marco Rietveld on 2015-11-24 09:17:53 EST ---

Maybe this is necessary? 


--- Additional comment from Maciej Swiderski on 2015-11-25 08:22:32 EST ---

WAS does work as expected based on my tests. I am still struggling to get the QE tests to run reliably locally, but it might be the same issue with cached credentials on HttpURLConnection as described here:

There are additional fixes required for WebLogic; pull requests created:

--- Additional comment from Kris Verlaenen on 2015-11-25 10:08:32 EST ---

Decided to postpone this to 6.2.1, so should not be merged to 6.3.x at this point, only once we start merging 6.2.1 issues.

--- Additional comment from Maciej Swiderski on 2015-12-01 13:52:19 EST ---

Fixed on master.


In case it should be backported, please assign it back to me.
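The report above relies on a family of *AccessDenied tests that call REST endpoints as a user holding no REST role and expect a denial rather than a SUCCESS response. The following is an added example of that kind of smoke check, written here for illustration; it is not the project's own test code. The endpoint paths, the user name and the base URL are constructed placeholders, and the transport is injectable so the verdict logic can be exercised offline.

```python
"""Added example (not from the bug report or the BPMS test suite): call a set of
REST operations as a user who holds no REST role and flag every call that is
answered with a 2xx status instead of 401/403.

All endpoint paths, credentials and the default base URL are constructed
placeholders for illustration only."""
import base64
import urllib.error
import urllib.request
from dataclasses import dataclass

# Constructed list of operations a role-less user must NOT be able to execute.
# The paths are hypothetical, not taken from the product.
RESTRICTED_CALLS = [
    ("GET", "/rest/task/query"),      # hypothetical path
    ("POST", "/rest/task/1/claim"),   # hypothetical path
]


@dataclass
class Response:
    """Minimal view of an HTTP reply; only the status matters for the verdict."""
    status: int


def http_request(base_url, method, path, user, password, timeout=10):
    """Real transport: HTTP Basic auth via urllib.

    urllib raises HTTPError on 4xx/5xx, so the error is converted into a
    Response to let the verdict logic see the status code."""
    req = urllib.request.Request(base_url + path, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Response(resp.status)
    except urllib.error.HTTPError as err:
        return Response(err.code)


def verdict(resp):
    """Classify one reply for a user who is expected to be denied."""
    if resp.status in (401, 403):
        return "DENIED"
    if 200 <= resp.status < 300:
        # A 2xx means the role check was never applied: this is the bug.
        return "ALLOWED"
    return f"UNEXPECTED_{resp.status}"


def check_role_enforcement(base_url, user, password,
                           calls=RESTRICTED_CALLS, transport=http_request):
    """Return {(method, path): verdict} for every restricted call.

    `transport` is a callable with the signature of http_request, so a fake
    can be substituted to run the check offline."""
    results = {}
    for method, path in calls:
        resp = transport(base_url, method, path, user, password)
        results[(method, path)] = verdict(resp)
    return results


def enforcement_ok(results):
    """True only if every restricted call was denied."""
    return all(v == "DENIED" for v in results.values())


if __name__ == "__main__":
    import sys
    # Placeholder base URL and credentials; replace with the environment under test.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/business-central"
    res = check_role_enforcement(base, "norole-user", "placeholder-password")
    for (method, path), outcome in sorted(res.items()):
        print(f"{method:5} {path:30} {outcome}")
    sys.exit(0 if enforcement_ok(res) else 1)
```

Run with the base URL of the deployment as the first argument; a non-zero exit code means at least one call succeeded for a user who should have been refused, which is exactly the behaviour this bug describes.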
Comment 1 Alessandro Lazarotti 2016-01-04 14:07:02 EST
Cloned BZ for patch updates (branch 6.3.x)
Comment 2 Maciej Swiderski 2016-01-07 03:06:07 EST
Backported to 6.3.x.

Comment 3 Radovan Synek 2016-01-22 07:26:58 EST
Verified with BPMS-6.2.1
