Red Hat Bugzilla – Bug 1295537
[QE](6.2.z)REST API roles restrictions do not work on WebSphere and WebLogic
Last modified: 2016-01-22 07:26:58 EST
+++ This bug was initially created as a clone of Bug #1283109 +++
Description of problem:
When you try to execute some commands through the REST API with a user without any REST-specific role, you will get a SUCCESS response on WebSphere and WebLogic.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up BPMS on WebSphere or WebLogic
2. Create a user without any REST role
3. Try to execute some command with this user
Actual results:
No exception and SUCCESS response.
Expected results:
Exception should be thrown.
We have it covered by these tests:
All the *AccessDenied tests pass on EAP and EWS but fail on WebSphere and WebLogic.
--- Additional comment from Tomas Livora on 2015-11-18 04:55 EST ---
See that there is, for example, an attempt to claim the task by a user who should not be allowed to use the REST API.
--- Additional comment from Tomas Livora on 2015-11-18 05:33 EST ---
The behaviour slightly differs on WebSphere. The following exception is thrown on the client side:
org.jboss.resteasy.client.ClientResponseFailure: RESTEASY001380: Input stream was empty, there is no entity
Note that all these tests use REST directly (without RemoteRuntimeEngine).
--- Additional comment from Marco Rietveld on 2015-11-24 09:17:53 EST ---
Maybe this is necessary?
--- Additional comment from Maciej Swiderski on 2015-11-25 08:22:32 EST ---
WAS does work as expected based on my tests. I'm still struggling to get the QE tests to run reliably locally, but it might be the same issue with cached credentials on HttpURLConnection as described here:
There are additional fixes required for WebLogic; pull requests created:
--- Additional comment from Kris Verlaenen on 2015-11-25 10:08:32 EST ---
Decided to postpone this to 6.2.1, so should not be merged to 6.3.x at this point, only once we start merging 6.2.1 issues.
--- Additional comment from Maciej Swiderski on 2015-12-01 13:52:19 EST ---
Fixed on master.
In case it should be backported, please assign it back to me.
Cloned BZ for patch updates (branch 6.3.x)
Backported to 6.3.x.
Verified with BPMS-6.2.1