Bug 1295537 - [QE](6.2.z)REST API roles restrictions do not work on WebSphere and WebLogic
Summary: [QE](6.2.z)REST API roles restrictions do not work on WebSphere and WebLogic
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss BPMS Platform 6
Classification: Retired
Component: Business Central
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: CR1
: 6.2.1
Assignee: Marco Rietveld
QA Contact: Lukáš Petrovický
URL:
Whiteboard:
Depends On: 1272981 1283109
Blocks: 1288023
TreeView+ depends on / blocked
 
Reported: 2016-01-04 19:06 UTC by Alessandro Lazarotti
Modified: 2020-03-27 20:02 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1283109
Environment:
Last Closed: 2020-03-27 20:02:39 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Alessandro Lazarotti 2016-01-04 19:06:20 UTC 
+++ This bug was initially created as a clone of Bug #1283109 +++

Description of problem:
When you try to execute some commands through REST API with a user without any REST-specific role, you will get SUCCESS response on WebSphere and WebLogic.

Version-Release number of selected component (if applicable):
6.2.0 ER5

Steps to Reproduce:
1. Set up BPMS on WebSphere or WebLogic
2. Create a user without any rest role
3. Try to execute some command with this user

Actual results:
No exception and SUCCESS response. 

Expected results:
Exception should be thrown

Additional info:
We have it covered by these tests:
https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/blob/master/test-jbpm-integration/src/test/java/org/jboss/qa/bpms/jbpm/integration/security/RestApiRoleAccessTest.java

All the *AccessDenied tests pass on EAP and EWS but fail on WebSphere and WebLogic.

--- Additional comment from Tomas Livora on 2015-11-18 04:55 EST ---

See that there is for example an attempt to claim the task by a user that should not be allowed to use REST API.

--- Additional comment from Tomas Livora on 2015-11-18 05:33 EST ---

The behaviour slightly differs on WebSphere. The following exception is thrown on the client side:

org.jboss.resteasy.client.ClientResponseFailure: RESTEASY001380: Input stream was empty, there is no entity

Note that all these tests use REST directly (without RemoteRuntimeEngine).

--- Additional comment from Marco Rietveld on 2015-11-24 09:17:53 EST ---

Maybe this is necessary? 

https://github.com/droolsjbpm/kie-wb-distributions/commit/e5bfecc2#diff-8f59b4c5bda82084ad873bbc8be03756L9

--- Additional comment from Maciej Swiderski on 2015-11-25 08:22:32 EST ---

WAS does work as expected based on my tests - still struggling with QE tests to run reliably locally but it might be same issue with cached credentials on HttpURLConnection as described here:
https://bugzilla.redhat.com/show_bug.cgi?id=1280313#c15

there are additional fixes required for WebLogic, pull requests created:
6.3.x:
https://github.com/droolsjbpm/kie-wb-distributions/pull/151
master:
https://github.com/droolsjbpm/kie-wb-distributions/pull/152

--- Additional comment from Kris Verlaenen on 2015-11-25 10:08:32 EST ---

Decided to postpone this to 6.2.1, so should not be merged to 6.3.x at this point, only once we start merging 6.2.1 issues.

--- Additional comment from Maciej Swiderski on 2015-12-01 13:52:19 EST ---

fixed on master

kie-wb-distributions
master:
https://github.com/droolsjbpm/kie-wb-distributions/commit/e42d4733c67c3e1af7cdd8f04794a3272d94dffe

in case it should be back ported please assign it back to me
Comment 1 Alessandro Lazarotti 2016-01-04 19:07:02 UTC 
Cloned BZ for patch updates (branch 6.3.x)
Comment 2 Maciej Swiderski 2016-01-07 08:06:07 UTC 
back ported to 6.3.x

kie-wb-distriybutions
6.3.x:
https://github.com/droolsjbpm/kie-wb-distributions/commit/d71df9c27dd2e2a1d9b73b36c27dbcc2fd12a0fc
Comment 3 Radovan Synek 2016-01-22 12:26:58 UTC 
Verified with BPMS-6.2.1
Note You need to log in before you can comment on or make changes to this bug.