Bug 1295537 - [QE](6.2.z)REST API roles restrictions do not work on WebSphere and WebLogic
[QE](6.2.z)REST API roles restrictions do not work on WebSphere and WebLogic
Status: VERIFIED
Product: JBoss BPMS Platform 6
Classification: JBoss
Component: Business Central (Show other bugs)
6.2.0
Unspecified Unspecified
urgent Severity high
: CR1
: 6.2.1
Assigned To: Maciej Swiderski
Lukáš Petrovický
:
Depends On: 1272981 1283109
Blocks: 1288023
  Show dependency treegraph
 
Reported: 2016-01-04 14:06 EST by Alessandro Lazarotti
Modified: 2016-01-22 07:26 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1283109
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Alessandro Lazarotti 2016-01-04 14:06:20 EST
+++ This bug was initially created as a clone of Bug #1283109 +++

Description of problem:
When you try to execute some commands through REST API with a user without any REST-specific role, you will get SUCCESS response on WebSphere and WebLogic.

Version-Release number of selected component (if applicable):
6.2.0 ER5

Steps to Reproduce:
1. Set up BPMS on WebSphere or WebLogic
2. Create a user without any rest role
3. Try to execute some command with this user

Actual results:
No exception and SUCCESS response. 

Expected results:
Exception should be thrown

Additional info:
We have it covered by these tests:
https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/blob/master/test-jbpm-integration/src/test/java/org/jboss/qa/bpms/jbpm/integration/security/RestApiRoleAccessTest.java

All the *AccessDenied tests pass on EAP and EWS but fail on WebSphere and WebLogic.

--- Additional comment from Tomas Livora on 2015-11-18 04:55 EST ---

See that there is for example an attempt to claim the task by a user that should not be allowed to use REST API.

--- Additional comment from Tomas Livora on 2015-11-18 05:33 EST ---

The behaviour slightly differs on WebSphere. The following exception is thrown on the client side:

org.jboss.resteasy.client.ClientResponseFailure: RESTEASY001380: Input stream was empty, there is no entity

Note that all these tests use REST directly (without RemoteRuntimeEngine).

--- Additional comment from Marco Rietveld on 2015-11-24 09:17:53 EST ---

Maybe this is necessary? 

https://github.com/droolsjbpm/kie-wb-distributions/commit/e5bfecc2#diff-8f59b4c5bda82084ad873bbc8be03756L9

--- Additional comment from Maciej Swiderski on 2015-11-25 08:22:32 EST ---

WAS does work as expected based on my tests - still struggling with QE tests to run reliably locally but it might be same issue with cached credentials on HttpURLConnection as described here:
https://bugzilla.redhat.com/show_bug.cgi?id=1280313#c15

there are additional fixes required for WebLogic, pull requests created:
6.3.x:
https://github.com/droolsjbpm/kie-wb-distributions/pull/151
master:
https://github.com/droolsjbpm/kie-wb-distributions/pull/152

--- Additional comment from Kris Verlaenen on 2015-11-25 10:08:32 EST ---

Decided to postpone this to 6.2.1, so should not be merged to 6.3.x at this point, only once we start merging 6.2.1 issues.

--- Additional comment from Maciej Swiderski on 2015-12-01 13:52:19 EST ---

fixed on master

kie-wb-distributions
master:
https://github.com/droolsjbpm/kie-wb-distributions/commit/e42d4733c67c3e1af7cdd8f04794a3272d94dffe

in case it should be back ported please assign it back to me
Comment 1 Alessandro Lazarotti 2016-01-04 14:07:02 EST
Cloned BZ for patch updates (branch 6.3.x)
Comment 2 Maciej Swiderski 2016-01-07 03:06:07 EST
back ported to 6.3.x

kie-wb-distriybutions
6.3.x:
https://github.com/droolsjbpm/kie-wb-distributions/commit/d71df9c27dd2e2a1d9b73b36c27dbcc2fd12a0fc
Comment 3 Radovan Synek 2016-01-22 07:26:58 EST
Verified with BPMS-6.2.1

Note You need to log in before you can comment on or make changes to this bug.