+++ This bug was initially created as a clone of Bug #1283109 +++

Description of problem:
When you try to execute some commands through REST API with a user without any REST-specific role, you will get SUCCESS response on WebSphere and WebLogic.

Version-Release number of selected component (if applicable):
6.2.0 ER5

Steps to Reproduce:
1. Set up BPMS on WebSphere or WebLogic
2. Create a user without any rest role
3. Try to execute some command with this user

Actual results:
No exception and SUCCESS response.

Expected results:
Exception should be thrown

Additional info:
We have it covered by these tests:
https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/blob/master/test-jbpm-integration/src/test/java/org/jboss/qa/bpms/jbpm/integration/security/RestApiRoleAccessTest.java
All the *AccessDenied tests pass on EAP and EWS but fail on WebSphere and WebLogic.

--- Additional comment from Tomas Livora on 2015-11-18 04:55 EST ---

See that there is for example an attempt to claim the task by a user that should not be allowed to use REST API.

--- Additional comment from Tomas Livora on 2015-11-18 05:33 EST ---

The behaviour slightly differs on WebSphere. The following exception is thrown on the client side:

org.jboss.resteasy.client.ClientResponseFailure: RESTEASY001380: Input stream was empty, there is no entity

Note that all these tests use REST directly (without RemoteRuntimeEngine).

--- Additional comment from Marco Rietveld on 2015-11-24 09:17:53 EST ---

Maybe this is necessary?
https://github.com/droolsjbpm/kie-wb-distributions/commit/e5bfecc2#diff-8f59b4c5bda82084ad873bbc8be03756L9

--- Additional comment from Maciej Swiderski on 2015-11-25 08:22:32 EST ---

WAS does work as expected based on my tests - still struggling with QE tests to run reliably locally but it might be same issue with cached credentials on HttpURLConnection as described here:
https://bugzilla.redhat.com/show_bug.cgi?id=1280313#c15

there are additional fixes required for WebLogic, pull requests created:
6.3.x: https://github.com/droolsjbpm/kie-wb-distributions/pull/151
master: https://github.com/droolsjbpm/kie-wb-distributions/pull/152

--- Additional comment from Kris Verlaenen on 2015-11-25 10:08:32 EST ---

Decided to postpone this to 6.2.1, so should not be merged to 6.3.x at this point, only once we start merging 6.2.1 issues.

--- Additional comment from Maciej Swiderski on 2015-12-01 13:52:19 EST ---

fixed on master

kie-wb-distributions
master: https://github.com/droolsjbpm/kie-wb-distributions/commit/e42d4733c67c3e1af7cdd8f04794a3272d94dffe

in case it should be back ported please assign it back to me

Cloned BZ for patch updates (branch 6.3.x)
back ported to 6.3.x

kie-wb-distributions
6.3.x: https://github.com/droolsjbpm/kie-wb-distributions/commit/d71df9c27dd2e2a1d9b73b36c27dbcc2fd12a0fc
Verified with BPMS-6.2.1