Description of problem: Customer wants to use different users for Task operation and for REST authentication. But its not working with BPMS 6.2 release, it fails with below exception: org.kie.remote.client.api.exception.RemoteApiException: The user id used when retrieving task information (user1) must match the authenticating user (user2)! This was reported as bZ#1265568 but was closed as a "NOT a BUG". However,several customer needs to get this use case to work. In fact, the following system property is prepared to bypass this restriction -Dorg.kie.task.insecure=true but it does not work yet as expected. Version-Release number of selected component (if applicable): 6.2.0 Steps to Reproduce: 1. Use one user credentials when using remote APIs 2. Try to get tasks for another users. Actual results: org.kie.remote.client.api.exception.RemoteApiException: The user id used when retrieving task information (user1) must match the authenticating user (user2)! Expected results: It should be possible somehow bypass this check to allow testing processes with tasks assigned to different users. Additional info:
PR Submitted: https://github.com/droolsjbpm/droolsjbpm-integration/pull/356 By either setting the system property "org.kie.task.insecure" on the *client* side or otherwise using the "disableTaskSecurity()" method in the fluent RemoteRestRuntimeEngineBuilder, the user can now retrieve tasks that the user would not normally be able to see.
Fixed. Commits: 6.4.x: https://github.com/droolsjbpm/droolsjbpm-integration/commit/429e4c28
Verified on BPM Suite 6.3.0 ER2 https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/commit/55f46bdee3b94b88ba5b19ccf885335a4572bf33 However, I think it was not the best idea to name newly added method disableTaskSecurity() because a method with the same name but different purpose exists in RemoteJmsRuntimeEngineBuilder and so it may cause some confusion.