Red Hat Bugzilla – Bug 815757
User without proper permissions can identify invalid resources in ResourceManager.getXX
Last modified: 2013-10-17 12:10:21 EDT
Steps to Reproduce:
1. Create a user without any roles.
2. Log in
3. Call ResourceManager.getResource(0)
ResourceNotFoundException: A Resource with id 0 does not exist in inventory
Created attachment 579849
triaged 4/30/2012 by loleary, ccrouch, mfoley
Suggest this be closed, it's working as expected. It is not a permission exception to try and view a resource. Everyone has view privilege. If you can't actually see it then it is basically a ResourceNotFound, whether it exists or not.
While I tend to close this, I can see Viet's point.
This is with a user that only has access rights to a group of 2 resources:
org.rhq.enterprise.server.resource.ResourceNotFoundException: [Warning] A Resource with id 0 does not exist in inventory.
org.rhq.enterprise.server.authz.PermissionException: [Warning] User [Subject[id=10001,name=test]] does not have permission to view resource 
Here the resource with id 0 does not exist, while the user can't access the one with 10001.
In scenarios like username/password, the rule is e.g. not to expose on login failure whether the username is valid or not, so that an attacker can't use that information to narrow the attack path.
In above example, we might internally catch the PermissionException and return a ResourceNotFound one.
But then that will probably break existing scripts.
I see the semantic difference as well. Although given that this is not a customer issue and changing the behavior could be interpreted as an API breakage, I'm closing as Won't Fix.
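The existence oracle discussed in the thread, and the proposed fix (catch PermissionException internally and surface ResourceNotFound instead), as an added Python model. This is not RHQ code: the inventory, the view grants, the subject names and the two exception classes are constructed stand-ins for ResourceManager.getResource and the org.rhq exceptions. The enumerate_ids probe shows what a caller learns from each variant by walking a range of ids, which is the information the bug is about.

```python
"""Model of the getResource() existence oracle and the proposed uniform-error fix.

Constructed example, not RHQ code. INVENTORY and VIEW_GRANTS are made-up data;
the exception classes stand in for org.rhq.enterprise.server.resource.
ResourceNotFoundException and org.rhq.enterprise.server.authz.PermissionException.
"""


class ResourceNotFoundException(Exception):
    """Stand-in for the RHQ ResourceNotFoundException."""


class PermissionException(Exception):
    """Stand-in for the RHQ PermissionException."""


# Constructed inventory: resource id -> name. Any id not listed does not exist.
INVENTORY = {10001: "postgres-prod", 10002: "jboss-as-1", 10003: "jboss-as-2"}

# Constructed authz: subject name -> ids that subject may view.
# "test" mirrors the user in the thread with rights to a group of two resources;
# a subject missing from this dict has no roles at all.
VIEW_GRANTS = {"test": {10002, 10003}, "rhqadmin": set(INVENTORY)}


def get_resource_leaky(subject, resource_id):
    """Behaves like the reported getResource(): a different exception type for
    'does not exist' and for 'exists but you may not view it'."""
    if resource_id not in INVENTORY:
        raise ResourceNotFoundException(
            "A Resource with id %d does not exist in inventory." % resource_id)
    if resource_id not in VIEW_GRANTS.get(subject, set()):
        raise PermissionException(
            "User [%s] does not have permission to view resource" % subject)
    return INVENTORY[resource_id]


def get_resource_uniform(subject, resource_id):
    """The fix proposed in the thread: swallow PermissionException and raise
    ResourceNotFoundException, so the caller cannot distinguish an unknown id
    from a hidden one. Caveat from the thread: any existing script that catches
    PermissionException here would now see ResourceNotFoundException instead."""
    try:
        return get_resource_leaky(subject, resource_id)
    except PermissionException:
        raise ResourceNotFoundException(
            "A Resource with id %d does not exist in inventory." % resource_id) from None


def enumerate_ids(lookup, subject, candidate_ids):
    """Probe a range of ids the way an attacker would and return the set of ids
    the caller can conclude exist, whether or not it is allowed to view them."""
    exists = set()
    for rid in candidate_ids:
        try:
            lookup(subject, rid)
            exists.add(rid)          # returned a resource: visible and exists
        except PermissionException:
            exists.add(rid)          # hidden, but the error type confirms existence
        except ResourceNotFoundException:
            pass                     # unknown or hidden; caller cannot tell which
    return exists


if __name__ == "__main__":
    probe = range(10000, 10005)
    # A user without any roles learns every valid id from the leaky variant...
    print("leaky, no roles:  ", sorted(enumerate_ids(get_resource_leaky, "nobody", probe)))
    # ...and nothing at all from the uniform one.
    print("uniform, no roles:", sorted(enumerate_ids(get_resource_uniform, "nobody", probe)))
    print("uniform, 'test':  ", sorted(enumerate_ids(get_resource_uniform, "test", probe)))
```

With the leaky lookup, a subject with no roles still recovers the full set of valid ids (10001, 10002, 10003) by looking at which exception comes back; with the uniform lookup it recovers nothing, and the "test" user learns only the two ids it is already allowed to see.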