Bug 823318 - jBPM console cannot initialize session when drools packages are signed
Product: JBoss Enterprise BRMS Platform 5
Classification: JBoss
Component: jBPM Console
BRMS 5.3.0.GA
Severity: urgent
Assigned To: Maciej Swiderski
Lukáš Petrovický
Reported: 2012-05-20 17:50 EDT by Jiri Locker
Modified: 2012-05-27 21:00 EDT

Doc Type: Bug Fix
Last Closed: 2012-05-22 13:41:29 EDT
Type: Bug

Attachments
server.log (192.83 KB, text/plain)
2012-05-20 17:50 EDT, Jiri Locker
Description Jiri Locker 2012-05-20 17:50:40 EDT
Created attachment 585680

Description of problem:
jBPM console is not prepared to handle drools packages that are signed. When signing of serialized rules packages is enabled in Guvnor, jBPM console fails to initialize the knowledge session.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. set up package signing in Guvnor http://docs.redhat.com/docs/en-US/JBoss_Enterprise_BRMS_Platform/5/html/BRMS_Administrator_Guide/chap-security.html#BRMS_AdminGuide-signing_config
2. create/import a package with some processes and build it
3. log in to http://localhost:8080/business-central/

Actual results:
The knowledge session fails to initialize and an exception is thrown. jBPM console doesn't allow providing package signing properties for the KnowledgeAgent that pulls packages from Guvnor.

Expected results:
It should be possible to pass signing properties
> drools.serialization.sign
> drools.serialization.public.keyStoreURL
> drools.serialization.public.keyStorePwd
to the console so that KA can deserialize signed packages and the session can be initialized.

Additional info:
The root exception message:

org.drools.RuntimeDroolsException: This environment is configured to work with signed serialized objects, but the given object is unsigned. Deserialization aborted.

says the contrary of how I described the issue. It sounds like jBPM console expected a signed package, which it was not. But I think it doesn't make sense that way. Please correct me if I misunderstood the issue.
Comment 1 Maciej Swiderski 2012-05-21 05:08:54 EDT
I believe this is not related to loading packages from Guvnor but to loading the session from the database. What is happening is that the session was persisted without a signature before, and after security was enhanced (sign serialization was enabled) the session cannot be loaded as it was stored unsigned, thus we see this error message.

Could you please confirm/refute the above?

I will work on setting up the environment as described.
Comment 2 Maciej Swiderski 2012-05-21 06:37:16 EDT
After setting up the environment with security enabled, I confirm that it will fail if the console tries to load a session that was created (and persisted) with security disabled. Due to that, there is a need to force the console to create a new session instead of loading one after turning security on. This can be done by deleting the jbpmSessionId.ser file that is located in {jboss.server.temp.dir}.

After this has been done, the console is able to read signed packages from Guvnor and load the signed session.
Comment 3 Jiri Locker 2012-05-22 13:41:29 EDT
I didn't mention the method I used to set serialization properties. I only placed them into jboss-brms.war/WEB-INF/classes/preferences.properties. Therefore I expected that only Guvnor would know signing is enabled. I didn't know that org.drools.guvnor.server.configurations.ApplicationPreferencesInitializer is used to set these preferences as System properties and so the environment was really configured to work with signed objects when the session was loaded by jbpm console.

Now I understand this issue is not a bug and only occurs when the console loads the session and signing preference was changed before the session was created.
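
The failure mode this thread arrives at, as an added Java illustration that is not part of the bug report and is not Drools code: state persisted while signing was off is refused once a JVM-wide system property turns signing on, and a freshly written session loads. The class name, the envelope layout and the property name demo.serialization.sign (standing in for drools.serialization.sign) are assumptions.

```java
import java.io.*;
import java.security.*;
// Added illustration, not Drools code. The envelope layout and property name are assumptions.
public class SignedSessionDemo {
    static final String SIGN_PROP = "demo.serialization.sign"; // stands in for drools.serialization.sign

    // Envelope: [payload length][payload][signature length][signature]; empty signature when signing is off.
    static byte[] write(Serializable obj, PrivateKey key) throws Exception {
        ByteArrayOutputStream payload = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(payload)) { oos.writeObject(obj); }
        byte[] sig = new byte[0];
        if (Boolean.getBoolean(SIGN_PROP)) {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(key);
            s.update(payload.toByteArray());
            sig = s.sign();
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(out);
        dos.writeInt(payload.size()); dos.write(payload.toByteArray());
        dos.writeInt(sig.length); dos.write(sig);
        return out.toByteArray();
    }

    // Checks the signature before any object is deserialized; unsigned blobs are refused when signing is on.
    static Object read(byte[] blob, PublicKey key) throws Exception {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(blob));
        byte[] payload = new byte[in.readInt()]; in.readFully(payload);
        byte[] sig = new byte[in.readInt()]; in.readFully(sig);
        if (Boolean.getBoolean(SIGN_PROP)) {
            if (sig.length == 0) throw new SecurityException("signing enabled, stored object is unsigned");
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(key);
            s.update(payload);
            if (!s.verify(sig)) throw new SecurityException("signature mismatch");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // constructed throwaway key
        byte[] old = write("session-1", kp.getPrivate());  // persisted while signing was off
        System.setProperty(SIGN_PROP, "true");              // JVM-wide: every webapp in the server sees it
        try { read(old, kp.getPublic()); }
        catch (SecurityException e) { System.out.println("old session rejected: " + e.getMessage()); }
        byte[] fresh = write("session-1", kp.getPrivate()); // session recreated after the switch
        System.out.println("fresh session loaded: " + read(fresh, kp.getPublic()));
    }
}
```

Discarding the old blob and writing a fresh one corresponds to deleting jbpmSessionId.ser as described in Comment 2.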
