Description of problem:
Business Central login config uses the FORM authentication method (web.xml). With this setting, when calling the REST API (e.g. to issue repository or project operations), the response contains the login form HTML source.

Version-Release number of selected component (if applicable):
DR6

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:
Accessing http://localhost:8080/business-central/rest/something in a web browser should prompt for credentials (BASIC authentication), while opening http://localhost:8080/business-central/ should display a login form.

Additional info:
Most REST APIs won't support a browser at all. For example, most Guvnor REST APIs return JSON, which requires the client to set the Accept header properly to application/json. It is not possible to set headers through a browser. I would recommend using curl as the debugging tool.
Thanks for the tip. curl will be helpful for further testing.
We can work around the REST authentication by removing this element from web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>rest</web-resource-name>
            <url-pattern>/rest/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>kie-user</role-name>
        </auth-constraint>
    </security-constraint>

However, the requirement to use the BASIC method for REST API authentication persists.
Basic Authentication is supported now. http://github.com/droolsjbpm/drools-wb/commit/111fed534
There is still one thing missing from the previous fix: we need to return 401 unauthorized if the authentication fails. Our current code returns 200 with a login page as the response body.
In case the Authorization header is missing from the request, an NPE [1] is thrown on the server and it returns an HTML report with the exception. 401 Unauthorized should be returned in this case as well as when wrong credentials are provided, right?

[1]
servlet javax.ws.rs.core.Application threw exception: java.lang.NullPointerException
    at org.uberfire.security.server.auth.JACCAuthenticationScheme.buildCredential(JACCAuthenticationScheme.java:23) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
    at org.uberfire.security.server.auth.HttpAuthenticationManager.authenticate(HttpAuthenticationManager.java:116) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
    at org.uberfire.security.server.HttpSecurityManagerImpl.authenticate(HttpSecurityManagerImpl.java:214) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
    at org.uberfire.security.server.UberFireSecurityFilter.authenticate(UberFireSecurityFilter.java:304) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
    at org.uberfire.security.server.UberFireSecurityFilter.doFilter(UberFireSecurityFilter.java:249) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
*** Bug 1002720 has been marked as a duplicate of this bug. ***
It seems it could be a similar problem to the one in BZ 994905.
Fixed. https://github.com/droolsjbpm/uberfire/commit/1055d3cc8 The server now returns 401 if the Authorization header is not provided.
Fix verified in ER4. Business Central uses FORM authentication and the REST API uses BASIC. Accessing /rest/* without an Authorization header returns 401 and doesn't cause a server-side exception. Note: the 401 response is still not recognized as an authentication request by user agents (web browsers, REST clients), which I think may be due to the missing WWW-Authenticate response header. This is a suggestion for future improvement.
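The behaviour this report converges on (comments 6, 7, 10 and 11), modelled as an added example in Python so it runs stand-alone; this is not Uberfire or Business Central code and does not reproduce UberFireSecurityFilter. It dispatches on the request path: /rest/* gets HTTP Basic and any missing, malformed or wrong Authorization header ends in a 401 that carries a WWW-Authenticate challenge (the header comment 11 notes was missing), while other paths keep FORM behaviour. REALM, USERS, LOGIN_FORM_HTML, the JSESSIONID stand-in and the function names are all constructed for the example.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field

# Constructed values for this example; a deployment takes them from its
# container security realm and login configuration.
REALM = "business-central"
LOGIN_FORM_HTML = "<html><body><form action='j_security_check'>...</form></body></html>"
USERS = {"demo-user": "demo-pass"}  # stand-in for the container's realm


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def basic_header(user, password):
    """Authorization header value a client such as `curl -u user:pass` sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(authorization):
    """Return (user, password) from a 'Basic <base64>' header value.

    Returns None when the header is absent, names another scheme, is not valid
    base64, or does not decode to 'user:password'. Treating the absent header
    as a normal outcome is the check whose absence produced the NPE in comment 7.
    """
    if authorization is None:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def check_credentials(user, password):
    """Constant-time comparison against the constructed user store."""
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def basic_challenge():
    """401 that user agents recognise as a request for Basic credentials.

    WWW-Authenticate is what makes a browser prompt and what REST clients look
    for; a bare 401 without it is just an error body.
    """
    return Response(
        status=401,
        headers={"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'},
        body="Unauthorized",
    )


def authenticate(path, headers):
    """Dispatch authentication on the request path (header names assumed canonical).

    /rest/* uses HTTP Basic: missing, malformed or wrong credentials stop the
    request with a 401 challenge, never a 200 login page or an exception.
    Other paths keep FORM authentication, which for an unauthenticated request
    means serving the login form. Returns (user, None) when the request may
    proceed, or (None, Response) when it is answered here.
    """
    if path == "/rest" or path.startswith("/rest/"):
        creds = parse_basic(headers.get("Authorization"))
        if creds is None or not check_credentials(*creds):
            return None, basic_challenge()
        return creds[0], None
    # FORM: a session cookie stands in for the container's authenticated
    # session; the j_security_check exchange itself is not modelled.
    if headers.get("Cookie", "").startswith("JSESSIONID="):
        return "session-user", None
    return None, Response(status=200, headers={"Content-Type": "text/html"}, body=LOGIN_FORM_HTML)


def is_recognised_challenge(response):
    """What a client needs in order to retry with credentials: a 401 whose
    WWW-Authenticate header names the Basic scheme. The same check applies to
    the output of `curl -i` when verifying a fix like the one in comment 10."""
    if response.status != 401:
        return False
    www_auth = response.headers.get("WWW-Authenticate", "")
    return www_auth.split(" ", 1)[0].lower() == "basic"
```

A response that is a 401 but fails is_recognised_challenge is exactly the state described in the verification note: the server refuses the request, but no browser prompt and no client credential retry will follow, because the response never said which scheme it wants.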