Bug 986208 - Allow using different authentication methods for KIE Workbench (FORM) and for REST API (BASIC)
Status: CLOSED CURRENTRELEASE
Product: JBoss BPMS Platform 6
Classification: JBoss
Component: Business Central
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ER4
Target Release: 6.0.0
Assigned To: Mark Proctor
QA Contact: Jiri Locker
Keywords: TestBlocker
Duplicates: 1002720
Reported: 2013-07-19 04:48 EDT by Jiri Locker
Modified: 2014-08-06 16:11 EDT

Doc Type: Bug Fix
Last Closed: 2014-08-06 16:11:31 EDT
Type: Enhancement
Description Jiri Locker 2013-07-19 04:48:41 EDT
Description of problem:
Business Central login config uses the FORM authentication method (web.xml). With these settings, when calling the REST API (e.g. to issue repository or project operations), the response contains the login form's HTML source.

Version-Release number of selected component (if applicable):
DR6

How reproducible:


Steps to Reproduce:
1. 
2.
3.

Actual results:


Expected results:
Accessing http://localhost:8080/business-central/rest/something in a web browser should prompt for credentials (BASIC authentication), while opening http://localhost:8080/business-central/ should display a login form.

Additional info:
Comment 1 Jervis Liu 2013-07-19 05:26:03 EDT
Most REST APIs won't support a browser at all. For example, most Guvnor REST APIs return JSON, which requires the client to set the Accept header properly to application/json. It is not possible to set headers through a browser.

I would recommend using curl as the debugging tool.
Comment 2 Jiri Locker 2013-07-19 09:04:52 EDT
Thanks for the tip. curl will be helpful for further testing.
Comment 3 Jiri Locker 2013-07-22 04:58:49 EDT
We can work around the REST authentication by removing this element from web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>rest</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>kie-user</role-name>
    </auth-constraint>
</security-constraint>

However, the requirement to use the BASIC method for REST API authentication persists.
Comment 4 Jervis Liu 2013-08-06 23:09:11 EDT
Basic Authentication is supported now.

http://github.com/droolsjbpm/drools-wb/commit/111fed534
Comment 5 Jervis Liu 2013-08-19 00:06:45 EDT
There is still one thing missing from the previous fix: we need to return 401 unauthorized if the authentication fails. Our current code returns 200 with a login page as the response body.
Comment 7 Jiri Locker 2013-08-28 12:07:12 EDT
In case the Authorization header is missing from the request, an NPE [1] is thrown on the server and it returns an HTML report with the exception. 401 Unauthorized should be returned in this case as well as when wrong credentials are provided, right?

[1] servlet javax.ws.rs.core.Application threw exception: java.lang.NullPointerException
        at org.uberfire.security.server.auth.JACCAuthenticationScheme.buildCredential(JACCAuthenticationScheme.java:23) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
        at org.uberfire.security.server.auth.HttpAuthenticationManager.authenticate(HttpAuthenticationManager.java:116) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
        at org.uberfire.security.server.HttpSecurityManagerImpl.authenticate(HttpSecurityManagerImpl.java:214) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
        at org.uberfire.security.server.UberFireSecurityFilter.authenticate(UberFireSecurityFilter.java:304) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
        at org.uberfire.security.server.UberFireSecurityFilter.doFilter(UberFireSecurityFilter.java:249) [uberfire-security-server-0.3.0-redhat-1.jar:0.3.0-redhat-1]
Comment 8 Ivo Bek 2013-08-30 08:41:49 EDT
*** Bug 1002720 has been marked as a duplicate of this bug. ***
Comment 9 Ivo Bek 2013-09-10 03:00:30 EDT
Seems it could be a similar problem to the one in BZ 994905.
Comment 10 Jervis Liu 2013-09-11 06:22:38 EDT
Fixed. https://github.com/droolsjbpm/uberfire/commit/1055d3cc8

The server now returns 401 if the Authorization header is not provided.
Comment 14 Jiri Locker 2013-10-17 03:47:25 EDT
Fix verified in ER4.

Business Central uses FORM authentication and the REST API uses BASIC. Accessing /rest/* without an Authorization header returns 401 and doesn't cause a server-side exception.

Note: the 401 response is still not recognized as an authentication request by user agents (web browsers, REST clients), which I think may be due to the missing WWW-Authenticate response header. This is a suggestion for future improvement.

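As an added illustration (not UberFire's filter and not the code in the commits linked above), this hypothetical servlet filter shows the behaviour the comments converge on: mapped to /rest/* in web.xml, it challenges with BASIC and answers 401 plus a WWW-Authenticate header when the Authorization header is missing, malformed or carries wrong credentials, while the rest of Business Central keeps the container's FORM login. It assumes a Servlet 3.0 container (for request.login) and a constructed realm name.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter mapped to /rest/* in web.xml (not UberFire's code); the rest of the app keeps FORM login.
public class RestBasicAuthFilter implements Filter {
    private static final String REALM = "kie-rest";  // constructed realm name, not from the page

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        // Missing or non-Basic header: answer 401 with a challenge, never an NPE
        // and never a 200 that carries the HTML login form.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            challenge(response);
            return;
        }
        String[] creds;
        try {   // "user:password", base64-encoded; malformed input is treated like no header
            creds = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException malformedBase64) {
            creds = new String[0];
        }
        if (creds.length != 2) { challenge(response); return; }
        try {
            request.login(creds[0], creds[1]);  // Servlet 3.0: checks the container's realm
        } catch (ServletException wrongCredentials) {
            challenge(response);                // wrong credentials get 401 too, not a login page
            return;
        }
        if (!request.isUserInRole("kie-user")) {  // role named in the web.xml constraint above
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    // The WWW-Authenticate header is what makes user agents treat the 401 as a credential prompt.
    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```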