Red Hat Bugzilla – Bug 994905
A task operation is performed via REST API under anonymous user even though the user has set credentials
Last modified: 2016-09-20 01:04:57 EDT
Description of problem:
It's not possible to perform any task operation because the user is considered to be anonymous, so he doesn't have any permissions to do the operation. It shouldn't even be possible to do an operation without being logged in, since the REST API is fully secured.
I just create the ClientRequestFactory with UsernamePasswordCredentials and then do the rest/task/taskid/start operation.
It seems that the IdentityProvider doesn't return the logged-in user. https://github.com/droolsjbpm/droolsjbpm-integration/blob/master/kie-remote/kie-services-remote/src/main/java/org/kie/services/remote/rest/TaskResource.java
Ivo, could you provide some more information? The bug description is unclear to me.
I can imagine that it seems more than obvious to you what the problem is, but unfortunately I end up working on lots of different things during a week, so it takes me longer to get up to speed on exactly what the problem is. :)
If you could fill in the questions posed by Bugzilla (steps to reproduce, actual results, etc.), that would be great!
After further investigation I noticed that the issue (task is not started via REST API) only happens when I use the RESTEasy client this way:
// Apache HttpClient 4 + RESTEasy 2.x client. The beginning of the setCredentials line is missing from the report; AuthScope.ANY_HOST is assumed for the cut-off host argument.
DefaultHttpClient httpClient = new DefaultHttpClient();
httpClient.getCredentialsProvider().setCredentials(
        new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM),
        new UsernamePasswordCredentials(userId, password));
ClientExecutor clientExecutor = new ApacheHttpClient4Executor(httpClient);
return new ClientRequestFactory(clientExecutor, ResteasyProviderFactory.getInstance());
I also tried a REST client integrated in the browser, where the task execution works.
Did you see the email with subject "Task operation identity issue" I sent you on Aug 08? There are more details and links to our test suite.
Steps to Reproduce:
1. Start a process with human task
2. Start the task via REST API programmatically
3. See PermissionDeniedException in the server log containing "User '[UserImpl:'Anonymous']' does not have permissions to execution operation 'Start' on task id 1"
It seems it could be a similar problem to the one in BZ 986208, described in the last comments there.
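The client above puts the credentials in HttpClient's CredentialsProvider, which HttpClient 4 only consults after the server answers with a 401 challenge; if the protected URL never challenges (for example because it is behind a FORM login), the request goes out with no Authorization header and the server-side identity is anonymous. The bug does not say that this is the cause here, so the following is only an added example (not code from the bug report or from the kie-remote project) of how to rule that possibility out: a RESTEasy 2.x ClientRequestFactory that attaches a Basic Authorization header to every request up front. It assumes HttpClient 4.1+, RESTEasy 2.3+, and a hypothetical base URL and password.

```java
import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.auth.AuthenticationException;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.HttpContext;
import org.jboss.resteasy.client.ClientExecutor;
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.resteasy.client.ClientRequestFactory;
import org.jboss.resteasy.client.ClientResponse;
import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;
import org.jboss.resteasy.spi.ResteasyProviderFactory;

import java.io.IOException;

/**
 * Added example, not code from the bug or from kie-remote: a RESTEasy 2.x
 * client whose every request carries "Authorization: Basic ..." before any
 * 401 challenge (preemptive Basic auth). A CredentialsProvider alone is only
 * consulted after a challenge, so with a non-challenging endpoint the server
 * would see an anonymous caller.
 */
public class PreemptiveBasicAuthClient {

    // Hypothetical base URL; adjust to the deployment under test.
    private static final String BASE_URL = "http://localhost:8080/business-central/rest";

    /** Builds a factory that adds a Basic Authorization header to every outgoing request. */
    public static ClientRequestFactory createFactory(final String userId, final String password) {
        final UsernamePasswordCredentials creds = new UsernamePasswordCredentials(userId, password);
        DefaultHttpClient httpClient = new DefaultHttpClient();
        httpClient.addRequestInterceptor(new HttpRequestInterceptor() {
            @Override
            public void process(HttpRequest request, HttpContext context) throws HttpException, IOException {
                if (!request.containsHeader("Authorization")) {
                    try {
                        // BasicScheme builds the base64("user:password") header for us.
                        request.addHeader(new BasicScheme().authenticate(creds, request, context));
                    } catch (AuthenticationException e) {
                        throw new HttpException("could not build Basic auth header", e);
                    }
                }
            }
        }, 0); // position 0: run before HttpClient's own protocol interceptors
        ClientExecutor executor = new ApacheHttpClient4Executor(httpClient);
        return new ClientRequestFactory(executor, ResteasyProviderFactory.getInstance());
    }

    /**
     * Starts a task and returns the HTTP status. A 401/403 here, or a server
     * log line naming '[UserImpl:'Anonymous']', means the server-side
     * IdentityProvider never saw the credentials.
     */
    public static int startTask(ClientRequestFactory factory, long taskId) throws Exception {
        ClientRequest request = factory.createRequest(BASE_URL + "/task/" + taskId + "/start");
        ClientResponse<String> response = request.post(String.class);
        try {
            int status = response.getStatus();
            if (status == 401 || status == 403) {
                System.err.println("Rejected with HTTP " + status + ": credentials not accepted or not sent");
            }
            return status;
        } finally {
            response.releaseConnection();
        }
    }

    public static void main(String[] args) throws Exception {
        // "mary" is the user mentioned later in this bug; the password is a placeholder.
        String user = args.length > 0 ? args[0] : "mary";
        String password = args.length > 1 ? args[1] : "changeme";
        ClientRequestFactory factory = createFactory(user, password);
        System.out.println("HTTP status: " + startTask(factory, 1L));
    }
}
```

If the task starts with this client but not with the CredentialsProvider-only client, the difference is whether an Authorization header was on the first request; if both fail with the anonymous PermissionDeniedException, the credentials are arriving and the problem is on the server side, which is where the commits mentioned further down in this bug made their change.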
It's no longer possible to authenticate against the server in the way described above.
I've verified this with the following code (that connects to a running BPMS server with the Evaluation example deployed and with a user "mary" added to the server):
See the anonymousTaskInitiatorTest() test method in the above class.
Verified with this commit:
Would it be okay to mark this bug as CLOSED/WORKSFORME? (or maybe CLOSED/NOTABUG?).
I think that these commits are largely responsible for the change/fix:
These changes allowed us to use BASIC authentication with the normal web.xml (formerly, we had to use FORM authentication when the UI was active; now we can use FORM for the UI while simultaneously using BASIC for the REST services).
Oops, wrong BZ. :(
I think it would be better to change it to MODIFIED status and then ON_QA, because I'd like to verify it against BPMS 6.0.0.ER4. In BPMS 6.0.0.ER3 it still doesn't work:
org.jboss.resteasy.spi.UnauthorizedException: User '[UserImpl:'Anonymous']' does not have permissions to execution operation 'Start' on task id 18
Setting to MODIFIED as suggested.
Verified in BPMS 6.0.0.ER4