[JBoss JIRA] (WFLY-13662) Weld Conversation Context Logs when not using Conversation Context
by Cody Lerum (Jira)
[ https://issues.redhat.com/browse/WFLY-13662?page=com.atlassian.jira.plugi... ]
Cody Lerum edited comment on WFLY-13662 at 7/13/20 4:55 PM:
------------------------------------------------------------
[~manovotn] I tested out some theories to find a reproducer and I think it may be possibly related to double clicked links and requests that are canceled by the browser while they are still in flight. I ran into an issue there and opened WFLY-13666
was (Author: clerum):
I tested out some theories to find a reproducer and I think it may be possibly related to double clicked links and requests that are canceled by the browser while they are still in flight. I ran into an issue there and opened WFLY-13666
> Weld Conversation Context Logs when not using Conversation Context
> ------------------------------------------------------------------
>
> Key: WFLY-13662
> URL: https://issues.redhat.com/browse/WFLY-13662
> Project: WildFly
> Issue Type: Bug
> Components: CDI / Weld, JSF
> Affects Versions: 20.0.1.Final
> Reporter: Cody Lerum
> Assignee: Matěj Novotný
> Priority: Major
>
> After upgrading to Widfly 20.0.1 from 18.0.1 I'm starting to receive show log errors regarding the CDI conversation context even though it is not used anywhere in the application.
> These did not present in the same application in 18.0.1.Final
> {code:java}
> 020-07-10 15:42:47,561 ERROR [io.undertow.request] (default task-273) UT005023: Exception handling request to /s/c/voice/fax/view.xhtml: java.lang.NullPointerException2020-07-10 15:42:47,562 WARN [org.jboss.weld.Servlet] (default task-273) WELD-000717: Unable to deactivate context org.jboss.weld.module.web.context.http.LazyHttpConversationContextImpl@25333df0 when destroying request HttpServletRequestImpl [ GET /s/c/voice/fax/view.xhtml ]
> 2020-07-10 15:42:48,165 WARN [org.jboss.weld.Conversation] (default task-273) WELD-000335: Conversation context is already active, most likely it was not cleaned up properly during previous request processing: HttpServletRequestImpl [ GET /i/ticket/46893 ] {code}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
6 years
[JBoss JIRA] (WFLY-13662) Weld Conversation Context Logs when not using Conversation Context
by Cody Lerum (Jira)
[ https://issues.redhat.com/browse/WFLY-13662?page=com.atlassian.jira.plugi... ]
Cody Lerum commented on WFLY-13662:
-----------------------------------
I tested out some theories to find a reproducer and I think it may be possibly related to double clicked links and requests that are canceled by the browser while they are still in flight. I ran into an issue there and opened WFLY-13666
> Weld Conversation Context Logs when not using Conversation Context
> ------------------------------------------------------------------
>
> Key: WFLY-13662
> URL: https://issues.redhat.com/browse/WFLY-13662
> Project: WildFly
> Issue Type: Bug
> Components: CDI / Weld, JSF
> Affects Versions: 20.0.1.Final
> Reporter: Cody Lerum
> Assignee: Matěj Novotný
> Priority: Major
>
> After upgrading to Widfly 20.0.1 from 18.0.1 I'm starting to receive show log errors regarding the CDI conversation context even though it is not used anywhere in the application.
> These did not present in the same application in 18.0.1.Final
> {code:java}
> 020-07-10 15:42:47,561 ERROR [io.undertow.request] (default task-273) UT005023: Exception handling request to /s/c/voice/fax/view.xhtml: java.lang.NullPointerException2020-07-10 15:42:47,562 WARN [org.jboss.weld.Servlet] (default task-273) WELD-000717: Unable to deactivate context org.jboss.weld.module.web.context.http.LazyHttpConversationContextImpl@25333df0 when destroying request HttpServletRequestImpl [ GET /s/c/voice/fax/view.xhtml ]
> 2020-07-10 15:42:48,165 WARN [org.jboss.weld.Conversation] (default task-273) WELD-000335: Conversation context is already active, most likely it was not cleaned up properly during previous request processing: HttpServletRequestImpl [ GET /i/ticket/46893 ] {code}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
6 years
[JBoss JIRA] (WFLY-13666) Loss of Servlet Context Data when request canceled.
by Cody Lerum (Jira)
Cody Lerum created WFLY-13666:
---------------------------------
Summary: Loss of Servlet Context Data when request canceled.
Key: WFLY-13666
URL: https://issues.redhat.com/browse/WFLY-13666
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 20.0.1.Final
Reporter: Cody Lerum
Assignee: Flavia Rainone
NPE occasionally raised in Wildfly 20.0.1 when the response a view is requested repeatedly from the same tab by rapidly double clicking.
This issue was found while trying to find a reproducer to WFLY-13662 so which could also be failing if some of the request context data is being lost.
{code:java}
14:49:14,782 ERROR [io.undertow.request] (default task-8) UT005023: Exception handling request to /demo/list.xhtml: java.lang.NullPointerException14:49:14,782 ERROR [io.undertow.request] (default task-8) UT005023: Exception handling request to /demo/list.xhtml: java.lang.NullPointerException at deployment.demo.war//org.ocpsoft.rewrite.servlet.RewriteFilter.getFilterCount(RewriteFilter.java:316) at deployment.demo.war//org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:208) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at deployment.demo.war//demo.DemoFilter.doFilter(DemoFilter.java:30) at javax.servlet.api@2.0.0.Final//javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:97) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530) at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530) at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530) at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78) at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99) at io.undertow.core@2.1.3.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:370) at io.undertow.core@2.1.3.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.base/java.lang.Thread.run(Thread.java:832) {code}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
6 years
[JBoss JIRA] (WFCORE-4817) CliArgumentsTestCase fails if _JAVA_OPTIONS environment variable defined
by Paul Ferraro (Jira)
[ https://issues.redhat.com/browse/WFCORE-4817?page=com.atlassian.jira.plug... ]
Paul Ferraro reassigned WFCORE-4817:
------------------------------------
Assignee: Paul Ferraro (was: Jeff Mesnil)
> CliArgumentsTestCase fails if _JAVA_OPTIONS environment variable defined
> ------------------------------------------------------------------------
>
> Key: WFCORE-4817
> URL: https://issues.redhat.com/browse/WFCORE-4817
> Project: WildFly Core
> Issue Type: Bug
> Components: Management
> Reporter: Paul Ferraro
> Assignee: Paul Ferraro
> Priority: Minor
>
> If the user has a _JAVA_OPTIONS environment variable defined, this test consistently fails - as it does not account for the fact that stuff may already have been written to stdout.
> e.g.
> {noformat}
> <failure message="expected:<[]Unknown argument: --...> but was:<[Picked up _JAVA_OPTIONS: -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dawt.useSystemAAFontSettings=gasp -Djdk.gtk.version=3 -Dsun.java2d.opengl=true ]Unknown argument: --...>" type="org.junit.ComparisonFailure"><![CDATA[org.junit.ComparisonFailure:
> expected:<[]Unknown argument: --...> but was:<[Picked up _JAVA_OPTIONS: -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dawt.useSystemAAFontSettings=gasp -Djdk.gtk.version=3 -Dsun.java2d.opengl=true
> ]Unknown argument: --...>
> {noformat}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
6 years
[JBoss JIRA] (DROOLS-1004) classloading errors in kie-server
by Karel Suta (Jira)
[ https://issues.redhat.com/browse/DROOLS-1004?page=com.atlassian.jira.plug... ]
Karel Suta commented on DROOLS-1004:
------------------------------------
Jaxb warnings are still present in Kie server logs.
I haven't seen the OSGI issue.
> classloading errors in kie-server
> ---------------------------------
>
> Key: DROOLS-1004
> URL: https://issues.redhat.com/browse/DROOLS-1004
> Project: Drools
> Issue Type: Bug
> Components: kie server
> Affects Versions: 6.3.0.Final
> Reporter: David Ward
> Assignee: Toshiya Kobayashi
> Priority: Major
>
> There appear to be some classloading errors in kie-server.war 6.3.0.Final-redhat-5 being deployed on JBoss EAP 6.4.4.
> *First, you get multiple jaxb and parser warnings like this:*
> {code}
> 11:58:47,603 WARN [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015960: Class Path entry jaxb-api.jar in /opt/eap/standalone/deployments/kie-server.war/WEB-INF/lib/jaxb-core-2.2.11.jar does not point to a valid jar for a Class-Path reference.
> 11:58:47,606 WARN [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015960: Class Path entry jaxb-core.jar in /opt/eap/standalone/deployments/kie-server.war/WEB-INF/lib/jaxb-impl-2.2.11.jar does not point to a valid jar for a Class-Path reference.
> 11:58:47,644 WARN [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015960: Class Path entry jaxb-core.jar in /opt/eap/standalone/deployments/kie-server.war/WEB-INF/lib/jaxb-xjc-2.2.11.jar does not point to a valid jar for a Class-Path reference.
> 11:58:47,644 WARN [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015960: Class Path entry jaxb-impl.jar in /opt/eap/standalone/deployments/kie-server.war/WEB-INF/lib/jaxb-xjc-2.2.11.jar does not point to a valid jar for a Class-Path reference.
> 11:58:47,713 WARN [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015893: Encountered invalid class name 'org.xmlpull.mxp1.MXParser,org.xmlpull.mxp1_serializer.MXSerializer' for service type 'org.xmlpull.v1.XmlPullParserFactory'
> {code}
> The above was noticed as part of CLOUD-421. Please refer to the jira issue and note Kev's comment, {quote}"The jaxb jars are duplicates that are unnecessary in the EAP deployments however the upstream war file contains all dependencies. Removing the jaxb jars from within the kie-server.war/WEB-INF/lib directory will likely work however I'm loathed to do this since we would need to verify this through the BRMS QE team.
> The warning about the parser is caused by the kie-server.war/WEB-INF/lib/xpp3_min-1.1.4c.jar"{quote}
> *Second, there can be missing osgi classes:*
> If kjar model classes contain certain annotations, it seems to trigger the kie-server to try to load osgi classes. For example, annotating kjar model classes with Position, PropertyReactive, and Remotable as per this test case:
> http://git.app.eng.bos.redhat.com/git/xpaas-qe.git/tree/test-brms/src/tes...
> , you end up with errors like this in the log when the KieContainer is being installed:
> {code}
> Caused by: java.lang.NoClassDefFoundError: org/osgi/util/tracker/ServiceTrackerCustomizer
> at java.lang.ClassLoader.defineClass1(Native Method) [rt.jar:1.8.0_65]
> at java.lang.ClassLoader.defineClass(ClassLoader.java:760) [rt.jar:1.8.0_65]
> at org.jboss.modules.ModuleClassLoader.doDefineOrLoadClass(ModuleClassLoader.java:361) [jboss-modules.jar:1.3.7.Final-redhat-1]
> at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:482) [jboss-modules.jar:1.3.7.Final-redhat-1]
> ... 77 more
> Caused by: java.lang.ClassNotFoundException: org.osgi.util.tracker.ServiceTrackerCustomizer from [Module "deployment.kie-server.war:main" from Service Module Loader]
> at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) [jboss-modules.jar:1.3.7.Final-redhat-1]
> at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.7.Final-redhat-1]
> at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.7.Final-redhat-1]
> at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.7.Final-redhat-1]
> at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.7.Final-redhat-1]
> ... 81 more
> {code}
> The above was noticed as part of CLOUD-418. To get around this issue, I had to add a kie-server.war/WEB-INF/jboss-deployment-structure.xml like so:
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-deployment-structure>
> <deployment>
> <dependencies>
> <module name="org.osgi.core"/>
> <module name="org.osgi.enterprise"/>
> </dependencies>
> </deployment>
> </jboss-deployment-structure>
> {code}
> The jboss-bpmsuite-6.2.0.GA-redhat-1-deployable-eap6.x.zip file (from which we extract the kie-sever.war) is seemingly an EAP-specific build (thus the -eap6.x suffix). So perhaps the fix would be to have the kie-server.war already come pre-configured to contain (or better yet, depend upon the existing modules) jars in EAP for both the above problems (incorrect jaxb/xmlpull references, and missing osgi dependencies).
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
6 years
[JBoss JIRA] (DROOLS-1003) incongruous security granularity in kie-server
by David Ward (Jira)
[ https://issues.redhat.com/browse/DROOLS-1003?page=com.atlassian.jira.plug... ]
David Ward updated DROOLS-1003:
-------------------------------
Priority: Minor (was: Major)
> incongruous security granularity in kie-server
> ----------------------------------------------
>
> Key: DROOLS-1003
> URL: https://issues.redhat.com/browse/DROOLS-1003
> Project: Drools
> Issue Type: Bug
> Components: kie server
> Affects Versions: 6.3.0.Final
> Reporter: David Ward
> Assignee: Toshiya Kobayashi
> Priority: Minor
> Attachments: web.xml
>
>
> The KIE Server provides two endpoints: HTTP/REST and JMS. By default, there is a "kie-server" role that one must have to perform operations through either endpoint. But by having this role, you can do *anything* in a very coarse-grained fashion.
> Luckily, the HTTP/REST endpoint can be modified by changing the kie-server.war/WEB-INF/web.xml, and adding/modifying the security constraints. For OpenShift purposes, this has been done to disallow creating and disposing containers, while still allowing for reading status and executing rules. This is because REST url-patterns can be filtered per various operations and also with different http-methods. (See attached web.xml for an example.)
> However, the JMS endpoint has no such capability. There is only one request queue with appserver security on it on a coarse-grained level, and no way to filter the messages as can be done via the HTTP/REST endpoint.
> I have an idea that might help? Clients invoke the server via serializing and sending in Command objects, and those objects themselves are fine-grained (they are named things like "CallContainerCommand" and "DisposeContainerCommand"). If the incoming messages could propagate some kind of property of who the caller was, then the server-side could do a isCallerInRole/isUserInRole to determine if that user is authorized to invoke that particular command before doing so. Just a brainstorming idea.
> Here is an example of the server handling the commands:
> https://github.com/droolsjbpm/droolsjbpm-integration/blob/6.2.x/kie-serve...
> The desired goal would be that developers (like myself) would not have to edit the kie-server.war/WEB-INF/web.xml, and that the same level of security granularity would already be available out-of-the-box for both the HTTP/REST and JMS interfaces. All that would be left for us would be to grant users the appropriate roles.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
6 years
[JBoss JIRA] (DROOLS-1003) incongruous security granularity in kie-server
by David Ward (Jira)
[ https://issues.redhat.com/browse/DROOLS-1003?page=com.atlassian.jira.plug... ]
David Ward commented on DROOLS-1003:
------------------------------------
Hi [~tkobayashi], I think this issue is low priority now, and I will update this Jira accordingly. Most people who use the kieserver do so using REST, not JMS. And if they are using JMS, it is almost always internal to a cluster and not exposed externally anyways. Last, I believe security roles have changed between 6 and 7, so this might not even be an issue anymore, but further investigation would have to be done to make sure.
> incongruous security granularity in kie-server
> ----------------------------------------------
>
> Key: DROOLS-1003
> URL: https://issues.redhat.com/browse/DROOLS-1003
> Project: Drools
> Issue Type: Bug
> Components: kie server
> Affects Versions: 6.3.0.Final
> Reporter: David Ward
> Assignee: Toshiya Kobayashi
> Priority: Major
> Attachments: web.xml
>
>
> The KIE Server provides two endpoints: HTTP/REST and JMS. By default, there is a "kie-server" role that one must have to perform operations through either endpoint. But by having this role, you can do *anything* in a very coarse-grained fashion.
> Luckily, the HTTP/REST endpoint can be modified by changing the kie-server.war/WEB-INF/web.xml, and adding/modifying the security constraints. For OpenShift purposes, this has been done to disallow creating and disposing containers, while still allowing for reading status and executing rules. This is because REST url-patterns can be filtered per various operations and also with different http-methods. (See attached web.xml for an example.)
> However, the JMS endpoint has no such capability. There is only one request queue with appserver security on it on a coarse-grained level, and no way to filter the messages as can be done via the HTTP/REST endpoint.
> I have an idea that might help? Clients invoke the server via serializing and sending in Command objects, and those objects themselves are fine-grained (they are named things like "CallContainerCommand" and "DisposeContainerCommand"). If the incoming messages could propagate some kind of property of who the caller was, then the server-side could do a isCallerInRole/isUserInRole to determine if that user is authorized to invoke that particular command before doing so. Just a brainstorming idea.
> Here is an example of the server handling the commands:
> https://github.com/droolsjbpm/droolsjbpm-integration/blob/6.2.x/kie-serve...
> The desired goal would be that developers (like myself) would not have to edit the kie-server.war/WEB-INF/web.xml, and that the same level of security granularity would already be available out-of-the-box for both the HTTP/REST and JMS interfaces. All that would be left for us would be to grant users the appropriate roles.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
6 years