imixs / imixs-workflow

The open source technology for business process management
http://www.imixs.org/
GNU General Public License v3.0

Change security test to @RoleAllowed #836

Closed Dev-ALPM closed 1 year ago

Dev-ALPM commented 1 year ago

servletRequest.isUserInRole() returns false with glassfish

Not tested with Wildfly

Test before accepting...

rsoika commented 1 year ago

Hi @Dev-ALPM, yes, your changes also work in Wildfly. But my goal in some of these methods was to return a Response.Status.UNAUTHORIZED. The @RoleAllowed results in an HTTP Error 500

hm....

You say you have problems with the isUserInRole method in glassfish. But this is often used in the core engine too. Like here: https://github.com/imixs/imixs-workflow/blob/50d516d0e22cc253c669185bf614509268d727d5/imixs-workflow-engine/src/main/java/org/imixs/workflow/engine/DocumentService.java#L304-L311C3

This should work in glassfish as we also run projects in production with this app server.

Can you test if a construction like this works for you:

    ...
    @Resource
    SessionContext ctx;   // EJB SessionContext injected by the container
    ....

    @Path("/{uniqueid : ([0-9a-f]{8}-.*|[0-9a-f]{11}-.*)}")
    public Response deleteEntity(@PathParam("uniqueid") String uniqueid) {

        // programmatic role check through the EJB context instead of the servlet request
        if (!ctx.isCallerInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS")) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        ItemCollection entity = documentService.load(uniqueid);
        if (entity != null) {
            documentService.remove(entity);
        }

        return Response.status(Response.Status.OK).build();
    }

Here I replaced servletRequest.isUserInRole() with ctx.isCallerInRole()
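An added example (not from the PR or the imixs-workflow code base) showing the other way to get the wanted status out of the declarative check: keep @RolesAllowed and map the container's access exception to a response instead of letting it surface as a 500. It assumes the resource is a stateless EJB on a Jakarta EE 9+ server (jakarta.* namespace), so the EJB container enforces @RolesAllowed, and that DocumentService and ItemCollection are the engine classes used in the snippet above; the resource class and mapper names are hypothetical.

```java
import jakarta.annotation.security.RolesAllowed;
import jakarta.ejb.EJB;
import jakarta.ejb.EJBAccessException;
import jakarta.ejb.Stateless;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.ExceptionMapper;
import jakarta.ws.rs.ext.Provider;
import org.imixs.workflow.ItemCollection;
import org.imixs.workflow.engine.DocumentService;

// Maps the EJBAccessException the container throws when @RolesAllowed rejects
// the caller. Without a mapper the JAX-RS runtime reports it as a generic 500,
// which is the behaviour observed in this PR.
@Provider
public class AccessDeniedMapper implements ExceptionMapper<EJBAccessException> {
    @Override
    public Response toResponse(EJBAccessException e) {
        // UNAUTHORIZED (401) matches what the existing handlers return.
        // Strictly, 403 FORBIDDEN is the accurate code for an authenticated
        // caller that lacks the role; whichever you choose, use it consistently
        // so clients can tell "log in" apart from "not allowed".
        return Response.status(Response.Status.UNAUTHORIZED).build();
    }
}

// Hypothetical resource: the role check is declarative, so no code path can
// skip it by forgetting the if-statement, and the status is set in one place.
@Stateless
@Path("/documents")
class DocumentDeleteResource {

    @EJB
    DocumentService documentService;  // assumed engine service, as in the snippet above

    @DELETE
    @Path("/{uniqueid : ([0-9a-f]{8}-.*|[0-9a-f]{11}-.*)}")
    @RolesAllowed("org.imixs.ACCESSLEVEL.MANAGERACCESS")
    public Response deleteEntity(@PathParam("uniqueid") String uniqueid) {
        ItemCollection entity = documentService.load(uniqueid);
        if (entity != null) {
            documentService.remove(entity);
        }
        return Response.status(Response.Status.OK).build();
    }
}
```

If the resource is a plain CDI bean rather than an EJB, enforcement of @RolesAllowed and the exception type depend on the server, so the mapper's type parameter has to match what that server actually throws.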

Dev-ALPM commented 1 year ago

Changed with your proposal. Works well with glassfish

rsoika commented 1 year ago

@Dev-ALPM This is great! I will merge it soon and do some more testing.