RHBPMS-1406 (JBoss BPMS Platform)

[GSS](6.2.z) 6.2.0: Remote java API: cannot get tasks assigned to different users


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Fix Version: 6.2.3
    • Affects Version: 6.2.0
    • Component: Business Central
    • Labels: None

      +++ This bug was initially created as a clone of Bug #1310510 +++

      Description of problem:

      Customer wants to use different users for Task operation and for REST authentication. But it's not working with the BPMS 6.2 release; it fails with the below exception:

      org.kie.remote.client.api.exception.RemoteApiException: The user id used
      when retrieving task information (user1) must match the authenticating
      user (user2)!

      This was reported as BZ#1265568 but was closed as a "NOT a BUG".

      However, several customers need to get this use case to work.
      In fact, the following system property is prepared to bypass this restriction:

      -Dorg.kie.task.insecure=true

      but it does not work yet as expected.

      Version-Release number of selected component (if applicable):
      6.2.0

      Steps to Reproduce:
      1. Use one user credentials when using remote APIs
      2. Try to get tasks for another user.

      Actual results:
      org.kie.remote.client.api.exception.RemoteApiException: The user id used when retrieving task information (user1) must match the authenticating user (user2)!

      Expected results:
      It should be possible to somehow bypass this check to allow testing processes with tasks assigned to different users.

      Additional info:

      — Additional comment from JBoss Product and Program Management on 2016-02-22 00:10:08 EST —

      Since this issue was entered in Red Hat Bugzilla, the release flag has been
      set to ? to ensure that it is properly evaluated for this release.

      — Additional comment from Alessandro Lazarotti on 2016-02-22 10:13:43 EST —

      Hiroko, this is more an RFE than a bug.

      It is behaving as designed now, so it is not a bug.

      Please see the discussion at: https://issues.jboss.org/browse/BPMSPL-97.
      Add any information that you have from your customer (use case, expectation, if SSO helps, etc.); that will help to get it in the product soon.

      — Additional comment from Hiroko Miura on 2016-02-23 04:26:15 EST —

      Hi Alessandro,

      Thanks for your attention and sorry I did not notice BPMSPL-97.
      I understand well that the current behavior is the intended one for security reasons.

      Here is what the customer said in my case.

      I am willing to use the REST API of BPM Suite (business-central) in order to build a custom application that interacts with processes.

      There are several users for the custom application and these users are authenticated thanks to a central authentication system (like OAuth or CAS). Thus, the application doesn't have the full credentials of the users, only their names.
      In order for this application to use the REST API it needs to provide the credentials of a user with the rest-all role.

      I wanted to create a technical user for this.
      However, when I proceed (according to https://access.redhat.com/solutions/2129131) I face the following issue:
      org.kie.remote.client.api.exception.RemoteApiException: The user id used when retrieving task information (user) must match the authenticating user (tech_user)!
      at org.kie.services.client.api.command.AbstractRemoteCommandObject.preprocessCommand(AbstractRemoteCommandObject.java:175)

      Does this help?
      Should I update BPMSPL-97 with this information?

      — Additional comment from Abhijit humbe on 2016-03-01 07:11:08 EST —

      Hi Alessandro,

      As you mentioned in the previous comment, this behavior is expected. Then what is the use of the "-Dorg.kie.task.insecure=true" option?

      As per my understanding, if this option is set, it should bypass user authentication.

      — Additional comment from Marco Rietveld on 2016-03-15 08:56:49 EDT —

      PR Submitted: https://github.com/droolsjbpm/droolsjbpm-integration/pull/356

      By either setting the system property "org.kie.task.insecure" on the client side or otherwise using the "disableTaskSecurity()" method in the fluent RemoteRestRuntimeEngineBuilder, the user can now retrieve tasks that the user would not normally be able to see.
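Added example (not code from the PR, the report or the product) of the two client-side switches named above, querying tasks for another user while authenticating as the technical user from the customer's report. Assumed: the factory and builder live in org.kie.remote.client.api and expose addUrl/addUserName/addPassword/addDeploymentId/build (only disableTaskSecurity() is named on the page); host, deployment id and credentials are placeholders.

```java
import java.net.URL;
import java.util.List;

import org.kie.api.runtime.manager.RuntimeEngine;
import org.kie.api.task.model.TaskSummary;
import org.kie.remote.client.api.RemoteRestRuntimeEngineBuilder;   // assumed package
import org.kie.remote.client.api.RemoteRuntimeEngineFactory;       // assumed package
import org.kie.remote.client.api.exception.RemoteApiException;

public class TechnicalUserTaskQuery {

    // Builds a REST client authenticated as the technical user (the account
    // that holds the rest-all role). With insecure == true the client skips
    // its own "user id must match the authenticating user" precheck, the one
    // thrown from AbstractRemoteCommandObject.preprocessCommand in the report.
    static RuntimeEngine engine(boolean insecure) throws Exception {
        RemoteRestRuntimeEngineBuilder builder = RemoteRuntimeEngineFactory.newRestBuilder()
                .addUrl(new URL("http://bpms-host:8080/business-central")) // placeholder
                .addUserName("tech_user")                                  // placeholder
                .addPassword("tech_user_pw")                               // placeholder
                .addDeploymentId("org.example:sample-project:1.0");        // placeholder
        if (insecure) {
            builder.disableTaskSecurity();
            // Process-wide alternative with the same effect, from the report:
            // System.setProperty("org.kie.task.insecure", "true");
        }
        return builder.build();
    }

    // Potential-owner tasks of userId, fetched through the technical user's session.
    static List<TaskSummary> tasksFor(String userId, boolean insecure) throws Exception {
        return engine(insecure).getTaskService()
                .getTasksAssignedAsPotentialOwner(userId, "en-UK");
    }

    public static void main(String[] args) throws Exception {
        try {
            tasksFor("user", false);   // default: refused by the client precheck
        } catch (RemoteApiException e) {
            System.err.println("client precheck refused the query: " + e.getMessage());
        }
        // With the precheck disabled the request is sent; the server still
        // authorises tech_user by its own roles (rest-all), nothing else changes.
        for (TaskSummary t : tasksFor("user", true)) {
            System.out.println(t.getId() + " " + t.getName() + " " + t.getStatus());
        }
    }
}
```

The switch only removes the client's local check; it does not change what the server lets the technical user's roles do, so deployments relying on it should treat that account as a privileged one.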

      — Additional comment from Hiroko Miura on 2016-03-18 04:27:25 EDT —

      Hi Marco and Alessandro,

      Thank you very much for the fix of this issue.
      Can we think this will be integrated into 6.3.0?

      Should I open a bug for 6.2.x so that it will be included in 6.2.3 as well?

      Thank you.

      — Additional comment from Marco Rietveld on 2016-03-23 07:23:02 EDT —

      Fixed. Commits:

      6.4.x:
      https://github.com/droolsjbpm/droolsjbpm-integration/commit/429e4c28

      — Additional comment from Tomas Livora on 2016-03-31 05:06:09 EDT —

      Verified on BPM Suite 6.3.0 ER2

      https://gitlab.mw.lab.eng.bos.redhat.com/bxms/brms/commit/55f46bdee3b94b88ba5b19ccf885335a4572bf33

      However, I think it was not the best idea to name newly added method disableTaskSecurity() because a method with the same name but different purpose exists in RemoteJmsRuntimeEngineBuilder and so it may cause some confusion.

            Assignee: Marco Rietveld (Inactive)
            Reporter: Alessandro Lazarotti
            Tomáš Livora (Inactive)
            Participants: Abhijit Humbe, Alessandro Lazarotti, Guillaume Nieser (Inactive), Hiroko Miura, Kris Verlaenen, Marco Rietveld (Inactive), Tomáš Livora (Inactive)