5 Replies Latest reply on Jul 31, 2014 12:21 PM by samboy_05

    Human tasks created using RemoteJmsRuntimeEngineFactory getting PermissionDeniedException on start and claim.

    samboy_05

      I am currently in the process of analyzing jBPM6.0.1 for our Orchestration needs. We are interested in the KIEWorkbench to centrally house , Deploy and Run our processes.

       

      I have written a sample client to connect to KIE Workbench and run the process using both REST and JMS mechanisms .

       

      The jbpm console jbpm-console-6.0.1.Final.war is deployed on an EAP 6.2 with standalone-full.xml .

       

      The issue is that when a Process is started using a runtime obtained using RemoteJmsRuntimeEngineFactory , starting the human task in the process is resulting in the exception

       

      Exception in thread "main" org.kie.services.client.api.command.RemoteRuntimeException: KieRemoteServicesRuntimeException thrown with message 'Unable to execute CompositeCommand because of PermissionDeniedException: User '[UserImpl:'krisv']' does not have permissions to execution operation 'Start' on task id 3'      at org.kie.services.client.api.command.AbstractRemoteCommandObject.executeJmsCommand(AbstractRemoteCommandObject.java:283)      at org.kie.services.client.api.command.AbstractRemoteCommandObject.execute(AbstractRemoteCommandObject.java:112)      at org.jbpm.services.task.impl.command.CommandBasedTaskService.start(CommandBasedTaskService.java:245)


      Exception on the Server console running jbpm-console

      19:13:22,741 INFO  [org.jboss.as.naming] (Remoting "home-pc" task-2) JBAS011806: Channel end notification received, closing channel Channel ID 16afcdc9 (inbound) of Remoting connection 42de3587 to null 19:15:52,674 WARN  [org.kie.services.remote.jms.RequestMessageBean] (Thread-12 (HornetQ-client-global-threads-26570831)) Unable to execute CompositeCommand because of PermissionDeniedException: User '[UserImpl:'krisv']' does not have permissions to execution operation 'Start' on task id 3: org.jbpm.services.task.exception.PermissionDeniedException: User '[UserImpl:'krisv']' does not have permissions to execution operation 'Start' on task id 3      at org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.evalCommand(MVELLifeCycleManager.java:98) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.taskOperation(MVELLifeCycleManager.java:322) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.jbpm.services.task.identity.UserGroupLifeCycleManagerDecorator.taskOperation(UserGroupLifeCycleManagerDecorator.java:46) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.jbpm.services.task.impl.TaskInstanceServiceImpl.start(TaskInstanceServiceImpl.java:200) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.jbpm.services.task.commands.StartTaskCommand.execute(StartTaskCommand.java:48) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.jbpm.services.task.commands.StartTaskCommand.execute(StartTaskCommand.java:30) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.jbpm.services.task.commands.CompositeCommand.execute(CompositeCommand.java:38) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.kie.services.remote.util.ExecuteAndSerializeCommand.execute(ExecuteAndSerializeCommand.java:24) [kie-services-remote-6.0.1.Final.jar:6.0.1.Final]      at org.jbpm.services.task.commands.TaskCommandExecutorImpl$SelfExecutionCommandService.execute(TaskCommandExecutorImpl.java:65) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.drools.core.command.impl.AbstractInterceptor.executeNext(AbstractInterceptor.java:41) [drools-core-6.0.1.Final.jar:6.0.1.Final]      at org.jbpm.services.task.persistence.TaskTransactionInterceptor.execute(TaskTransactionInterceptor.java:53) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.jbpm.services.task.commands.TaskCommandExecutorImpl.execute(TaskCommandExecutorImpl.java:40) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.jbpm.services.task.impl.command.CommandBasedTaskService.execute(CommandBasedTaskService.java:128) [jbpm-human-task-core-6.0.1-20140120.jar:6.0.1-SNAPSHOT]      at org.kie.services.remote.jms.RequestMessageBean.processJaxbCommandsRequest(RequestMessageBean.java:360) [kie-services-remote-6.0.1.Final.jar:6.0.1.Final]      at org.kie.services.remote.jms.RequestMessageBean.onMessage(RequestMessageBean.java:194) [kie-services-remote-6.0.1.Final.jar:6.0.1.Final]      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_51]      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_51]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51]

       

      The code used to start the process looks like this :

       

      public void runJbpmTest(){
        Map<String ,Object> params= new HashMap<>();
        params.put("decision", Boolean.TRUE);
        ProcessInstance pi = service.startBusinessProcess("jBPM6Poc.Compendium",params); // service object has both KIESession and TaskService and is used to expose their methods and maintain sanity
        //Thread.sleep(100);
        List<Long> taskIds =service.getActiveTasks(pi.getId());
      
        if(taskIds!=null && taskIds.size()>0){
          Task task = service.getTaskById(taskIds.get(0));
          System.out.println("Process Instance id obtained:"+pi.getId());
          Status status = task.getTaskData().getStatus();
          if (status.name().equals("Created")) {
        service.claimTask(taskIds.get(0),"krisv");
        service.startTask(taskIds.get(0),"krisv");
          }else if(status.name().equals("Reserved")||status.name().equals("Ready")){
        System.out.println("Starting Task : pid"+pi.getId()+" Task id:"+taskIds.get(0));
        service.startTask(taskIds.get(0),"krisv");
          }
          System.out.println("Completing Task :  Task id:"+taskIds.get(0));
          service.completeTask(taskIds.get(0), "krisv", params);
        }
      }
      
      

       

      As you can see that the code is in accordance with the HumanTask Life cycle and I am attempting start only if the Satus is Ready , Which it is when line 17 is executing..

       

      Looks to me that the method org.jbpm.services.task.internals.lifecycle.MVELLifeCycleManager.isAllowed(OperationCommand, Task, User, List<String>)  is returning false for some reason.

       

      If I run the same code using KIESession and TaskService obtained using the REST client (RemoteRestRuntimeFactory) everything runs just fine !


      The mechanism described in the documentation is used to connect to HornetQ

       

      I am using stock users.properties and roles.properties for authentication . My standalone.xml for EAP6.2 is attached.

       

      This is how my Process looks like:

      CaptureJbpm.JPG

       

      salaboy21 can you help ? it is pretty urgent.

        • 1. Re: Human tasks created using RemoteJmsRuntimeEngineFactory getting PermissionDeniedException on start and claim.
          salaboy21

          Hi Samrat,

          If you are getting a PermissionDeniedException it's because the user can do that on that task. Maybe because the user krisv is not in the group that your task is.

          Notice that if you are running against the jbpm runtime in the application server you need to have the users and roles defined there using the <jboss-as>/bin/add-user.sh script. Look at the docs to see more information about that.

          HTH

           

          Regards

          • 2. Re: Human tasks created using RemoteJmsRuntimeEngineFactory getting PermissionDeniedException on start and claim.
            samboy_05

            Thanks for the prompt answer Mauricio ,

             

            I did take care of adding users to EAP, the User krisv is already added and is a part of Application Realm in EAP , the same Username Password is used while adding the user to EAP as the username/password in users.properties. (krisv/Krisv_12).

             

            It should not be a Group /User issue at the task level because if call the same piece of code when initializing KIESession and TaskService using the RemoteRestRuntimeFactory it Works absolutely alright ! Moreover krisv is a part of analyst group and so is the task , please refer the screenshot in the question

             

            This is how my users.properties looks like

             

            admin=admin

            krisv=Krisv_12

            john=john

            mary=mary

            sales-rep=sales-rep

            katy=katy

            jack=jack

            salaboy=salaboy

            samrat=samrat

            amalpani=asd@asd123

            This is how my role.properties looks like:


            admin=admin,analyst

            krisv=admin,analyst

            john=analyst,Accounting,PM

            mary=analyst,HR

            sales-rep=analyst,sales

            jack=analyst,IT

            katy=analyst,HR

            salaboy=admin,analyst,IT,HR,Accounting

            samrat=admin,analyst

            amalpani=admin,analyst

             

            This is how my application-users.properties looks like

             

            krisv=f13bfa61128e5081bdaa6905d1ca2a9b

            This is how my application-roles.properties looks like:


            krisv=admin,analyst,guest,user

             

            The standalone.xml  I am using is already attached to the question.

             

            salaboy21

            • 3. Re: Human tasks created using RemoteJmsRuntimeEngineFactory getting PermissionDeniedException on start and claim.
              salaboy21

              I think that's the problem. You are mixing roles with task groups. Try changing the task to a group with a name different from the roles, and then add the same group to the user. look at the user salaboy that has the roles: Admin and Analyst, but he belongs to the IT, HR and Accounting groups (these last three can be used in the GroupId of your tasks.

               

              HTH.

               

              Regards

              • 4. Re: Re: Human tasks created using RemoteJmsRuntimeEngineFactory getting PermissionDeniedException on start and claim.
                samboy_05

                Thank you for your continued support salaboy21 !I

                 

                I did what you said but still got the same exception :

                1. Created Initial context  using the USER/Pass = krisv/Krisv_12
                2. Created RemoteJmsRuntimeEngineFactory using the hence created initialContext , and username password as krisv/Krisv_12
                3. Changed groupId of the task to Accounting in KIEWorkbench
                4. Deployed the changes.
                5. Tried to startTask using the user "salaboy" and got the PermissionDeniedException again !

                 

                Does it have anything to do with the roles specified in HornetQ settings ?

                This is how hornet q security is setup in Standalone.XML

                               <security-settings>
                                    <security-setting match="#">
                                        <permission type="send" roles="guest user admin analyst"/>
                                        <permission type="consume" roles="guest user admin analyst"/>
                                        <permission type="createNonDurableQueue" roles="guest user admin analyst"/>
                                        <permission type="deleteNonDurableQueue" roles="guest user admin analyst"/>
                                    </security-setting>
                                </security-settings>
                
                

                 

                Also , can you point to the source code of the jbpm-console-6.0.1.Final.war  ?

                 

                 

                I would like to import an debug the ServerSide code too , and figure out what exactly the problem is , and what roles etc are received by the server.

                • 5. Re: Human tasks created using RemoteJmsRuntimeEngineFactory getting PermissionDeniedException on start and claim.
                  samboy_05

                  Can somone point to the source for jbpm-console-6.0.1.Final.war ? I ineed to run it in debug mode !

                   

                  salaboy21 , krisverlaenen