Unable to get tasks assigned to users other than the authenticated user
Environment
- Red Hat JBoss BPM Suite (BPMS) 6.2+
Issue
- Unable to get tasks for other users through the Remote Java API;
- Unable to get tasks for other users through the Intelligent Process Server API or endpoints;
- The following error messages are thrown when the user specified for the Task operation differs from the user used for REST authentication:
org.kie.remote.client.api.exception.RemoteApiException: The user id used
when retrieving task information (user1) must match the authenticating
user (user2)!
or
ERROR [org.kie.server.remote.rest.jbpm.UserTaskResource] (default task-55) Unexpected error during processing id to load is required for loading: java.lang.IllegalArgumentException: id to load is required for loading
Resolution
This is the expected behavior, designed for security reasons. By default, authenticated users are supposed to see and perform actions only on their own tasks.
The following sections describe how to change this default behavior:
For Remote JAVA API
The security check can be disabled by setting the system property org.kie.task.insecure=true for the server where Business Central is running.
E.g., for JBoss EAP:
<system-properties>
    <property name="org.kie.task.insecure" value="true"/>
</system-properties>
On the client side, the same system property should also be set, or the method "disableTaskSecurity()" in the RemoteRuntimeEngineFactory should be used as follows:
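import java.net.URL;
import org.kie.api.runtime.manager.RuntimeEngine;
import org.kie.remote.client.api.RemoteRuntimeEngineFactory;
RuntimeEngine engine = RemoteRuntimeEngineFactory.newRestBuilder()
    .addUrl(new URL(APP_URL)).addUserName(USER)
    .addPassword(PASSWORD)
    .addDeploymentId(DEPLOYMENT_ID)
    .disableTaskSecurity().build(); // allow task user ids other than USER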
For Intelligent Process Server
The system property org.kie.server.bypass.auth.user=true should be set for the server where kie-server.war is running.
E.g., for JBoss EAP:
<system-properties>
    <property name="org.kie.server.bypass.auth.user" value="true"/>
</system-properties>
If the Intelligent Process Server Java Client API (kie-server client) is used to interact with the server, that property has to be configured on the client side too. The user parameter is then added to the REST URL (i.e. kie-server/services/rest/server/queries/tasks/instances/pot-owners?user=redhat_user&page=0&pageSize=200&sort=&sortOrder=true). However, if it is not used, append ?user=SOME_USERNAME to the related Task REST endpoints.
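Once either property above is set, the server accepts a task user id that differs from the authenticated user, so it helps to know which server configurations enable it. The following is an added example, not Red Hat's code: it scans a JBoss EAP configuration file for the two properties named in this article; the sample XML, its namespace and the KIE_BYPASS variable are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Properties this article names as disabling the per-user task check.
BYPASS_PROPERTIES = {
    "org.kie.task.insecure": "Business Central / Remote Java API task security check",
    "org.kie.server.bypass.auth.user": "Intelligent Process Server authenticated-user check",
}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_task_auth_bypass(xml_text):
    """Return (property, value, what it disables) for each enabled bypass property."""
    findings = []
    root = ET.fromstring(xml_text)
    for block in root.iter():
        if local_name(block.tag) != "system-properties":
            continue
        for prop in block:
            name = prop.get("name", "")
            value = (prop.get("value") or "").strip()
            # Flag "true" in any letter case, and expressions such as
            # ${env.X:true} whose default is true when the variable is unset.
            if value.startswith("${"):
                effective = value.rstrip("}").rsplit(":", 1)[-1]
            else:
                effective = value
            if name in BYPASS_PROPERTIES and effective.lower() == "true":
                findings.append((name, value, BYPASS_PROPERTIES[name]))
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.7">
  <system-properties>
    <property name="org.kie.task.insecure" value="true"/>
    <property name="org.kie.server.bypass.auth.user" value="${env.KIE_BYPASS:false}"/>
    <property name="org.kie.server.id" value="sample-server"/>
  </system-properties>
</server>"""

if __name__ == "__main__":
    for name, value, what in find_task_auth_bypass(SAMPLE_STANDALONE_XML):
        print(f"{name}={value}: disables the {what}")
```

The same properties can also be passed as -D options on the JVM command line, which this file scan does not see.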
Listing User Tasks Assigned As Potential Owner
If your User Task is assigned to a group, you would need to use getTasksAssignedAsPotentialOwner(String userId, List
Claiming tasks
Most operations, such as listing, initiating and completing tasks, can be done by following the steps above. However, claiming tasks on behalf of another user will not be possible if you are using the default Human Task callback JAASUserGroupCallback. See our knowledge base article about this: "Unable to claim tasks on behalf of another user".