Issue Description
After upgrading from TIBCO JasperReports® Server v6.1 to TIBCO JasperReports® Server v7.1.0,
calls to the queryExecutor REST v2 endpoint (/rest_v2/queryExecutor) fail with the error '403 Forbidden - Access is denied'.
The calling user has ROLE_USER assigned and has read permission on the domain, so repository permissions are not what is blocking the call.
Explanation
TIBCO JasperReports® Server v7.1.0 decides which roles may reach a given URL from the URL access patterns in the
WEB-INF/applicationContext-security-pro-web.xml
configuration file (a Spring Security filter-security-metadata-source; patterns are Ant-style, compared in lowercase, and the first matching intercept-url wins):
[code]<security:filter-security-metadata-source id="filterInvocationInterceptorPROExtention" lowercase-comparisons="true" path-type="ant" request-matcher="ant">
    <security:intercept-url pattern="/adhoc/cacheadmin.html" access="ROLE_SUPERUSER" />
    <security:intercept-url pattern="/adhoc/cachedetail.html" access="ROLE_SUPERUSER" />
    <security:intercept-url pattern="/adhoc/querygovernorsettings.html" access="ROLE_SUPERUSER" />
    <security:intercept-url pattern="/log_settings.html" access="ROLE_SUPERUSER" />
    <security:intercept-url pattern="/customAttributes.html" access="ROLE_SUPERUSER" />
    <security:intercept-url pattern="/adminexport.html" access="ROLE_SUPERUSER" />
    <security:intercept-url pattern="/adminimport.html" access="ROLE_SUPERUSER" />
    <security:intercept-url pattern="/dataviewconverter.html" access="ROLE_USER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/dashboard/designer.html" access="ROLE_USER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/dashboard/viewer.html" access="ROLE_USER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/dashboard/exporter.html" access="ROLE_USER,ROLE_ADMINISTRATOR,ROLE_ANONYMOUS" />
    <security:intercept-url pattern="/rest_v2/reportgenerators/**" access="ROLE_USER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/rest_v2/domains/**" access="ROLE_USER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/rest_v2/queryexecutions/**" access="ROLE_USER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/rest_v2/export/**" access="ROLE_SUPERUSER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/rest_v2/import/**" access="ROLE_SUPERUSER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/rest_v2/hypermedia/**" access="ROLE_USER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/rest_v2/metadata/**" access="ROLE_USER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/rest_v2/dashboardExecutions/**" access="ROLE_USER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/rest_v2/diagnostic/**" access="ROLE_SUPERUSER" />
</security:filter-security-metadata-source>[/code]
In v7.1.0 the intercept-url that granted ROLE_USER access to the queryExecutor endpoint is no longer present in this list. Note that the /rest_v2/queryexecutions/** rule that is still there covers a different endpoint and does not match /rest_v2/queryExecutor, so a ROLE_USER request to queryExecutor is rejected by the URL-level filter before the repository permission check is ever reached; the missing rule is:
[code]<security:intercept-url pattern="/rest_v2/queryexecutor/**" access="ROLE_USER,ROLE_ADMINISTRATOR" />[/code]
To restore the v6.1 behaviour of the REST API, add this line manually inside the filterInvocationInterceptorPROExtention metadata source, next to the other /rest_v2/ rules. The pattern must be written in lowercase, because the metadata source uses lowercase-comparisons="true".
The file is only read at startup, so a server restart is required. Afterwards, verify the fix by repeating the queryExecutor call as the ROLE_USER user: it should now return the query result instead of 403. Keep a copy of the edited file, as it lives under the deployed web application and is overwritten by a redeploy or upgrade.
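The following script is an added example and is not TIBCO code. It audits a copy of applicationContext-security-pro-web.xml for the /rest_v2/queryexecutor/** rule, inserts it as a text edit (so comments and formatting in the real file survive) when it is missing, and models the metadata source's decision for a request path and a set of roles using a simplified Ant matcher with the same first-match-wins, lowercase-comparison semantics Spring Security applies here. It assumes the security namespace prefix is "security" as in the fragment above; the sample XML is constructed from that fragment with most rules trimmed. It only models this one metadata source, not the rest of the JasperReports Server filter chain.

```python
"""Audit/patch the queryExecutor URL rule in applicationContext-security-pro-web.xml.

Added example, not TIBCO/Jaspersoft code. The Ant matcher below is a
simplified model of Spring Security's AntPathRequestMatcher, sufficient
for the patterns in this file.
"""
import re
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
SOURCE_ID = "filterInvocationInterceptorPROExtention"
QE_PATTERN = "/rest_v2/queryexecutor/**"
QE_ACCESS = "ROLE_USER,ROLE_ADMINISTRATOR"

# Constructed sample: a trimmed 7.1.0 metadata source, queryexecutor rule absent.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:filter-security-metadata-source id="filterInvocationInterceptorPROExtention"
      lowercase-comparisons="true" path-type="ant" request-matcher="ant">
    <security:intercept-url pattern="/rest_v2/queryexecutions/**" access="ROLE_USER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/rest_v2/export/**" access="ROLE_SUPERUSER,ROLE_ADMINISTRATOR" />
    <security:intercept-url pattern="/rest_v2/diagnostic/**" access="ROLE_SUPERUSER" />
  </security:filter-security-metadata-source>
</beans>
"""


def metadata_source(root):
    """Locate the PRO extension metadata source by its id."""
    for el in root.iter(f"{{{SEC_NS}}}filter-security-metadata-source"):
        if el.get("id") == SOURCE_ID:
            return el
    raise ValueError(f"metadata source {SOURCE_ID} not found")


def rules(root):
    """Return (pattern, access) pairs in document order; order is what Spring evaluates."""
    src = metadata_source(root)
    return [(u.get("pattern"), u.get("access")) for u in src.findall(f"{{{SEC_NS}}}intercept-url")]


def has_queryexecutor_rule(root):
    return any(p.lower() == QE_PATTERN for p, _ in rules(root))


def patch_text(xml_text):
    """Insert the missing rule just before the metadata source's closing tag.

    Done as a string edit rather than re-serialising the tree, because
    ElementTree would drop the comments that the real file contains.
    Returns (new_text, changed).
    """
    if has_queryexecutor_rule(ET.fromstring(xml_text)):
        return xml_text, False
    start = xml_text.index(f'id="{SOURCE_ID}"')
    close = xml_text.index("</security:filter-security-metadata-source>", start)
    line = f'<security:intercept-url pattern="{QE_PATTERN}" access="{QE_ACCESS}" />\n  '
    return xml_text[:close] + line + xml_text[close:], True


def ant_to_regex(pattern):
    """Simplified Ant-style pattern: ** spans segments, * one segment, ? one char.

    A trailing /** also matches the bare base path, as Spring's matcher does.
    """
    tail = ""
    if pattern.endswith("/**"):
        pattern, tail = pattern[:-3], "(/.*)?"
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        c = pattern[i]
        parts.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + tail + "$")


def decide(root, path, user_roles):
    """First matching intercept-url wins; 'no-rule' means this source says nothing.

    The comparison is done in lowercase because of lowercase-comparisons="true",
    and the query string is not part of the matched path.
    """
    p = path.split("?", 1)[0].lower()
    for pattern, access in rules(root):
        if ant_to_regex(pattern.lower()).match(p):
            needed = {r.strip() for r in access.split(",")}
            return "granted" if needed & set(user_roles) else "denied"
    return "no-rule"


if __name__ == "__main__":
    before = ET.fromstring(SAMPLE_XML)
    print("before:", decide(before, "/rest_v2/queryExecutor", ["ROLE_USER"]))
    patched, changed = patch_text(SAMPLE_XML)
    print("after: ", decide(ET.fromstring(patched), "/rest_v2/queryExecutor", ["ROLE_USER"]))
```

To apply it to a real installation, read WEB-INF/applicationContext-security-pro-web.xml into a string, pass it through patch_text, write the result back, and restart the server. Because decide reports "no-rule" rather than "denied" for the unpatched file, it shows that the 403 comes from the absence of any rule for the path in this source, not from a rule that names ROLE_USER and rejects it.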
AS-20190320, case #01639277