Question
TCS
GB
Last activity: 13 Jun 2018 12:52 EDT
Authentication modification permitted via privileged path only - invalid caller
Hi PSC team..
we are having an issue with our application that is on Pega 7.2.2 + SI 7.11. This service is re-usable one and multiple business process/apps can use it and we are just one of the business process/.application to use it.
Pega application is hosting a service which takes request from upstream system and creates a case. its a soap integration.
Pega service package has the authentication disabled. also on the incoming soap request header, we don't get the user id and password that can be used to authenticate the incoming request.
Rather we get a value in a soap request called process type, based on which our service activity will identify the model operator that ahs to be used for the authentication & case creation context. once we identify the model operator, we use the below code :
com.pega.pegarules.pub.context.PRAuthentication auth = pega.getAuthenticationHandle();
auth.setUserSecurityProfile(pega, UserID);
on doing so we get the error -
2018-06-01 12:00:07,515 [ WebContainer : 14] [ STANDARD] [ ] [ Group:01.01.01] (.authentication.Authentication) ERROR zzzzzzz.machine.test.group|10.xx.xx.xxx|SOAP|GenericDocMgmtServicePackage|Services|GenericNotify|AD035BDF87C5717896BD43D453D68CF78 - Authentication modification permitted via privileged path only - invalid caller: RULE-OBJ-ACTIVITY GROUP-INT-DOCMGMT GENERICNOTIFY #20180531T074219.949 GMT
Hi PSC team..
we are having an issue with our application that is on Pega 7.2.2 + SI 7.11. This service is re-usable one and multiple business process/apps can use it and we are just one of the business process/.application to use it.
Pega application is hosting a service which takes request from upstream system and creates a case. its a soap integration.
Pega service package has the authentication disabled. also on the incoming soap request header, we don't get the user id and password that can be used to authenticate the incoming request.
Rather we get a value in a soap request called process type, based on which our service activity will identify the model operator that ahs to be used for the authentication & case creation context. once we identify the model operator, we use the below code :
com.pega.pegarules.pub.context.PRAuthentication auth = pega.getAuthenticationHandle();
auth.setUserSecurityProfile(pega, UserID);
on doing so we get the error -
2018-06-01 12:00:07,515 [ WebContainer : 14] [ STANDARD] [ ] [ Group:01.01.01] (.authentication.Authentication) ERROR zzzzzzz.machine.test.group|10.xx.xx.xxx|SOAP|GenericDocMgmtServicePackage|Services|GenericNotify|AD035BDF87C5717896BD43D453D68CF78 - Authentication modification permitted via privileged path only - invalid caller: RULE-OBJ-ACTIVITY GROUP-INT-DOCMGMT GENERICNOTIFY #20180531T074219.949 GMT
GROUP-INT-DOCMGMT GENERICNOTIFY - this is our service activity. From this activity we call our custom code - SwitchOperatorForGS() with applies t o class of Code-Security.
on our service activity, the Require authentication to run is un checked and Allow direct invocation from the client or a service is checked.
In this activity, we set the value for UserID (based on our business process model operator id) and invoke below steps:
com.pega.pegarules.pub.context.PRAuthentication auth = pega.getAuthenticationHandle();
auth.setUserSecurityProfile(pega, UserID);
is this a kind of known issue?
have attached the entire error stack trace for reference.
Pegasystems Inc.
IN
Which Pega version you’re in ?
I found below existing articles you might want to go through this
https://community.pega.com/support/support-articles/custom-authentication-soap-service
https://community.pega.com/support/support-articles/unable-schedule-aut-test-suite
https://community.pega.com/support/support-articles/authentication-error-causes-broken-queue-items
Thanks,
Arun
TCS
GB
we are using Pega 7.2.2
Thanks for your response and providing the articles. But those articles are quite different.
also the same scenario/code working fine on a lower version of Pega which is 6.2 sp2.
I have gone over the implementation of com.pega.pegarules.session.internal.mgmt.authentication.Authentication which is throwing the error and notice below code on the Pega prprivate.jar.
if ((gSecureMethods == 1) || (aForceExternal))
{
IExecutable prevExecutable = theExecutable;
while ((theExecutable != null) && (theExecutable.getCaller() != null))
{
prevExecutable = theExecutable;
activityClassName = theExecutable.getActivityClassName();
if ((activityClassName == null) || (!(activityClassName.startsWith("RULE-OBJ-ACTIVITY CODE-SECURITY ")))) {
oLog.error("Authentication modification permitted via privileged path only - invalid caller: " + activityClassName);
throw new PRSecurityException("Invalid request");
}
theExecutable = theExecutable.getCaller();
}
would like to understand why we are getting the error because we have a service activity that is on Int layer and from there we call our custom activity - SwitchOperatorForGS that is on Code-Security and from there we invoke the Pega OOTB- setUserSecurityProfile via below code:
we are using Pega 7.2.2
Thanks for your response and providing the articles. But those articles are quite different.
also the same scenario/code working fine on a lower version of Pega which is 6.2 sp2.
I have gone over the implementation of com.pega.pegarules.session.internal.mgmt.authentication.Authentication which is throwing the error and notice below code on the Pega prprivate.jar.
if ((gSecureMethods == 1) || (aForceExternal))
{
IExecutable prevExecutable = theExecutable;
while ((theExecutable != null) && (theExecutable.getCaller() != null))
{
prevExecutable = theExecutable;
activityClassName = theExecutable.getActivityClassName();
if ((activityClassName == null) || (!(activityClassName.startsWith("RULE-OBJ-ACTIVITY CODE-SECURITY ")))) {
oLog.error("Authentication modification permitted via privileged path only - invalid caller: " + activityClassName);
throw new PRSecurityException("Invalid request");
}
theExecutable = theExecutable.getCaller();
}
would like to understand why we are getting the error because we have a service activity that is on Int layer and from there we call our custom activity - SwitchOperatorForGS that is on Code-Security and from there we invoke the Pega OOTB- setUserSecurityProfile via below code:
com.pega.pegarules.pub.context.PRAuthentication auth = pega.getAuthenticationHandle();
oLog.error("SwitchOperatorForGS - auth: " + auth );
auth.setUserSecurityProfile(pega, UserID);
TCS
GB
we are using Pega 7.2.2
Thanks for your response and providing the articles. But those articles are quite different.
also the same scenario/code working fine on a lower version of Pega which is 6.2 sp2.
I have gone over the implementation of com.pega.pegarules.session.internal.mgmt.authentication.Authentication which is throwing the error and notice below code on the Pega prprivate.jar.
if ((gSecureMethods == 1) || (aForceExternal))
{
IExecutable prevExecutable = theExecutable;
while ((theExecutable != null) && (theExecutable.getCaller() != null))
{
prevExecutable = theExecutable;
activityClassName = theExecutable.getActivityClassName();
if ((activityClassName == null) || (!(activityClassName.startsWith("RULE-OBJ-ACTIVITY CODE-SECURITY ")))) {
oLog.error("Authentication modification permitted via privileged path only - invalid caller: " + activityClassName);
throw new PRSecurityException("Invalid request");
}
theExecutable = theExecutable.getCaller();
}
we are using Pega 7.2.2
Thanks for your response and providing the articles. But those articles are quite different.
also the same scenario/code working fine on a lower version of Pega which is 6.2 sp2.
I have gone over the implementation of com.pega.pegarules.session.internal.mgmt.authentication.Authentication which is throwing the error and notice below code on the Pega prprivate.jar.
if ((gSecureMethods == 1) || (aForceExternal))
{
IExecutable prevExecutable = theExecutable;
while ((theExecutable != null) && (theExecutable.getCaller() != null))
{
prevExecutable = theExecutable;
activityClassName = theExecutable.getActivityClassName();
if ((activityClassName == null) || (!(activityClassName.startsWith("RULE-OBJ-ACTIVITY CODE-SECURITY ")))) {
oLog.error("Authentication modification permitted via privileged path only - invalid caller: " + activityClassName);
throw new PRSecurityException("Invalid request");
}
theExecutable = theExecutable.getCaller();
}
would like to understand why we are getting the error because we have a service activity that is on Int layer and from there we call our custom activity - SwitchOperatorForGS that is on Code-Security and from there we invoke the Pega OOTB- setUserSecurityProfile via below code:
com.pega.pegarules.pub.context.PRAuthentication auth = pega.getAuthenticationHandle();
oLog.error("SwitchOperatorForGS - auth: " + auth );
auth.setUserSecurityProfile(pega, UserID);
Updated: 13 Jun 2018 11:36 EDT
Pegasystems Inc.
IN
Hello Pratheep,
Thanks for posting query in PSC.
This issue may need to debug, please raise the SR and share the SR number.
Regards,
Durga
