We have a Spring-based application deployed in Camunda BPM. We have exposed some REST services there using the Camunda Java API. We did this for some specific requirements where no Camunda REST API was available. These custom REST services are running without authentication & authorization. I am able to create/complete/delete processes & tasks through these services without authenticating a valid user. I want to know how to force the Camunda Java APIs to look for an authenticated user before executing. I am using Camunda BPM 7.3.
I found the answer. The authentication in this case is in our hands. We have to authenticate the user any way we want and then set the authenticated userId in the identityService. If the authenticated user is null, then the authorization check is also skipped. Hence my code was working without authentication.
Check the following code in the AuthorizationManager class:
    public void checkAuthorization(List<PermissionCheck> permissionChecks) {
        Authentication currentAuthentication = getCurrentAuthentication();
        CommandContext commandContext = getCommandContext();
        if (isAuthorizationEnabled() && currentAuthentication != null && commandContext.isAuthorizationCheckEnabled()) {
            String userId = currentAuthentication.getUserId();
            boolean isAuthorized = isAuthorized(userId, currentAuthentication.getGroupIds(), permissionChecks);
            ...
As is evident from the IF condition, if currentAuthentication is null the isAuthorized() method won't be called.
Another thing to remember: in bpm-platform.xml, where we have defined the ProcessEngineConfiguration, we need to set the authorizationEnabled property to true.
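The pattern the answer describes, written out as an added example (this is not code from the question, the answer, or Camunda itself): a hypothetical service that a custom REST endpoint would call. It authenticates the caller, sets the authenticated user and groups on the IdentityService so the AuthorizationManager check above is no longer skipped, runs the engine call, and clears the thread-local authentication afterwards. The class name, the use of identityService.checkPassword() as the authenticator, and the mapping of groups are assumptions; the answer only says to authenticate "any way we want" and then set the authenticated user.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.camunda.bpm.engine.AuthorizationException;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.RuntimeService;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.runtime.ProcessInstance;

/**
 * Hypothetical service behind a custom REST endpoint (example code, not
 * Camunda's). Every engine call is wrapped so that the engine sees an
 * authenticated user; with a null authentication the AuthorizationManager
 * check quoted in the answer is skipped entirely.
 */
public class AuthenticatedProcessService {

    private final IdentityService identityService;
    private final RuntimeService runtimeService;

    public AuthenticatedProcessService(ProcessEngine engine) {
        this.identityService = engine.getIdentityService();
        this.runtimeService = engine.getRuntimeService();
    }

    /**
     * Starts a process on behalf of a caller.
     * Assumption: credentials are verified against the engine's own user
     * store via checkPassword(); any other authenticator (LDAP, SSO, a
     * Spring Security principal) could replace that one line.
     */
    public ProcessInstance startProcessAs(String userId, String password, String processKey) {
        // 1. Authenticate. Reject a null/empty user explicitly: handing a null
        //    userId to setAuthentication would again disable the check.
        if (userId == null || userId.isEmpty()
                || !identityService.checkPassword(userId, password)) {
            throw new SecurityException("authentication failed");
        }

        // 2. Resolve group membership so group-level authorizations apply too.
        List<String> groupIds = identityService.createGroupQuery()
                .groupMember(userId)
                .list()
                .stream()
                .map(Group::getId)
                .collect(Collectors.toList());

        // 3. Tell the engine who is calling. This is thread-local state, so it
        //    must be cleared in finally or it leaks into the next request that
        //    happens to run on the same thread.
        identityService.setAuthentication(userId, groupIds);
        try {
            // With authorizationEnabled=true the engine now throws
            // AuthorizationException (map it to HTTP 403 in the REST layer)
            // unless userId or one of its groups holds the permissions this
            // call requires.
            return runtimeService.startProcessInstanceByKey(processKey);
        } finally {
            identityService.clearAuthentication();
        }
    }
}
```

Two things to check when wiring this in. First, the engine-side switch the answer mentions must actually be on, i.e. the process-engine's properties in bpm-platform.xml carry `<property name="authorizationEnabled">true</property>`; without it the first term of the IF condition is false and setting the user changes nothing. Second, every custom endpoint that touches RuntimeService or TaskService needs the same set/try/finally wrapper (or an interceptor that applies it), because the engine only knows about the user for the calls made between setAuthentication() and clearAuthentication().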