3 Replies Latest reply on Mar 30, 2006 2:55 PM by jbpmndc

Authentication to jBPM

lymit Mar 30, 2006 5:00 AM

Hi,

we are trying to implement authentication mechanism to jBPM. Could anyone point out where to start? (configuring web.xml? overwriting jbpm authenticator-class?)

At the moment we are exploring the possibility to use external security frameworks (like jGuard, Seraph, Acegi...) and use their authentication features.

This post is related to Metheora -university student project.

1. Re: Authentication to jBPM

koen.aers Mar 30, 2006 1:28 PM (in response to lymit)

You can use all those frameworks. jBPM does not rely on any authentication framework in particular. Make the authenticated user known to jBPM after the authentication using the JbpmContext.setActorId() method.

Regards,
Koen
Actions
2. Re: Authentication to jBPM

michaelholtzman Mar 30, 2006 2:35 PM (in response to lymit)

I am doing that (settng the authenticated user id with JbpmContext.setActorId())

However, when I pull the logs, the actorId field is always null. I've combed through the source, and I don't see anyway to record the current authenticated actor in the log record (i.e., ProcessLog).

For example, I need the log to reflect the user who (for example) completed a task instance, started a process instance, etc.

Thanx for any help.
Actions
3. Re: Authentication to jBPM

jbpmndc Mar 30, 2006 2:55 PM (in response to lymit)

I've thought about authentication and authorization.

It seems you can usually protect the system using authentication module for the existing application (e.g. JAAS, ACEGI). But, if you are developing a highly sensitive system, you may want to add an additional layer of security. With the additional layer, if someone can connect to the system and has processId's (highly unlikely), you can prevent the system from unauthorized activity.

In general, it seems you don't need the authentication and authorization that comes with jbpm. My 2 cents.
Actions

Go to original post