2 Replies Latest reply on Apr 17, 2006 7:27 AM by kukeltje

    custom authentication service issue

    kukeltje

      I'm looking at implementing a custom authentication service that accepts SAML tickets or Kerberos or whatever, so authentication can be passed on to jBPM from other external systems.

      In jbpm.cfg.xml the authenticator can be configured. I've seen however that JbpmContext from CVS HEAD contains the following code:

       /**
        * sets the currently authenticated actorId.
        * @throws ClassCastException if another authentication service is configured than the default.
        */
       public void setActorId(String actorId) {
         DefaultAuthenticationService authenticationService =
             (DefaultAuthenticationService) services.getAuthenticationService();
         DefaultAuthenticationService defaultAuthenticationService =
             (DefaultAuthenticationService) authenticationService;
         defaultAuthenticationService.setActorId(actorId);
       }

      This code looks kind of strange to me. Any reason the code is like it is (e.g. just not finished)?

      It is kind of important to have at least this part configurable, and the 3.2 docs say the default authentication service is the only one finished, but mechanisms to plug in your own are in place. Seeing the code above I have my doubts, but will at least try in a few hours.



      Ok, a few hours have been reduced to a few minutes. I copied the DefaultAuthenticationService and Factory to MyDefault.... and ran the tests. I indeed get a ClassCastException as the code above mentions. I can try to solve this by using interfaces.

      Something like:

       /**
        * sets the currently authenticated actorId.
        */
       public void setActorId(String actorId) {
         AuthenticationService authenticationService =
             services.getAuthenticationService();
         authenticationService.setActorId(actorId);
       }


      but the interface AuthenticationService needs a setActorId(String actorId) then.

      Since I do not know the direction this code should go in, I'm seeking advice. Is the setActorId only needed for jBPM internal testing? I hope not, since I'd like to be able to run the full jBPM unit tests with all services configured like I'd use them in production as well.

      Ronald

        • 1. Re: custom authentication service issue
          tom.baeyens

          authentication service implementation should tell jbpm code what the current user is.

          the default implementation does this based on a thread local stack. the default implementation expects that the user sets the current user. The jbpmContext.setActorId(...) is a convenience method to do this.

          jbpm only needs to know the current actor id. how do you want to connect this to the SAML or Kerberos tickets?

          • 2. Re: custom authentication service issue
            kukeltje

            If jBPM is accessed remotely by another system (e.g. our web front-end or messaging system), it is often done on behalf of a certain user. To propagate these safely the messages are either signed with a certificate or contain a 'ticket'.

            These tickets or signed messages should/could fill the thread local stack, with just the userid extracted from the ticket or the complete ticket. In the latter case the authenticator should check the validity of the ticket. The result is the same, but using the ticket gives a little more trust in the backend, including the option to forward the ticket to additional systems.

            I indeed thought the setActor was a convenience method, but it is kind of tightly related to the testcases and only available on the default authenticator.

            I'll try to work something out in more detail and get back later.

            Ronald
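As an added example (not jBPM's code and not posted in this thread), this is one way the ticket-backed authenticator sketched above could look: the thread-local stack only ever receives an actorId after the ticket's signature and expiry have been checked, so callers push a ticket rather than setting an actorId directly. The AuthenticationService interface below is a stand-in with the assumed shape (getActorId/close), and the ticket format, HMAC key and sample actorId are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayDeque;
import java.util.Base64;
import java.util.Deque;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

interface AuthenticationService { // stand-in for jBPM's interface; shape is an assumption
  String getActorId();
  void close();
}
/** Authenticator whose thread-local stack only ever holds actorIds taken from verified tickets. */
public class TicketAuthenticationService implements AuthenticationService {
  private static final ThreadLocal<Deque<String>> ACTORS = ThreadLocal.withInitial(ArrayDeque::new);
  // Constructed demo key; a deployment would load the verification key from configuration.
  private static final byte[] KEY = "demo-ticket-key".getBytes(StandardCharsets.UTF_8);
  /** Constructed ticket format: actorId|expiryMillis|base64(HMAC-SHA256(actorId|expiryMillis)). */
  public static String mintTicket(String actorId, long expiryMillis) throws Exception {
    String payload = actorId + "|" + expiryMillis;
    return payload + "|" + Base64.getEncoder().encodeToString(hmac(payload));
  }

  /** Checks the ticket (signature first, then expiry) and pushes its actorId for this thread. */
  public static void pushTicket(String ticket) throws Exception {
    String[] parts = ticket.split("\\|", -1);
    if (parts.length != 3) throw new SecurityException("malformed ticket");
    byte[] given = Base64.getDecoder().decode(parts[2]);
    // Constant-time comparison; the actorId is not trusted until the signature matches.
    if (!MessageDigest.isEqual(hmac(parts[0] + "|" + parts[1]), given)) throw new SecurityException("bad signature");
    if (Long.parseLong(parts[1]) < System.currentTimeMillis()) throw new SecurityException("ticket expired");
    ACTORS.get().push(parts[0]);
  }
  public static void popTicket() { ACTORS.get().pop(); }
  private static byte[] hmac(String payload) throws Exception {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
    return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
  }
  public String getActorId() { return ACTORS.get().peek(); } // null if nothing was pushed on this thread
  public void close() {}

  public static void main(String[] args) throws Exception {
    String ticket = mintTicket("ronald", System.currentTimeMillis() + 60_000);
    pushTicket(ticket);
    System.out.println("actor from valid ticket: " + new TicketAuthenticationService().getActorId());
    popTicket();
    try { pushTicket(ticket.replace("ronald", "admin")); } // tampered actorId, signature no longer matches
    catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```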