-
1. Re: Task assignment privileges
tom.baeyens May 13, 2009 5:20 AM (in response to heiko.braun)authorization is out of scope for GA. for now we can just let anyone reassign.
-
2. Re: Task assignment privileges
heiko.braun May 13, 2009 5:51 AM (in response to heiko.braun)I am not asking for the scope. I am asking for an explanation of the concepts in place and their relation to each other. Regardless if we put into GA or not.
-
3. Re: Task assignment privileges
tom.baeyens May 13, 2009 5:59 AM (in response to heiko.braun)i think that can depend on a lot of factors.
some determine this by static authorization role. e.g. if you are an 'manager' then you can do that.
in other scenarios it might depend on the identity component group membership. e.g. reassignment is only allowed within your team
i don't see a single way on how we'll be able to tell who is allowed to assign/reassign a task. so our strategy then is typically to make it pluggable.
pluggable authorization is already a part of the command based service methods. the idea is that an authorization interceptor would delegate to some custom configured AuthenticationSession like this:public class AuthorizationInterceptor extends Interceptor { public <T> T execute(Command<T> command) { Environment environment = Environment.getCurrent(); if (environment==null) { throw new JbpmException("no environment for verifying authorization"); } AuthorizationSession authorizationSession = environment.get(AuthorizationSession.class); if (authorizationSession==null) { throw new JbpmException("no AuthorizationSession in environment for verifying authorization"); } authorizationSession.checkPermission(command, environment); // if the authorization check succeeded, proceed return next.execute(command); } }
but i don't think we have a binding or documentation for this yet. don't think that is a priority.
does that answer your question ?