13 Replies Latest reply on Oct 17, 2005 3:00 AM by T T

    Security with jBPM identity package & JAAS

    Gerhard Wittwer Newbie

      Hello

      I have to use jBPM for my diploma thesis. I'm developing a tool, which transforms the ARIS notation (EPC) to jPDL 3.0.

      Now I'm thinking about the security of the AS / Workflow-Engine. I read, that the identity package of jBPM 3.0 is in alpha stage.
      I would like to use JAAS for the security and "bind" the JAAS to jBPM.
      As I read, it is possible with the properties jbpm.authentication and jbpm. authorization. I have to implement my own Authenticator and Authorizer and map them with the properties.

      Questions:
      1. Is it "best practices" of J2EE and jBPM philosophy to do this like that?
      2. Should I use the identity tables / classes of jBPM for JAAS (JBPM_ID...)?
      3. Do I need the JBossAuthenticator in that case? What's about JBossAuthorizer?
      4. If I would like to do some Webservices on the JBoss AS which use the same JAAS stuff is it better to create own tables and how could jBPM then get the actorID / User / Group / Membership?In this case, do I have to implement an AssignmentExpression class?
      5. Does anyone have an example or an open source Webapp which is using the identity package of jBPM 3.0 combined with JAAS?

      The thesis thanks for your help!! :-)

      Best regards
      Gerard

        • 1. Re: Security with jBPM identity package & JAAS
          Ronald van Kuijk Master

           

          "gwittwer" wrote:
          I have to use jBPM for my diploma thesis. I'm developing a tool, which transforms the ARIS notation (EPC) to jPDL 3.0.


          Good luck, and we are interested in the result.

          "gwittwer" wrote:

          Now I'm thinking about the security of the AS / Workflow-Engine. I read, that the identity package of jBPM 3.0 is in alpha stage.


          It is, but it is not 'required'. It is an addition so the webapp can do something with 'users' and to have an assignment handler which has some functionality

          "gwittwer" wrote:


          I would like to use JAAS for the security and "bind" the JAAS to jBPM.
          As I read, it is possible with the properties jbpm.authentication and jbpm. authorization. I have to implement my own Authenticator and Authorizer and map them with the properties.



          I have to admit I did not work with this part yet. So I cannot comment on this part.

          "gwittwer" wrote:


          Questions:
          1. Is it "best practices" of J2EE and jBPM philosophy to do this like that?
          2. Should I use the identity tables / classes of jBPM for JAAS (JBPM_ID...)?



          If you want to. We (the company I work for) do not use them. We use our own usernamanagement system (in an ldap server)

          "gwittwer" wrote:


          3. Do I need the JBossAuthenticator in that case? What's about JBossAuthorizer?
          Depends on how far you want to go. I did not use the authorizer (yet) and the authenticator I only use in a slightly adapted loginfilter which takes the actorID from the request.getUserPrincipal() and pushes/pops it .
          "gwittwer" wrote:


          4. If I would like to do some Webservices on the JBoss AS which use the same JAAS stuff is it better to create own tables and how could jBPM then get the actorID / User / Group / Membership?In this case, do I have to implement an AssignmentExpression class?



          Again, I cannot give you a definite answer. The jBPM user/group etc is an alpha release. You can use the same JAAS stuff and connect this to your own usermanagement system.

          "gwittwer" wrote:



          5. Does anyone have an example or an open source Webapp which is using the identity package of jBPM 3.0 combined with JAAS?



          I've adapted the loginfilter to not use the JBoss identity module, but use the container security, which in turn is JAAS based.

          "gwittwer" wrote:


          The thesis thanks for your help!! :-)



          I can imagine that I've not been of real help, but the identity module is not a 'required' module for jBPM to work, hence the separate module.

          • 2. Re: Security with jBPM identity package & JAAS
            Gerhard Wittwer Newbie

            Hello Ronald

            Thank you for the answers!

            "kukeltje" wrote:

            Good luck, and we are interested in the result.

            The results are published on http://aibp.dyndns.org. Language is German, because I'm living in Switzerland :)

            I think, I will "refactor" the jbpm.identity module and change it to the requirements for the thesis (I don't need memberships, just users and groups, and no parent groups). I will change the Default AssignmentHandler of jBPM to my own (or do this in the proessdefinition).

            Is there a relation between Swimlanes and User/Group of jbpm.identity?
            My question is, how can I map this relation for the following scenario:

            I have several users in my AIBP_USER table and several groups in my AIBP_GROUP table. There is a mapping table AIBP_USERGROUP (like membership of jbpm.identity).

            On my webapp the user logs in with username/password (saved in AIBP_USER). Then I would like to give him/her the possibility to view all processes, which are assigned to the User ( -> "user(XYZ)") or to view all processes of the group, where he / she belongs to ( -> "group(XYZ)").

            Do you have any inputs how to handle this mapping from authentication (LoginForm.jsp) to authorisation (set the logged-in swimlane/actorID)?

            Thank you for helping me!

            Regards
            Gerhard




            • 3. Re: Security with jBPM identity package & JAAS
              Ronald van Kuijk Master

               

              "kukeltje" wrote:

              Good luck, and we are interested in the result.
              "gwittwer" wrote:

              The results are published on http://aibp.dyndns.org. Language is German, because I'm living in Switzerland :)


              No problem, German is one of the four languages I speak (well, 3, my french has gotten so bad that I can only read it.)
              "gwittwer" wrote:

              I think, I will "refactor" the jbpm.identity module and change it to the requirements for the thesis (I don't need memberships, just users and groups, and no parent groups).

              Good idea. I wanted to do something like that as well. Until I thought of just subclassing the epressionhandler
              "gwittwer" wrote:

              I will change the Default AssignmentHandler of jBPM to my own (or do this in the proessdefinition).

              If it is a common one, I'd try to change the default assignmenthandler. Don't know if that is configurable. If it isn't please file a jira issue for that. Sounds like a good enhancement
              "gwittwer" wrote:

              Is there a relation between Swimlanes and User/Group of jbpm.identity?

              Not realy. The loginpages takes the users from jbpm.identity and the default assignmenthandler uses it
              "gwittwer" wrote:

              My question is, how can I map this relation for the following scenario:

              I have several users in my AIBP_USER table and several groups in my AIBP_GROUP table. There is a mapping table AIBP_USERGROUP (like membership of jbpm.identity).

              On my webapp the user logs in with username/password (saved in AIBP_USER). Then I would like to give him/her the possibility to view all processes, which are assigned to the User ( -> "user(XYZ)") or to view all processes of the group, where he / she belongs to ( -> "group(XYZ)").

              Do you have any inputs how to handle this mapping from authentication (LoginForm.jsp) to authorisation (set the logged-in swimlane/actorID)?

              Yes, I myself do not use the login page, but adapted the LoginHandler to take the user either from the request.getUserPrincipal, a special http header, set by the frontend webserver in the DMZ or a special parameter that I use the for 'semi anonymous users' who have to participate in a process. The code I use for this is shown below. It is 'alpha' quality since I have not written tests for it
              "gwittwer" wrote:

              Thank you for helping me!


              Anytime.

               String actorId = (request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : request.getParameter("confirm"));
               if (actorId == null) {
               actorId = request.getHeader("HTTP_PROXY_USER");
               }
               UserBean userBean = (UserBean) request.getSession().getAttribute("userBean");
               if (userBean == null) {
               userBean = new UserBean();
               userBean.setUserName(actorId);
               request.getSession().setAttribute("userBean", userBean);
               } else if (userBean.getUserName() == null) {
               userBean.setUserName(actorId);
               request.getSession().setAttribute("userBean", userBean);
               } else {
               actorId = userBean.getUserName();
               }
              
               if (logger.isDebugEnabled()) {
               logger.debug("doFilter() - userPrincipal = " + actorId);
               }


              • 4. Re: Security with jBPM identity package & JAAS
                T T Newbie

                I've also implemented security around JBPM, but mainly based on the excellent work of Matunda Nyanchama and Sylvia Osborn in their article "The role graph model and conflict of Interest" from the university of western ontario.

                I introduced groups, users and roles. Where roles are collections of Permissions (in JAAS terminology) and Users extend Groups and Groups have both direct and indirect Groups and Roles. The roles are maintained in a rolegraph (that can be checked for cyclicy and so on) and the groups/roles are maintained in a groupgraph.


                btw, Hoi Kukeltje, werk jij voor de UU?

                • 5. Re: Security with jBPM identity package & JAAS
                  T T Newbie

                  Oh btw, I added an issue to JIRA requesting the usage of Interfaces for the Sessions (GraphSession, ContextSession) and so on, because this allows much easier usage of the Proxy pattern to protect access to individual methods.

                  • 6. Re: Security with jBPM identity package & JAAS
                    Ronald van Kuijk Master

                    The T,

                    [sorry for the others, something in Dutch]
                    Nee, ik werk voor een bedrijf is Zeist. Noem hier in dit forum liever niet de naam vanwege de staffware/jbpm zaken. Stuur ff een mailtje aan ronald (@) jbpm (dot) org en je krijgt wat meer details.

                    • 7. Re: Security with jBPM identity package & JAAS
                      Ronald van Kuijk Master

                      Gerhard,

                      I've partly read the docs, and volunteer to participate, as a consumer, in task 35 in the projectplan.

                      What do you think? :-)

                      • 8. Re: Security with jBPM identity package & JAAS
                        Gerhard Wittwer Newbie

                         

                        "The_T" wrote:
                        I've also implemented security around JBPM, but mainly based on the excellent work of Matunda Nyanchama and Sylvia Osborn in their article "The role graph model and conflict of Interest" from the university of western ontario.

                        I introduced groups, users and roles. Where roles are collections of Permissions (in JAAS terminology) and Users extend Groups and Groups have both direct and indirect Groups and Roles. The roles are maintained in a rolegraph (that can be checked for cyclicy and so on) and the groups/roles are maintained in a groupgraph.


                        btw, Hoi Kukeltje, werk jij voor de UU?


                        Hey T

                        Thanks for your post and the hint with the article. I will search this article and study it (or do you have a link / pdf?).

                        Another question is about your implementation. Do you share your code of the security around jbpm?

                        Thanks anyway for your help!!

                        Regards
                        The unknowing student :)

                        • 9. Re: Security with jBPM identity package & JAAS
                          Gerhard Wittwer Newbie

                           

                          "kukeltje" wrote:
                          Gerhard,

                          I've partly read the docs, and volunteer to participate, as a consumer, in task 35 in the projectplan.

                          What do you think? :-)



                          :) You're welcome! (but only if your support will be that great until to the end of the year ;-) -> do we have a task 35 in the projectplan? :-)

                          What you think about the project?
                          Btw, thanks for the sample code!

                          Regards
                          Gerhard

                          • 10. Re: Security with jBPM identity package & JAAS
                            Ronald van Kuijk Master

                            Support -> Yes, unless you ask stupid questions.... then I by accident miss that post :-)

                            About the project. It's nice to see people implement 'converters' for commercial designers on the business level. People tend to think of opensource stuff as technical tools, but commercial bpm engines often also lack a business level designer like ARIS and the likes.

                            I don't know if you've seen something of the GPD, but it would be nice if the resulting process-definition.xml would be accompanied by a gpd.xml. Then the process would be visible in the jBPM GPD and it would be easier to continue on it from a more techical level.

                            That's currently all I can say about the project, since I've not read the details yet.

                            • 11. Re: Security with jBPM identity package & JAAS
                              T T Newbie

                               

                              "gwittwer" wrote:
                              Another question is about your implementation. Do you share your code of the security around jbpm?

                              Thanks anyway for your help!!

                              Regards
                              The unknowing student :)

                              Hehe, I am also a student and my report will be in Dutch, so I am afraid it will not be of much use to you. Do keep in mind that this rolegraph model is quite complicated and might be overkill for your situation. I believe I downloaded the pdf via the search engines available from the library at the University.
                              Perhaps this is usefull to you:

                              ACM Transactions on Information and System Security, Vol. 2, No. 1, February 1999, Pages 3-33

                              I think I cannot just share the source, as I programmed for a company and they would lose the advantage.

                              • 12. Re: Security with jBPM identity package & JAAS
                                Ronald van Kuijk Master

                                The_T,

                                will the report be published online?

                                • 13. Re: Security with jBPM identity package & JAAS
                                  T T Newbie

                                   

                                  "kukeltje" wrote:
                                  The_T,

                                  will the report be published online?

                                  I will look into it, but I guess that's not a problem :)