3 Replies Latest reply on Mar 30, 2006 2:55 PM by jbpmndc

    Authentication to jBPM

    Juha Särkinen Newbie


      we are trying to implement authentication mechanism to jBPM. Could anyone point out where to start? (configuring web.xml? overwriting jbpm authenticator-class?)

      At the moment we are exploring the possibility to use external security frameworks (like jGuard, Seraph, Acegi...) and use their authentication features.

      This post is related to Metheora -university student project.

        • 1. Re: Authentication to jBPM
          Koen Aers Master

          You can use all those frameworks. jBPM does not rely on any authentication framework in particular. Make the authenticated user known to jBPM after the authentication using the JbpmContext.setActorId() method.


          • 2. Re: Authentication to jBPM
            Michael Holtzman Newbie

            I am doing that (settng the authenticated user id with JbpmContext.setActorId())

            However, when I pull the logs, the actorId field is always null. I've combed through the source, and I don't see anyway to record the current authenticated actor in the log record (i.e., ProcessLog).

            For example, I need the log to reflect the user who (for example) completed a task instance, started a process instance, etc.

            Thanx for any help.

            • 3. Re: Authentication to jBPM
              jbpmndc Newbie

              I've thought about authentication and authorization.

              It seems you can usually protect the system using authentication module for the existing application (e.g. JAAS, ACEGI). But, if you are developing a highly sensitive system, you may want to add an additional layer of security. With the additional layer, if someone can connect to the system and has processId's (highly unlikely), you can prevent the system from unauthorized activity.

              In general, it seems you don't need the authentication and authorization that comes with jbpm. My 2 cents.