Correct, the authorizationservice is non-functional atm... You need to check those in your own application layer if you want to.
Thank you for your reply Ronald. I am surprised to see authorization is not implemented in jBPM. We're not using the web front end for task management, so we'll have an API that will be called passing in a Process Instance Id and userid to signal the token to move onwards. Is there another way to prevent unauthorized users from executing tasks they're not authorized to? I think we need to implement authorization at the jBPM layer because we need to prevent the following scenario.
User A (employee) creates a purchase order (Task 1)
User B (another employee at the same level as User A; User A NOT allowed) checks the purchase order (Task 2)
User C (manager) approves the purchase order (Task 3)
We are planning on assigning swimlanes to each of these tasks. Then we'll use the expression assignment handler to work out that User A or B can do Task 1, and Task 2 can't be carried out by the same user as Task 1. Then Task 3 will have another swimlane (Manager). I've seen the documentation on the expression assignment handler syntax; are there any worked examples to view?
How would you recommend we implement this?
Well, if you don't have a web front end for your application (and you directly manage your process via processId), you still could shield your jBPM DAO with an EJB that manages the authorization process.
Otherwise you could perform an authorization check inside the Assignment handler, eventually throwing an Exception if not authorized, but in my opinion that's not the best choice...
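
An added example, not part of the thread and not jBPM code: a minimal application-layer guard of the kind suggested above, called before the API signals the token. It enforces the role per task and the rule that the checker must differ from the creator. The class, enum and user names are hypothetical, the in-memory maps stand in for a real identity store and persistent audit table, and task ordering is assumed to be enforced by the process definition itself.

```java
import java.util.EnumMap;
import java.util.HashMap;
import java.util.Map;

public class TaskAuthorizationGuard {
    // Hypothetical names for the three tasks and two swimlanes described in the thread.
    enum Task { CREATE_ORDER, CHECK_ORDER, APPROVE_ORDER }
    enum Role { EMPLOYEE, MANAGER }

    private static final Map<Task, Role> REQUIRED = Map.of(
        Task.CREATE_ORDER, Role.EMPLOYEE,
        Task.CHECK_ORDER, Role.EMPLOYEE,
        Task.APPROVE_ORDER, Role.MANAGER);

    private final Map<String, Role> roles; // userId -> role (assumed lookup)
    // processInstanceId -> which user completed which task (not thread-safe; illustration only)
    private final Map<Long, Map<Task, String>> history = new HashMap<>();

    TaskAuthorizationGuard(Map<String, Role> roles) { this.roles = roles; }

    /** Throws SecurityException unless userId may complete the task; call before signalling. */
    void authorize(long processInstanceId, Task task, String userId) {
        // Unknown users have no role and are denied by the same comparison.
        if (roles.get(userId) != REQUIRED.get(task))
            throw new SecurityException(userId + " lacks the role for " + task);
        Map<Task, String> done = history.computeIfAbsent(
            processInstanceId, k -> new EnumMap<Task, String>(Task.class));
        if (done.containsKey(task))
            throw new SecurityException(task + " already completed");
        // Separation of duties: the checker must not be the creator.
        if (task == Task.CHECK_ORDER && userId.equals(done.get(Task.CREATE_ORDER)))
            throw new SecurityException("creator may not check own order");
        done.put(task, userId); // recorded only after every check has passed
    }

    public static void main(String[] args) {
        TaskAuthorizationGuard g = new TaskAuthorizationGuard(Map.of(
            "userA", Role.EMPLOYEE, "userB", Role.EMPLOYEE, "userC", Role.MANAGER));
        long pid = 42L; // constructed process instance id
        g.authorize(pid, Task.CREATE_ORDER, "userA");
        try { g.authorize(pid, Task.CHECK_ORDER, "userA"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        g.authorize(pid, Task.CHECK_ORDER, "userB");
        try { g.authorize(pid, Task.APPROVE_ORDER, "userB"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        g.authorize(pid, Task.APPROVE_ORDER, "userC");
        System.out.println("order approved by userC");
    }
}
```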