3 Replies Latest reply on Sep 5, 2008 5:47 AM by mark spencer

    Authorization in jBPM

    Phil OMalley Newbie

      Hi , I am working with jBPM v 3.2.3 with Spring Modules .9 (with Spring 2.5.2 and Hibernate 3.2.6) against a mySQL 5.1 DB. I can deploy Process Definitions and create Process Instances fine, However, it appears jBPM is not using any form Authorizaton. According to the manual I can use IdentityAuthorizationService to check a Tasks permission versus the actorid calling the task. Unfortunately this class is not implemented. Also, I'm wondering do I have to explicitly call this checkPermissions method of IdentityAuthorizationService each time I need to signal a token or is there a way of wiring the authorization up to the signalling process automatically?

      I've added the following service element to jbpm.cgf.xml:

      service name="authorization" factory="org.jbpm.security.authorization.IdentityAuthorizationServiceFactory"

      in the <jbpm-context> element.

      Many thanks for your time. Phil

        • 1. Re: Authorization in jBPM
          Ronald van Kuijk Master

          correct, the authorizationservice is non functional atm.... You need to check those in your own application layer if you want to

          • 2. Re: Authorization in jBPM
            Phil OMalley Newbie

            Thank you for your reply Ronald, I am surprised to see authorization is not implemented in jBPM. We're not using the web front end for task management so we'll have an API that will be called passing in a Process Instance Id and userid to signal the token to move onwards. Is there another way to prevent unauthorized users from executing task they're not authorized to. I think we need to implement authorization at the jBPM layer because we need to prevent the following scenario.
            User A (employee) creates a purchase order (Task 1)
            User B (another employee at same level as user A, User A NOT allowed) to check purchase order (Task 2)
            User C (manager) approves the purchase order (Task 3)

            We are planning on assigning swimlanes to each of these tasks. Then we'll use the expression assignment handler to work out that User A or B can do Task 1, and Task 2 can't be carried out by same user a Task 1. Then Task 3 will have another swimlane (Manager). I've seen the documentation on the expression assignment handler syntax, is there any worked examples to view?

            How would you recommend we implement this?
            Thanks, Phil

            • 3. Re: Authorization in jBPM
              mark spencer Newbie

              well if you don't have a web front end for your application (and you directly managed your process via processId) you still could shield your JBPM DAO with an EJB that manages the authorization process.
              Otherwise you could perform authorization check inside the AssignMent handler eventually throwing an Exception if not authorized but in my opinion that's not the best choice......