2 Replies Latest reply on Apr 17, 2006 7:27 AM by Ronald van Kuijk

    custom authenticaton service issue

    Ronald van Kuijk Master

      I'm looking at implementing a custom authentication service that accepts saml tickets or kerberos or whatever so authentication can be passed on to jBPM from other external systems.

      In jbpm.cfg.xml the authenticator can be configured. I've seen however that JbpmContext from cvs head contains the following code

       /**
       * sets the currently authenticated actorId.
       * @throws ClassCastException if another authentication service is configured then the default.
       */
       public void setActorId(String actorId) {
       DefaultAuthenticationService authenticationService =
       (DefaultAuthenticationService) services.getAuthenticationService();
       DefaultAuthenticationService defaultAuthenticationService =
       (DefaultAuthenticationService) authenticationService;
       defaultAuthenticationService.setActorId(actorId);
       }
      


      This code looks kind of strange to me. Any reason the code is like it is (e.g. just not finished)

      It is kind of important to have at least this part configurable, and the 3.2 docs say the default authentication service is the only one finished, but mechanisms to plugin your own are in place. Seeing the code above I have my doubts, but will at least try in a few hours.



      Ok, a few hours have been reduced to a few minutes. I copied the DefaultAuthenticatonService and Factory to MyDefault.... and ran the tests. I indeed get a ClassCastException as the code above mentiones. I can try to solve this by using interfaces

      Something like

       /**
       * sets the currently authenticated actorId.
       */
       public void setActorId(String actorId) {
       AuthenticationService authenticationService =
       services.getAuthenticationService();
       authenticationService.setActorId(actorId);
       }
      


      but the interface AuthenticationService needs a setActorId(String actorId) then.

      Since I do not know that the direction is this code should go to I'm seeking advice. Is thes setActorId only needed for jBPM internal testing? I hope not , since I'd like to be able to run the full jBPM unit tests with all service configured like I'd use them in production as well.

      Ronald

        • 1. Re: custom authenticaton service issue
          Tom Baeyens Master

          authentication service implementation should tell jbpm code what the current users is.

          the default implementation does this based on a thread local stack. the default implementation expects that the user sets the current user. The jbpmContext.setActorId(...) is a convenience method to do this.

          jbpm only needs to know the current actor id. how do you want to connect this to the saml or kerberos tickets ?

          • 2. Re: custom authenticaton service issue
            Ronald van Kuijk Master

            If jBPM is accessed remotely by another system (e.g. our web front-end or messaging system), it is often done on behalf of a certain user. To propagate these safely the messages are either signed with a certificate or contain a 'ticket'.

            These tickets or signed messages should/could fill the thread local stack. with just the userid extracted from the ticket or the complete ticket. In the latter case the authenticator should check the validity of the ticket. The result is the same, but using the ticket gives a little more thrust in the backend including the option to forward the ticket to additional system.

            I indeed thought the setActor was a convenience method, but it is kind of tightly related to the testcases and only available on the default authenticator

            I'll try to work something out in more detail and get back later.

            Ronald