1 Reply Latest reply on Sep 23, 2013 3:42 AM by Zahid Ahmed Prs

    Guvnor 5.5 REST API Authorization Not Working

    Zahid Ahmed Prs Newbie



      I have a centralized Guvnor 5.5 environment where multiple applications access Guvnor through the REST API for their respective assets, and BAs access Guvnor's web UI to create/modify process definitions. From Guvnor's web UI I can define "Users and Permissions", and users accessing the web UI are restricted according to the permissions defined for them. E.g. user A is permitted to modify Package A only, so Guvnor's web interface properly restricts User A, and User A can only see Package A when he logs into the Guvnor web UI.


      My PROBLEM is that when User A accesses Guvnor through Guvnor's REST interface, User A can upload/modify any asset in any package (Package A, Package B, Package ...). How can I apply the user permission setup to access through the REST API?


      Using the REST interface I can access Package C with the user name and password of User A, while User A is only permitted to access Package A.

      I have 5 applications accessing a single Guvnor for their assets. Each application gets its assets from its own package (e.g. application 1 --> Package A, application 2 --> Package B ...).


      I am using Guvnor's REST API for getting task forms and also for doing import and export of a package. (I do import/export through the REST interface because Guvnor's UI imports or exports only the complete repository; it does not import or export a single package.)


      Security Breach Case: If an application developer knows the names of other packages, he can point the application to get the assets of other applications. This causes a security issue for us. Applications should access only the assets assigned to them in their own package. I need to set up users and permissions for access through the REST interface on the basis of packages. Applications accessing Guvnor should be allowed to access only their respective package/assets/categories.

        • 1. Re: Guvnor 5.5 REST API Authorization
          Zahid Ahmed Prs Newbie

          I have managed to implement authorization on the REST interface and I need someone from the Guvnor team to give suggestions on my patch. mark.proctor salaboy21 geoffm74 manstis

          I have written a RESTEasy interceptor and placed it in place of BasicAuthenticator.java in the configs. When I receive the call in preProcess, I get the user authenticated, just the way it is done in BasicAuthenticator.java, and then check if the user has access rights to perform the action on the PACKAGE using the ServiceSecurity.java class.


          I have tested it and it's working fine. Kindly suggest if there could be any issue in it.

          1 of 1 people found this helpful
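The shape of the interceptor described in the reply above, written out as an added example (this is not the poster's patch and not Guvnor project code). It assumes the RESTEasy 2.x `PreProcessInterceptor` API, assumes Guvnor's package-scoped REST routes carry the package name as the path segment after `packages`, and leaves the two Guvnor-specific calls (the JAAS login that BasicAuthenticator.java performs and the package check done via ServiceSecurity.java) as clearly marked placeholder hooks, because their exact signatures depend on the Guvnor version in use. What it does show is the defensive structure: authenticate first, map the HTTP verb to a read or write need, derive the package from the request path, and answer 401 or 403 before the resource method ever runs.

```java
// Added example, not the poster's patch. Assumes RESTEasy 2.x (PreProcessInterceptor).
import java.io.UnsupportedEncodingException;
import java.util.List;

import javax.ws.rs.WebApplicationException;
import javax.ws.rs.ext.Provider;
import javax.xml.bind.DatatypeConverter;

import org.jboss.resteasy.annotations.interception.ServerInterceptor;
import org.jboss.resteasy.core.ResourceMethod;
import org.jboss.resteasy.core.ServerResponse;
import org.jboss.resteasy.spi.Failure;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.interception.PreProcessInterceptor;

@Provider
@ServerInterceptor
public class PackageScopedRestAuthorizer implements PreProcessInterceptor {

    /** Permission a request needs, derived from its HTTP verb. */
    enum Need { READ, WRITE }

    @Override
    public ServerResponse preProcess(HttpRequest request, ResourceMethod method)
            throws Failure, WebApplicationException {
        // Step 1: authenticate the HTTP Basic credentials (same role BasicAuthenticator plays).
        String[] creds = parseBasicAuth(request.getHttpHeaders().getRequestHeader("Authorization"));
        if (creds == null || !authenticate(creds[0], creds[1])) {
            return deny(401, "Basic realm=\"Guvnor\"");
        }

        // Step 2: authorize against the package named in the path, if the route is package-scoped.
        // Assumption: package routes look like /packages/{name}[/assets/...].
        String pkg = packageFromPath(request.getUri().getPath());
        if (pkg != null) {
            Need need = "GET".equals(request.getHttpMethod()) ? Need.READ : Need.WRITE;
            if (!hasPackagePermission(creds[0], pkg, need)) {
                return deny(403, null);
            }
        }
        return null; // null tells RESTEasy to continue to the resource method
    }

    /** Returns the segment after "packages", or null when the path is not package-scoped. */
    static String packageFromPath(String path) {
        String[] parts = path.split("/");
        for (int i = 0; i + 1 < parts.length; i++) {
            if ("packages".equals(parts[i]) && parts[i + 1].length() > 0) {
                return parts[i + 1];
            }
        }
        return null;
    }

    /** Decodes "Basic base64(user:password)"; null when the header is absent or malformed. */
    static String[] parseBasicAuth(List<String> headers) {
        if (headers == null || headers.isEmpty()) return null;
        String value = headers.get(0);
        if (!value.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = DatatypeConverter.parseBase64Binary(value.substring(6).trim());
            String decoded = new String(raw, "UTF-8");
            int colon = decoded.indexOf(':');
            if (colon < 1) return null; // empty user name or no separator
            return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        } catch (UnsupportedEncodingException e) {
            return null;
        }
    }

    /** Builds the short-circuit response; a 401 carries the Basic challenge, a 403 does not. */
    private static ServerResponse deny(int status, String challenge) {
        ServerResponse response = new ServerResponse();
        response.setStatus(status);
        if (challenge != null) {
            response.getMetadata().putSingle("WWW-Authenticate", challenge);
        }
        return response;
    }

    // Placeholder hook (assumption): perform the same login BasicAuthenticator.java does.
    boolean authenticate(String user, String password) {
        throw new UnsupportedOperationException("wire to the JAAS login used by BasicAuthenticator");
    }

    // Placeholder hook (assumption): ask Guvnor's ServiceSecurity whether this user may
    // read or write the named package; the real method name depends on the Guvnor version.
    boolean hasPackagePermission(String user, String pkg, Need need) {
        throw new UnsupportedOperationException("wire to ServiceSecurity package check");
    }
}
```

One check worth doing before trusting a path-based guard like this: every REST route that can read or write package content, including the import/export endpoints the original post relies on, must either carry the package name in the position the interceptor inspects or be handled explicitly; a route the interceptor treats as "not package-scoped" falls through with only the resource's own checks, which is exactly the gap the thread started from.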