2 Replies Latest reply on Jun 23, 2014 9:25 AM by Marc Boorshtein

    How Does a human task know who I am?

    Marc Boorshtein Newbie

      I've gotten SSO working with the JBPM 6.0.1 demo and am trying to get a better understanding of the authorization model.  From the workbench, everything works great.  JBPM and JBoss are configured with a custom login module/valve combination that provides JBPM with the user's login and roles.  This is done currently without any kind of persistent storage (ie there's no LDAP directory storing the information that JBoss is reading from).  Everything is done purely through the login module and the roles returned by the login module for the user.


      Here's my question: How does JBPM *know* i'm a member of the group assigned to the task?  If I'm using the console it makes sense that its calling request.isUserInRoles() but what about web services?  How does it know?  Does the web service do the same thing, meaning that an iteration must be called with the context of the user acting on the web service? 


      In doing my research I haven't found much in the way of explaining how this is done.  In the 5.x world it seems there was a concept of a UserGroupCallback that would look users and their roles up but there isn't much documentation on this in 6.x.  I see there's a org.kie.api.task.UserGroupCallback interface and when I do a grep for UserGroup callback in the jbpm-console.war I find a JBossImpl that looks at the default property files but theres no mention of an LDAP implementation or how to configure this.