2 Replies Latest reply on Dec 17, 2014 9:49 AM by toja

    Access to REST API for any authenticated users

    toja

      Hi all,

       

      I'm using jbpm6.1 and I noticed that I have access to the REST API with any authenticated user, even if he has no jbpm role.

       

      E.g. I added to tomcat-users.xml (I'm using jbpm with tomcat7) a user with a single manager-gui role, and this user has access to the jbpm REST API and is able to get tasks via REST from jbpm.

       

      Does anyone have an idea how to limit access to the REST API to users with a specified role, e.g. user or admin?

       

      Thanks for help,

      Tomek

        • 1. Re: Access to REST API for any authenticated users
          swiderski.maciej

          jbpm roles such as admin, analyst, user, developer and manager are only roles in the UI to restrict access to certain perspectives/views. REST will require authentication and then will allow the user to perform operations, though task-related operations are based on task assignment, meaning only tasks assigned to a given user will be available to that user.

           

          HTH

          • 2. Re: Access to REST API for any authenticated users
            toja

            Correct, when I have a user without any roles and with no task assignments, I am unable to claim tasks or process them, but I can still get the list of all tasks (using /rest/task/query) or send a signal with /rest/runtime/.../execute

            Is it possible in jbpm to limit these actions to users with a specified role, or do I need to implement my own filter?
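
As an added example (not part of the thread and not jBPM's own code), this is one way the "own filter" asked about above could look as a standard servlet filter on Tomcat 7. It assumes the container has already authenticated the caller; the class name `RestRoleFilter` and the `allowedRoles` init-param are hypothetical.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, not part of jBPM: lets a request through only if the
// authenticated caller holds one of the configured container roles.
public class RestRoleFilter implements Filter {
    private final Set<String> allowedRoles = new HashSet<String>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "allowedRoles" is an init-param name made up for this example, e.g. "user,admin".
        String param = config.getInitParameter("allowedRoles");
        if (param == null || param.trim().isEmpty()) {
            throw new ServletException("allowedRoles init-param is required"); // fail closed
        }
        for (String role : param.split(",")) {
            if (!role.trim().isEmpty()) {
                allowedRoles.add(role.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        for (String role : allowedRoles) {
            if (request.isUserInRole(role)) {
                chain.doFilter(req, res);
                return;
            }
        }
        // Authenticated but without a listed role (e.g. a manager-gui-only account).
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    @Override
    public void destroy() { }
}
```

Registered in the web application's web.xml with a filter-mapping on `/rest/*` and `allowedRoles` set to `user,admin`, it answers 403 to an authenticated account that holds only `manager-gui`.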