3 Replies Latest reply on May 23, 2005 9:02 AM by Scott Stark

    jbpm process security

    Tom Baeyens Master

      could i do something usefull with security in jBPM ? this is a philisophical jBPM question rather then a jboss question, but i would appreciate the opinion of the jboss experts on this.

      authentication: this is outside the scope of jBPM to do the authentication. the environment needs to do the authentication and pass the authenticated user information to jBPM. passing that information can be done via the jBPM API.

      authorization: there are definitely process related authorization constraints. E.g. the 'payraise process' can only be started by 'managers'. But jBPM can never include a generic mechanism for authorization constraints because
      1) the organisation model is different in every organisation (it's pluggable in jBPM)
      2) the authorization rules are expressed in terms of the organisation model
      3) the authorization rules themselves are also different from organisation to organisation.

      So we cannot include authorization into jBPM unless we freeze the organisation model and the format for authorization rules. that does not seem like a good idea to me.

      any advice or twist of mind is welcome.

      regards, tom.

        • 1. Re: jbpm process security
          Scott Stark Master

          Give some specific examples of more complicated authorization rules. Your choices are:

          1. If the rules can be decomposed into a user having a set of roles, the existing JAAS mechanism can be used.
          2. If the rules require more logic, but can be expressed using custom java.security.Permission objects, you can use the java.security.Policy mechanism to assign permissions to users and test the permissions using the Policy.implies check similar to how JACC works.
          3. If the permission rules just don't fit Permissions, we need a new security service that layers on top of the others and employs a rules engine to help with the permissions evaluations.

          • 2. Re: jbpm process security
            Tom Baeyens Master

            you summarized the exact 3 options that i have thought about. but I couldn't see them clearly distinct.

            i don't want jBPM to be tied to only *one* of those mechansims.

            maybe we can so the following to support all of them:

            1) user-roles-JAAS:

            // somewhere in the jbpm code
            if (user-roles-jaas-security-is-configured-in-jbpm) {
             // how to check if the current user is in role r ?
             Subject.getSubject(...) --> org.jboss...RolesPrincipal or something like that
            
             or should that be done via the SecurityAssociation somehow ?
            }

            2) permission security

            // somewhere in the jbpm code
            if (permission-security-is-configured-in-jbpm) {
             AccessController.checkPermission( new ViewTaskPermission(...) );
            }

            3) if users want to do things not in line with the previous 2 approaches, they are on their own...

            regards, tom.

            • 3. Re: jbpm process security
              Scott Stark Master

              What is needed is an equivalent of the ejb/web container interceptor that can be configurated as part of the workflow so that the security implementation is a pluggable aspect of the workflow. Ultimately the jbpm layer should be able to take advantage of the security aspects from the unified jboss5 implementation.