Camunda claim task via REST not checking user

Greetings,
I am trying out camunda community edition version 7.14 with tomcat distribution. I have integrated camunda with our ldap system. While validating claim task REST api noticed, a task can be assigned to a user who is invalid. The user didn’t exists in ldap system. Have enabled authorization, still claim task didn’t check whether user is valid or not. Below is property from bpm-platform.xml. Kindly advise if i am missing something.

Thanks
Rathina

@rathina_karthik Please refer this:

@aravindhrs Thank you for your response. Isn’t this a security issue at workflow layer? With claim task flexible to assign to any users even not exists. How can this be prevented?. Is there a way to implement the check - validate if user id exists in ldap before assigning task to a user or claim task. Kindly share any customization tried (if any).

Thanks
Rathina

Hi @rathina_karthik,

It depends which restrictions you expect from the underlying system. I have seen various requirements from different customers here. Some want more restrictions, others need more flexibilty.
If you assign a user task to an unexisting user, the task is not deleted. It just could not be found by anybody.

You can implement the logic in a task listener on the assignment event. Throw an exception, if the user didn’t exist.
Another option is handle this in the user interface. Provide a select box where only existing users can be selected.

Hope this helps, Ingo

1 Like

Hi @rathina_karthik,

I believe @Ingo_Richtsmeier gave a comprehensive answer.

If you are interested, you can find an example of a generic task listener to validate assignee existence in below post

Thank you @Ingo_Richtsmeier , @hassang for your response and direction.