Hi, I have been playing with authorization in a Camunda Spring Boot application with REST services, and I have found that if I run the claimTask operation as a user who does not have sufficient rights to update the task, the execution still passes without a problem.
I identified the cause of this.
In the process engine configuration, there is a method initCommandCheckers like this:
```java
protected void initCommandCheckers() {
    if (commandCheckers == null) {
        commandCheckers = new ArrayList<CommandChecker>();
        // add the default command checkers
        commandCheckers.add(new TenantCommandChecker());
        commandCheckers.add(new AuthorizationCommandChecker());
    }
}
```
However, SpringBootProcessEnginePlugin sets the commandCheckers collection to an empty ArrayList by calling the CamundaSpringBootUtil.init(…) method:
```java
public static SpringProcessEngineConfiguration init(SpringProcessEngineConfiguration configuration) {
    if (configuration.getProcessEnginePlugins() == null) {
        configuration.setProcessEnginePlugins(new ArrayList());
    }
    if (configuration.getBatchHandlers() == null) {
        configuration.setBatchHandlers(new HashMap());
    }
    if (configuration.getBeans() == null) {
        configuration.setBeans(new HashMap());
    }
    if (configuration.getCommandCheckers() == null) {
        configuration.setCommandCheckers(new ArrayList());
    }
    if (configuration.getCustomPostBPMNParseListeners() == null) {
        configuration.setCustomPostBPMNParseListeners(new ArrayList());
    }
    return configuration;
}
```
As a result, initCommandCheckers never adds the command checkers (including AuthorizationCommandChecker) to the process engine.
I was able to get the authorization working correctly by manually adding the command checkers to the process engine configuration in a custom process engine configuration:
```java
public class OmnichannelProcessEngineConfiguration extends AbstractCamundaConfiguration {

    @Override
    public void preInit(SpringProcessEngineConfiguration processEngineConfiguration) {
        super.preInit(processEngineConfiguration);
        processEngineConfiguration.setCustomFormTypes(customFormTypes());
        processEngineConfiguration.setCustomPostVariableSerializers(customPostVariableSerializers());
        // processEngineConfiguration.setDefaultSerializationFormat("application/json");
        processEngineConfiguration.setIdGenerator(new StrongUuidGenerator());
        // manually add the default command checkers to the (empty) list
        processEngineConfiguration.getCommandCheckers().add(new TenantCommandChecker());
        processEngineConfiguration.getCommandCheckers().add(new AuthorizationCommandChecker());
    }

    private List<TypedValueSerializer> customPostVariableSerializers() {
        List<TypedValueSerializer> customPostVariableSerializers = new ArrayList<>();
        customPostVariableSerializers.add(new BigDecimalValueSerializer());
        return customPostVariableSerializers;
    }

    private List<AbstractFormFieldType> customFormTypes() {
        List<AbstractFormFieldType> customFormTypes = new ArrayList<>();
        customFormTypes.add(new BigDecimalFormType());
        return customFormTypes;
    }
}
```
I’d like to ask whether such custom defining of command checkers is a design feature or a bug. If it is a feature, is defining the command checkers in a custom Camunda engine configuration the correct way to do it?
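
The interaction described in the post, as an added plain-Java model (not part of the original post and not Camunda's code): a null-guarded default initializer is skipped once the list has been pre-set to empty, so no checker runs, and a fail-fast guard catches that at startup. All types here are simplified stand-ins, and `starterInit`, `claimTask`, `requireChecker` and the sample users are hypothetical.

```java
import java.util.*;

// Simplified stand-ins for the engine types named in the post (assumption: not Camunda's real classes).
public class CommandCheckerDemo {
    interface CommandChecker { void checkUpdateTask(String userId); }

    static class AuthorizationCommandChecker implements CommandChecker {
        private final Set<String> allowed = Set.of("alice");    // constructed sample grant
        public void checkUpdateTask(String userId) {
            if (!allowed.contains(userId)) throw new SecurityException(userId + " may not update task");
        }
    }

    static class EngineConfig {
        List<CommandChecker> commandCheckers;                    // null until initialised
        void initCommandCheckers() {                             // same null guard as in the post
            if (commandCheckers == null) {
                commandCheckers = new ArrayList<>();
                commandCheckers.add(new AuthorizationCommandChecker());
            }
        }
    }

    // Models the starter's init(): replaces null with an empty list before the engine initialises.
    static EngineConfig starterInit(EngineConfig cfg) {
        if (cfg.commandCheckers == null) cfg.commandCheckers = new ArrayList<>();
        return cfg;
    }

    // A command runs every registered checker; with an empty list nothing is checked.
    static boolean claimTask(EngineConfig cfg, String userId) {
        try { cfg.commandCheckers.forEach(c -> c.checkUpdateTask(userId)); return true; }
        catch (SecurityException e) { return false; }
    }

    // Fail-fast guard (hypothetical helper): refuse to start without a required checker type.
    static void requireChecker(EngineConfig cfg, Class<? extends CommandChecker> type) {
        if (cfg.commandCheckers.stream().noneMatch(type::isInstance))
            throw new IllegalStateException("missing command checker: " + type.getSimpleName());
    }

    public static void main(String[] args) {
        EngineConfig plain = new EngineConfig();
        plain.initCommandCheckers();                             // defaults are added
        System.out.println("defaults, bob claims: " + claimTask(plain, "bob"));
        EngineConfig boot = starterInit(new EngineConfig());
        boot.initCommandCheckers();                              // list is non-null, defaults skipped
        System.out.println("pre-set empty list, bob claims: " + claimTask(boot, "bob"));
        requireChecker(boot, AuthorizationCommandChecker.class); // guard rejects this configuration
    }
}
```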