Claim Task With InvalidUser

gumang · February 22, 2021, 8:39pm

Hi, i m using Camunda API for claiming task

It working for right user.
But when i send wrong user-id in payload. It doesnot throw error.

Atmesh_Agarwal1 · February 22, 2021, 8:40pm

I have observed this issue too…do share solution if you find any

Ingo_Richtsmeier · February 23, 2021, 1:17pm

Hi @gumang and @Atmesh_Agarwal1,

it is a matter of authorizations. It’s hard to define “wrong user”.

Checkout the possibilties by yourself here: Authorization Service | docs.camunda.org.

And be aware that the camunda-bpm-spring-boot-starter disables authorization checks by default.

Hope this helps, Ingo

gumang · February 23, 2021, 4:28pm

Hi @Ingo_Richtsmeier
Authorization is enabled.
But my problem is not authentication.
Its about the userId in payload. That userId doesnot exist in system.
For example:
Url: rest/task/100453/claim
Authentication: admin/admin
Payload: {“userId”:“sdfdsf”}

Admin here is valid user and have all privileges.
He/She assigns the task 100453 to sdfdsf. But there is no such user. I expect some message from camunda whether there is any such user

hassang · February 23, 2021, 6:16pm

Hi @gumang,

The core of the Camunda engine treats users , groups and tenants as simple text strings
https://camunda.com/best-practices/securing-camunda/#_understanding_strong_users_strong_strong_groups_strong_and_strong_tenants_strong

Validation of assignee existence could by implemented by a generic task listener to be triggered on assignment event.

identityService = delegateTask.getProcessEngineServices()
    .getIdentityService();
processEngine = Context.getProcessEngineConfiguration()
    .getProcessEngine();
engineConfiguration = processEngine.getProcessEngineConfiguration();

if (delegateTask.getAssignee() != null) {

    currentAuthentication = identityService.getCurrentAuthentication();

    try {

        identityService.clearAuthentication();

        // run without authorization checks
        assigneeEntity = identityService.createUserQuery()
            .userId(delegateTask.getAssignee()).singleResult();

    }
    finally {

        identityService.setAuthentication(currentAuthentication);
    }

    if (assigneeEntity == null) {

        throw new ProcessEngineException("Invalid assignee");
    }
}

gumang · February 24, 2021, 5:24am

Hi @hassang
Thanks for the solution. I will try it out and update here

gumang · March 4, 2021, 11:39am

@hassang Thanks, It worked
As a curious person and engineer, i dont understand why this is not implemented by camunda

system · January 30, 2024, 12:54pm