How to replace the AuthorizationService?


how can I replace the authorization service used by the engine? My goal is to implement some custom logics when deciding whether the permission is granted. If the custom logics can’t decide I’d fall back to the “standard” service. But I could not find a setter for the auth service.

Thank you for any hints!

You can override the service in the ProcessEngineConfigurationImpl. See creating a camunda plugin and modify on the pre-init()

How can one do this? I didn’t find a setter for this field. In order to change its value, a derived class must be created or reflection be used.

you would need to override the authorizationManager. Its part of the SessionManager. It is not a small task. There is lots of “internal” code mix in. It would likely be easier for you to build wrappers around camunda’s api that implement your controls

I’d like to use the custom auth service within the camunda GUI. I think it’s tightly integrated into it. Hence I need really the auth service and not a wrapper. But thank you for the hint about the authorizationManager.

here is a example with shrio:

Know that camunda ~“hardcode” the authoeization logic at the database level. So many of the authorization checks are done with SQL: Example: In the Query APIs authorization is done on the items being queried, but these are not auth checked at the app level, they are run through a ~complex sql lookup / filtering. There was lots of variation of code with little code comments explaining the logic flow. So the authorization logic on a command is different than the authorization logic that occurs during a query.

For now I just set the fields via reflection. Not very nice, but it works.

UPD: I was too quick. It works, but not everywhere well. I have to polish that.