Hi,
We are using the process engine embedded in a spring boot application, and are starting to add method-level authorization annotations (e.g., @PreAuthorize) to our service layers.
My questions:
- If an end user submits a task, and there is no “async after” configured in the process definition, will spring’s security context be propagated to any service task/listener/… that occurs after the user task (until another wait state is encountered, of course)?
- For a user task with an “async after”, are output parameters and end listeners part of the task submit? Will they be executed within the security context of the original user?
- If there is an “async after”, and the job executor kicks in, is it possible to inject a security context, such that service tasks/listeners can invoke secured methods?
- Is there any documentation, examples, best practices, etc. on combining the Camunda process engine with Spring security?
Note that I am not asking about integrating the webapps (cockpit, tasklist) with spring security or implementing a custom IdentityProvider.
Thanks
Hi @stijn.timbermont,
In Camunda you have to call identityService.setAuthenticatedUserId()
to set the userId for the executed command. Then the user task will be saved with the userid in the history. I haven’t used spring security with the annotation, my experience comes from this example: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-rest-api-basic-auth.
The userid is stored in a threadLocal variable which is removed with the commit in the database. If there is an async after, a different thread without user authentication will pick up and execute the work for the following tasks. You can find the borders of the async after (and before) here: https://docs.camunda.org/manual/7.9/user-guide/process-engine/transactions-in-processes/#understand-asynchronous-continuations. Output parameters and end listeners are part of the service execution and the state will be persisted afterwards.
Here is a repository that implements single sign on with the help of spring security: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso. Maybe it’s a useful inspiration.
Hope this helps, Ingo
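One way to handle the third question (a service task behind an "async after" calling a `@PreAuthorize`-secured method) follows directly from the thread-local point above: the job executor thread has no Spring `SecurityContext`, so whatever the submitting user had on the request thread is gone. The code below is an added example, not from this thread and not Camunda's or the camunda-consulting snippets' own code. It records the submitting user in a process variable while still on the caller's thread (a `complete` task listener), and a delegate rebuilds a narrowly scoped context from that variable only when none is present, clearing it again in `finally` because executor threads are pooled. The package name, the variable name `submittedBy`, the `ApprovalService` interface and the single granted role are all assumptions for illustration; a real deployment would load the user's authorities from the same store the login uses.

```java
package example.camunda.security; // assumed package name

import java.util.Collections;

import org.camunda.bpm.engine.delegate.DelegateExecution;
import org.camunda.bpm.engine.delegate.DelegateTask;
import org.camunda.bpm.engine.delegate.JavaDelegate;
import org.camunda.bpm.engine.delegate.TaskListener;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/** Carries the submitting user across an "async after" boundary (example code, assumed design). */
public final class AsyncSecurityContextSupport {

    /** Process variable holding the submitter's id (name chosen here, not a Camunda convention). */
    public static final String SUBMITTED_BY = "submittedBy";

    /** Role granted to the rebuilt context; assumed for the example, load real authorities in production. */
    static final String ASSUMED_ROLE = "ROLE_PROCESS_APPROVER";

    private AsyncSecurityContextSupport() {}

    /** Attach to the user task as a "complete" listener (delegateExpression="${recordSubmitter}"). */
    @Component("recordSubmitter")
    public static class RecordSubmitterListener implements TaskListener {
        @Override
        public void notify(DelegateTask task) {
            if (!TaskListener.EVENTNAME_COMPLETE.equals(task.getEventName())) {
                return;
            }
            // Still on the caller's thread: Spring's context is the authenticated end user.
            Authentication springAuth = SecurityContextHolder.getContext().getAuthentication();
            String userId;
            if (springAuth != null && springAuth.isAuthenticated()) {
                userId = springAuth.getName();
            } else {
                // Fall back to what the engine knows from identityService.setAuthenticatedUserId().
                org.camunda.bpm.engine.impl.identity.Authentication engineAuth =
                    task.getProcessEngineServices().getIdentityService().getCurrentAuthentication();
                userId = engineAuth == null ? null : engineAuth.getUserId();
            }
            if (userId == null) {
                throw new IllegalStateException("task completed without an authenticated user");
            }
            task.setVariable(SUBMITTED_BY, userId);
        }
    }

    /** Secured service the service task must call; enforced by Spring method security. */
    public interface ApprovalService {
        @PreAuthorize("hasRole('PROCESS_APPROVER')")
        String approve(String orderId);
    }

    @Service
    public static class ApprovalServiceImpl implements ApprovalService {
        @Override
        public String approve(String orderId) {
            String caller = SecurityContextHolder.getContext().getAuthentication().getName();
            return "approved:" + orderId + ":by:" + caller;
        }
    }

    /** Service task after the async boundary (delegateExpression="${securedApprovalDelegate}"). */
    @Component("securedApprovalDelegate")
    public static class SecuredApprovalDelegate implements JavaDelegate {
        private final ApprovalService approvalService;

        public SecuredApprovalDelegate(ApprovalService approvalService) {
            this.approvalService = approvalService;
        }

        @Override
        public void execute(DelegateExecution execution) {
            SecurityContext previous = SecurityContextHolder.getContext();
            Authentication current = previous.getAuthentication();
            try {
                if (current == null || !current.isAuthenticated()) {
                    // Async continuation on a job executor thread: rebuild a minimal context.
                    String userId = (String) execution.getVariable(SUBMITTED_BY);
                    if (userId == null) {
                        throw new IllegalStateException("no submitter recorded; refusing to call a secured method anonymously");
                    }
                    SecurityContext rebuilt = SecurityContextHolder.createEmptyContext();
                    rebuilt.setAuthentication(new UsernamePasswordAuthenticationToken(
                        userId, null, Collections.singletonList(new SimpleGrantedAuthority(ASSUMED_ROLE))));
                    SecurityContextHolder.setContext(rebuilt);
                }
                String result = approvalService.approve((String) execution.getVariable("orderId"));
                execution.setVariable("approvalResult", result);
            } finally {
                // Executor threads are reused: never leave the rebuilt context behind.
                SecurityContextHolder.setContext(previous);
            }
        }
    }
}
```

Without the async boundary the delegate runs on the request thread, `current` is the real user, and the `if` branch is skipped, which matches the first question. The restored context is an impersonation of the submitter by the job executor, so keeping its authorities minimal and scoping it to the `try` block is what limits the damage if the variable is ever tampered with. Camunda's own `identityService.setAuthenticatedUserId()` lives in a separate thread-local and is not touched here.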