topic Re: Authorization header - Activiti REST in Alfresco Forum

Authorization header - Activiti REST

sonalik — Thu, 11 May 2017 17:06:04 GMT

Hi Team,I have a query regarding Authorization header set for every Activiti-rest API call.As per the user guide, this header is mandatory for rest calls or we can pass unameass along with the url.Is there any way we can skip this and directly make the rest call by hitting the url without Authoriz

Re: Authorization header - Activiti REST

gdharley — Thu, 11 May 2017 19:25:26 GMT

You can easily disable the need for authorization by updating the Spring Security configuration.

If you are using Community Edition (e.g. 5.22.0) this is simply a matter of opening the following file:

activiti-webapp-rest2/src/main/java/org/activiti/rest/conf/SecurityConfiguration.java

Now change the following :

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
   .authenticationProvider(authenticationProvider())
   .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
   .csrf().disable()
   .authorizeRequests()
     .anyRequest().authenticated()
     .and()
   .httpBasic();
}

To:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
   .authenticationProvider(authenticationProvider())
   .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
   .csrf().disable()
   .authorizeRequests().anyRequest().permitAll();
}

If you are using Enterprise Edition, you will need to build your own activiti-app war using the embedded-example available in the product download page. Once you have your custom app, you can customize the security configuration the same way as above.

Hope this helps,
Greg

‌

Re: Authorization header - Activiti REST

sonalik — Mon, 15 May 2017 10:52:28 GMT

Thanks for the solution. It worked for me. But at the same time i am facing another issue related to "initiator".

I have created a process definition, where for start event i have set initiator. So when the Authorization header was set the initiator was automatically assigned to the user mentioned in header.

For example below is the sample json POST request to start a process:-

Authorization:kermit/kermit
{
"processDefinitionKey":"sample-process",
"businessKey":"sample123"
}

Here the initiator=kermit (automatically set)

But now when the header is not set, i am not able to set the initiator (or not able to start process using user)

{
"processDefinitionKey":"sample-process",
"businessKey":"sample123"
}

I tried setting "initiator" in the 2nd json call but the process started with blank START_USER_ID_ (DB column in act_hi_procinst table)

Can you please help which additional attribute is required in the JSON call in order to set the starter/initiator for a process instance?

Looking forward for your support as always.

Thanks,

Sonali

Re: Authorization header - Activiti REST

gdharley — Mon, 15 May 2017 16:13:10 GMT

Ok, so you have run across the downside of not requiring authorization.

The createProcessInstance method (used to start an instance) takes the "initiator" from the Activiti Authentication provider.

String authenticatedUserId = Authentication.getAuthenticatedUserId();
String initiatorVariableName = (String) getProperty(BpmnParse.PROPERTYNAME_INITIATOR_VARIABLE_NAME);
if (initiatorVariableName!=null) {
processInstance.setVariable(initiatorVariableName, authenticatedUserId);
}
if (authenticatedUserId != null) {
processInstance.addIdentityLink(authenticatedUserId, null, IdentityLinkType.STARTER);
}

So, if you dont have any authentication you will need another way of setting the current user. Perhaps a header.

Then, you will need to add your own custom Authentication and userdetails service.

Unfortunately, you cant have it both ways.

Greg

‌