
Activiti REST Webapp LDAP and Role Authorization

gregdavisfromnj
Champ on-the-rise
The User Guide shows how to set up LDAP integration for both the Explorer and REST web apps in Chapter 17. I've succeeded in configuring LDAP authentication for the REST web app against my local Active Directory. Great. The User Guide shows how to map Explorer groups/roles to LDAP groups, to provide a multi-level authorization once authenticated.

But, I don't see how to do the same for the REST web app.

That is, once a user's Basic Auth credentials are authenticated via LDAP, any user in the LDAP directory can execute a REST request. Ideally, I'd like to specify an LDAP group which has privilege to the REST web app. It seems like that would be analogous to the Explorer "admin group". Any LDAP user who is not in that LDAP group would get some kind of "forbidden" or 401 error.

Is this possible?  It sounds pretty basic, and not too fancy.

Creating an OU in the LDAP hierarchy specific to ActivitiAdmins and tweaking the baseDn in the Spring configs for the REST web app appropriately might work, but seems like a pretty heavy-handed manipulation of the LDAP directory. That would be a step towards having a separate username/password for each application a person wanted to use, rather than a common username/password to identify the same client thing (a person or another application).

Thanks
1 REPLY

jbarrez
Star Contributor
You would need a combination of the LDAP + a custom RestAuthenticator (see http://activiti.org/userguide/index.html#N13024)
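
The approach suggested in the reply, sketched as an added example that is not part of the original thread or of Activiti's own code: a `RestAuthenticator` that authorizes a request only when the LDAP-authenticated user belongs to one group. It assumes the Restlet-based Activiti 5.x REST web app with the LDAP configurator already active; the class name `GroupRestAuthenticator` and the group id `activiti-rest-users` are placeholders.

```java
import java.util.List;

import org.activiti.engine.IdentityService;
import org.activiti.engine.ProcessEngines;
import org.activiti.engine.identity.Group;
import org.activiti.rest.common.filter.RestAuthenticator;
import org.restlet.Request;
import org.restlet.security.User;

/** Added example: lets only members of one group use the REST API. */
public class GroupRestAuthenticator implements RestAuthenticator {

  // Placeholder: the group id as the LDAP configurator exposes it to Activiti.
  private String requiredGroupId = "activiti-rest-users";

  public void setRequiredGroupId(String requiredGroupId) {
    this.requiredGroupId = requiredGroupId;
  }

  @Override
  public boolean requestRequiresAuthentication(Request request) {
    // Every request must carry credentials; nothing is served anonymously.
    return true;
  }

  @Override
  public boolean isRequestAuthorized(Request request) {
    // The user is set by the Basic Auth check that ran before this call.
    User user = request.getClientInfo().getUser();
    if (user == null || user.getIdentifier() == null) {
      return false; // fail closed when no authenticated identity is present
    }
    IdentityService identityService =
        ProcessEngines.getDefaultProcessEngine().getIdentityService();
    // With LDAP configured, this membership query is answered by the directory.
    List<Group> groups = identityService.createGroupQuery()
        .groupMember(user.getIdentifier())
        .list();
    for (Group group : groups) {
      if (requiredGroupId.equals(group.getId())) {
        return true;
      }
    }
    return false; // authenticated, but not in the required group
  }
}
```

The authenticator still has to be registered on the REST application as described in the User Guide section linked in the reply. Because the membership lookup hits the directory on every request, the LDAP group cache settings are worth reviewing once this is in place.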