
After disabling Activiti REST basic authentication

aditya09
Champ in-the-making
My Spring Security Configuration looks like this:

@Configuration
protected static class AuthConfig extends WebSecurityConfigurerAdapter {
    @Value('${authn.authnUrl}')
    private String authnUrl;

    @Value('${authn.clientId}')
    private String clientId;

    @Value('${authn.privateKeyPath}')
    private String privateKeyPath;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(new PreAuthAuthenticationProvider());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .addFilterBefore(authnFilter(), SecurityContextPersistenceFilter.class)
                .addFilterAfter(preAuthFilter(), LogoutFilter.class)
                .exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint('/login'));

    }

    private Filter preAuthFilter() throws Exception {
        PreAuthProcessingFilter filter = new PreAuthProcessingFilter();
        filter.setAuthenticationManager(authenticationManager());

        return filter;
    }

    private Filter authnFilter() {
        return new AuthnFilterBuilder()
                .setAuthnUrl(authnUrl)
                .setClientId(clientId)
                .setPrivateKeyPath(privateKeyPath)
                .enableSystemAuth()
                .enableUIAuth()
                .build();
    }
}

where authN is an internal tool used to authenticate users.
Now my question is: how will activiti-engine know which user initiated a request if I remove basic authentication completely?
3 REPLIES

jbarrez
Star Contributor
Activiti doesn't actually do anything with the security configuration. The only thing that happens is that the IdentityService.setAuthenticatedUserId is set, generally in a filter of some sort. That user id is then used to populate for example the history information.

aditya09
Champ in-the-making
Thank you for your reply.
Was stuck on this for days.

pteki
Champ in-the-making
Is there any way I can support multiple authentication processes? For example, check the SiteMinder token, if not check the JWT, if not Basic Auth? We have multiple instances and each legacy has its own auth methods. Can we do this?