Authentication without REST

gant
Champ in-the-making
Hi,

Using the REST-API, the user has to login to do any action on the engine. As I have seen, no authentication/authorisation at all is needed when using the Java-API directly. I'd like to achieve the following goals:

  • Only existing users can start process instances and the userId is stored in START_USER_ID_ of act_hi_procinst (value is null, if I start an instance through the API).

  • Only the user assigned to a task can complete a task (and some admin users with special permissions)
Any suggestions on how to do this best would be appreciated.

In Javadoc I read about the method checkPassword(userId,pwd), that I could use to check if a user exists (to authenticate it). Then I could use setAuthenticatedUser(userId), which would cause START_USER_ID_ to be set, if I understand this correctly. But how to prevent not authorized users from starting instances and how to prevent completing of tasks by 'guerilla-users'?

Regards,
michael
1 reply

ronald_van_kuij
Champ on-the-rise
> But how to prevent not authorized users from starting instances and how to prevent completing of tasks by 'guerilla-users'?

Might not be what you want to hear, but the basic answer is: by implementing this. Just build a UI where they only get to see tasks that belong to them, cannot change ids to get to other tasks etc… Basically like you would secure any other webapp with shared data.
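As an added example of "implementing this" (it is not code from either poster, nor part of the engine), the facade below sits between the web layer and the Activiti Java API and enforces the two goals from the question: only a user who passed checkPassword and still exists in the identity tables may start an instance (with START_USER_ID_ populated via the thread-local authenticated user), and a task may only be completed by its assignee or by a member of an admin group. The class name, the admin group id and the use of the Activiti 5 `IdentityService`, `RuntimeService` and `TaskService` interfaces are assumptions; in those interfaces the method the question calls setAuthenticatedUser is named `setAuthenticatedUserId`.

```java
// Added example: an authorization facade in front of the Activiti Java API.
// Assumes the Activiti 5 engine API; ADMIN_GROUP and the class name are assumptions.
import org.activiti.engine.IdentityService;
import org.activiti.engine.ProcessEngine;
import org.activiti.engine.RuntimeService;
import org.activiti.engine.TaskService;
import org.activiti.engine.runtime.ProcessInstance;
import org.activiti.engine.task.Task;

public class SecuredEngineFacade {
    // Assumed group id whose members may complete any task (the "admin users" of the question).
    private static final String ADMIN_GROUP = "admin";

    private final IdentityService identityService;
    private final RuntimeService runtimeService;
    private final TaskService taskService;

    public SecuredEngineFacade(ProcessEngine engine) {
        this.identityService = engine.getIdentityService();
        this.runtimeService = engine.getRuntimeService();
        this.taskService = engine.getTaskService();
    }

    /** Authenticates against the engine's identity tables; the web layer keeps the returned userId in its session. */
    public String login(String userId, String password) {
        if (userId == null || password == null || !identityService.checkPassword(userId, password)) {
            throw new SecurityException("authentication failed");
        }
        return userId;
    }

    /** Goal 1: only an existing user may start an instance, and START_USER_ID_ records who did. */
    public ProcessInstance startProcess(String sessionUserId, String processKey) {
        requireExistingUser(sessionUserId);
        // The authenticated user id is thread-local: set it for this call and always clear it
        // afterwards so a pooled request thread cannot leak the identity into a later request.
        identityService.setAuthenticatedUserId(sessionUserId);
        try {
            return runtimeService.startProcessInstanceByKey(processKey);
        } finally {
            identityService.setAuthenticatedUserId(null);
        }
    }

    /** Goal 2: only the assignee (or an admin) may complete a task, regardless of which taskId the client sends. */
    public void completeTask(String sessionUserId, String taskId) {
        requireExistingUser(sessionUserId);
        Task task = taskService.createTaskQuery().taskId(taskId).singleResult();
        if (task == null) {
            throw new IllegalArgumentException("no such task: " + taskId);
        }
        boolean isAssignee = sessionUserId.equals(task.getAssignee());
        if (!isAssignee && !isAdmin(sessionUserId)) {
            // Server-side check: hiding the task in the UI is not enough, the id is guessable.
            throw new SecurityException("user " + sessionUserId + " may not complete task " + taskId);
        }
        identityService.setAuthenticatedUserId(sessionUserId);
        try {
            taskService.complete(taskId);
        } finally {
            identityService.setAuthenticatedUserId(null);
        }
    }

    /** Re-checks the user on every call so a deleted user cannot keep acting with an old session. */
    private void requireExistingUser(String userId) {
        if (userId == null || identityService.createUserQuery().userId(userId).singleResult() == null) {
            throw new SecurityException("unknown user");
        }
    }

    /** True when the user is a member of the assumed admin group. */
    private boolean isAdmin(String userId) {
        return identityService.createGroupQuery()
                .groupId(ADMIN_GROUP)
                .groupMember(userId)
                .singleResult() != null;
    }
}
```

The point of the facade is that every engine call goes through it, so the checks hold even if a client tampers with task ids in the UI; the web layer never hands a raw `TaskService` or `RuntimeService` to request handlers.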