CAS SSO with Activiti REST API

einarwh
Champ in-the-making
Hi,

We're building a multi-component web application that communicates with Activiti using the REST API. We'd like to do two things:

1. Replace the default basic HTTP authentication, and rely on Tomcat to handle authentication using CAS SSO. We obviously still need a notion of identity for the user - should we use a suitable IdentityService for this?

2. Implement our own authorization scheme based on LDAP integration.

My understanding is that it is not sufficient to implement our own RestAuthenticator, since this will still employ the default authentication scheme.

Any pointers on how to best proceed would be greatly appreciated.

My apologies if my questions are naive or misguided, I am an Activiti beginner.

Kind regards,
Einar

trademak
Star Contributor
Hi,

My first thought is that it should be just fine if you implement your own RestAuthenticator.
You should implement the requestRequiresAuthentication method and always return false.
That prevents the REST layer from calling the Activiti identity management.
In the requestRequiresAuthentication method you could check the SSO token and throw an exception if it's invalid.
Also make sure to set the user on the request, because some REST services need that user object.

Best regards,

einarwh
Champ in-the-making
Hi,

Thanks a lot for your quick answer! Apologies if my follow-up questions are stupid or misguided (Activiti is a very new friend of mine). What are the semantics of throwing an exception in requestRequiresAuthentication? In other words, what would the observed effect be? Also, how would we proceed to implement our custom authorization (using LDAP group membership) if requestRequiresAuthentication always returns false - my understanding is that isRequestAuthorized will never be called in that scenario? Once again, I am sorry that I'm asking from a perspective of ignorance here.

Thanks a lot,
Einar

frederikherema1
Star Contributor
Yes, as the javadoc says, if "requestRequiresAuthentication" returns false, the request is considered to be free of any further DEFAULT authentication (including calls to isRequestAuthorized).

Since the calls are done from Restlet, you can throw a ResourceException(…) with a status code and a description. The REST error handling that is in place will render a nice response JSON with the message in it (see ActivitiStatusService), and the HTTP response code will be the one you provide in the ResourceException. In your case, that will be an UNAUTHORIZED or REQUIRES_AUTHENTICATION, depending on what your SSO logic found out about the request…

Thanks a lot, I really appreciate the kind assistance and helpful advice. I think it's very neat that I can use HTTP response codes in that manner. Just to make sure: I'll just ignore the isRequestAuthorized call as such, and implement whatever custom authorization I need to do in the requestRequiresAuthentication call itself. Have I understood correctly?

Thanks again,
Einar
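Putting the advice from the two replies above together, here is an added example of such a RestAuthenticator (not code from the thread or from the Activiti project): it trusts the principal that Tomcat's CAS integration already established, performs the LDAP group check inside requestRequiresAuthentication, sets the user on the request, and always returns false so the default Basic-auth path is skipped. The package name org.activiti.rest.common.filter, the Restlet ServletUtils helper (which requires the Restlet servlet adapter), the GroupLookup interface and the group name are assumptions.

```java
// Package names assumed for Activiti 5.x REST (Restlet-based); adjust to your version.
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.activiti.rest.common.filter.RestAuthenticator;
import org.restlet.Request;
import org.restlet.data.Status;
import org.restlet.ext.servlet.ServletUtils;
import org.restlet.resource.ResourceException;
import org.restlet.security.User;

// Tomcat (with its CAS integration) has already authenticated the user, so this
// authenticator only maps the container principal onto the Activiti request and
// enforces group-based authorization; it never falls back to Basic auth.
public class CasSsoRestAuthenticator implements RestAuthenticator {

  /** Hypothetical hook for LDAP group membership lookups (JNDI, Spring LDAP, ...). */
  public interface GroupLookup {
    Set<String> groupsOf(String userId);
  }
  private static final String REQUIRED_GROUP = "activiti-rest-users"; // assumed group name
  private final GroupLookup groups;

  public CasSsoRestAuthenticator(GroupLookup groups) {
    this.groups = groups;
  }

  @Override
  public boolean requestRequiresAuthentication(Request request) {
    HttpServletRequest servletRequest = ServletUtils.getRequest(request);
    String userId = (servletRequest == null) ? null : servletRequest.getRemoteUser();
    // No container principal means CAS did not authenticate this request.
    if (userId == null || userId.isEmpty()) {
      throw new ResourceException(Status.CLIENT_ERROR_UNAUTHORIZED, "SSO authentication required");
    }
    // Authenticated but not in the required group: deny by default.
    Set<String> memberships = groups.groupsOf(userId);
    if (memberships == null || !memberships.contains(REQUIRED_GROUP)) {
      throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN, "Not authorized for the Activiti REST API");
    }
    // Some REST resources read the user from the request, so set it here.
    request.getClientInfo().setUser(new User(userId));
    // Returning false skips the default Basic-auth path, including isRequestAuthorized.
    return false;
  }

  @Override
  public boolean isRequestAuthorized(Request request) {
    // Not reached when requestRequiresAuthentication returns false; fail closed anyway.
    return false;
  }
}
```

Because the exception is thrown before the default path runs, a missing principal yields a 401 and a non-member yields a 403 through Activiti's normal JSON error rendering, exactly as described in the thread.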