Group membership using SSO in version 5.16.3

faraon79
Champ in-the-making
Hi,

This is my second question in the context of SSO. I need to resolve group membership based on SSO (activiti-rest).

I have successfully switched off basic authentication, but the problem is with getting tasks for a user where a group (that the user is a member of) is defined as a potential owner. I have debugged the code many times and don't see where the original code base checks whether the user is a member of a group. The GroupEntityManager methods aren't called at any time when deploying a definition, starting an instance or querying for the task.

Sorry for my ignorance, but could you give me some tips on how to resolve this, or tell me where Activiti checks whether the user from a task query is a member of a group when a "group" task is defined?

Many thanks,
Tomasz
5 REPLIES

jbarrez
Star Contributor
Check GroupEntityManager:

<code>
public List<Group> findGroupsByUser(String userId) {
  return getDbSqlSession().selectList("selectGroupsByUserId", userId);
}
</code>

You will need to plug your own version of GroupIdentityManager in to make this work.
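
One way to plug in a group manager as suggested above, as an added example that is not part of the original post or the Activiti code base. `SsoGroupLookup`, `SsoGroupManager` and `SsoGroupManagerFactory` are hypothetical names, the lookup is assumed to return group ids taken from an already validated SSO assertion (never from a client-supplied value), and the Activiti 5.x classes imported below are assumed to be on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.activiti.engine.identity.Group;
import org.activiti.engine.impl.interceptor.Session;
import org.activiti.engine.impl.interceptor.SessionFactory;
import org.activiti.engine.impl.persistence.entity.GroupEntity;
import org.activiti.engine.impl.persistence.entity.GroupEntityManager;
import org.activiti.engine.impl.persistence.entity.GroupIdentityManager;

// Hypothetical bridge to the SSO layer (not an Activiti type).
interface SsoGroupLookup {
  // Group ids from the validated SSO assertion for userId, or null if unknown.
  Set<String> groupsFor(String userId);
}

// Resolves group membership from SSO instead of the engine's identity tables.
class SsoGroupManager extends GroupEntityManager {
  private final SsoGroupLookup lookup;

  SsoGroupManager(SsoGroupLookup lookup) { this.lookup = lookup; }

  @Override
  public List<Group> findGroupsByUser(String userId) {
    List<Group> groups = new ArrayList<Group>();
    Set<String> ids = (userId == null) ? null : lookup.groupsFor(userId);
    if (ids == null) {
      return groups; // fail closed: an unknown user belongs to no group
    }
    for (String id : ids) {
      GroupEntity group = new GroupEntity(id);
      group.setName(id);
      groups.add(group);
    }
    return groups;
  }
}

// Session factory that makes the engine hand out SsoGroupManager instances.
public class SsoGroupManagerFactory implements SessionFactory {
  private final SsoGroupLookup lookup;

  public SsoGroupManagerFactory(SsoGroupLookup lookup) { this.lookup = lookup; }

  public Class<?> getSessionType() { return GroupIdentityManager.class; }

  public Session openSession() { return new SsoGroupManager(lookup); }
}
```

The factory is registered through the process engine configuration's `customSessionFactories` property so that it replaces the default group manager.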


faraon79
Champ in-the-making
Thank you for the response. Actually, I'm wondering whether it is expected that the runtime/tasks resource executes the "candidateUser" and "candidateOrAssigned" queries in different ways. I mean, when "candidateUser" is used, the 'findGroupsByUser' method is always called, and when the "candidateOrAssigned" query is used, the method is never called. This is the reason why I never got to the "findGroupsByUser" method when debugging the code: I just used the incorrect query. Shouldn't the "candidateOrAssigned" query also return tasks for a user who exists in the definition only as a group member? The different results are a bit confusing.

Thanks

jbarrez
Star Contributor
It depends on whether you are using Explorer or not. In Explorer, those queries are important, because they will populate the task lists.
However, without Explorer, you can do as you please, and just use the candidateGroup queries to get tasks for certain groups.

I'm assuming you are using Explorer? Where exactly do you see the use of these queries?

faraon79
Champ in-the-making
I'm using activiti-rest only. In my use case I'm going to populate the user task list with the resource "GET runtime/tasks". If I could use the "candidateOrAssigned" query parameter, I would get all the tasks for the user in one shot. Alternatively, I could try to combine both queries, "candidateUser" and "assignee", but I'm not sure whether the response is the result of using an "or" or an "and" operator for the query parameters. We'll see.

Thanks

faraon79
Champ in-the-making
In detail (activiti-rest):

The process definition contains two parallel tasks:
task1 with a single user "user1" as potential owner
task2 with a group as potential owner (user1 is a member of it)

After starting the process instance and claiming task1, the results of the request "GET runtime/tasks" are:
1. using the "candidateUser=user1" query: one task - as expected
2. using the "assignee=user1" query: one task - as expected
3. using the "candidateUser=user1&assignee=user1" query: empty list - it seems that the "and" operator is used
4. using the "candidateOrAssigned=user1" query: one task (where user1 is assignee) - expected two tasks.

Regarding point 4 from the list above, is group membership for that query resolved in a different method ("findGroupsByUser" isn't called), or are two shots required to get two lists of tasks (one for assigned and one for candidate) and merge them outside Activiti? I'd like to avoid two shots and, e.g., be able to page the results on the Activiti side.

Thanks,
Tomasz