LDAP with 5.19 REST - Code changes

ncoonghe
Champ in-the-making
Hi

In Activiti 5.19, in order to use LDAP with the REST module instead of the Activiti Identity related user/group/membership tables, will it work by including the Activiti-ldap related jar file and also by changing the ProcessEngineConfigurationImpl.java code by commenting out the below lines

addSessionFactory(new UserEntityManagerFactory());
addSessionFactory(new GroupEntityManagerFactory());
addSessionFactory(new MembershipEntityManagerFactory());


And adding the below lines instead

addSessionFactory(new LDAPUserManagerFactory(…));
addSessionFactory(new LDAPGroupManagerFactory(…));
addSessionFactory(new LDAPMembershipManagerFactory(…));

Regards
Nirmal
5 REPLIES

hari
Star Contributor
Hi Nirmal,

As per your statement, I understood that you are using Activiti via REST. Now when you use it via REST, you need not integrate Activiti with LDAP but you need to integrate your application with LDAP.
Also you need not change any code in Activiti source files.

ncoonghe
Champ in-the-making
Thanks Hari,

So you mean to say that when certain API calls are made, the engine does not look up the user/group identity link data and make sure that the entries are available before performing what the API has to do? Like assigning a task, delegating a task, assigning to a group, etc. In fact, it checks the user/password as part of REST using the user table.

I definitely think it cannot be isolated. It has to be integrated with the engine.

hari
Star Contributor
It would not check if the user/group exists in the table when you assign a task or perform any other action to a user/group. When you integrate your application with LDAP, it becomes your application's responsibility to verify these things.

We have done it in the same way. I pull the information of the list of users and list of groups from the LDAP and display it to the user when he tries to assign a task. In this way we ensured that no other user/group gets into the db.

ncoonghe
Champ in-the-making
But the REST webapp out of the box does require basic authentication to work. Meaning, without it the REST client does not allow me to execute any of the REST APIs, and the REST app checks against the user table to check the user and password. This means I would have to change Activiti REST code to not make the password check in the User table?

Also, can you confirm that none of the API calls ever validate against the User/Group table based on the context?

Also, I think some of the APIs like claim, etc. do check the Identity objects before the task is claimed, etc.

Regards
Nirmal

jbarrez
Star Contributor
No, Activiti does not check identities. It simply sets strings.
Swapping out the auth to LDAP, you'd need to change the SecurityConfiguration in the Activiti rest app.
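
The replies above leave identity validation to the calling application, since the engine only stores the id it is given as a string. An added example of that gate (not code from the thread or from Activiti): it checks an assignee against ids the application already pulled from LDAP before the REST request is built. The directory sample, the id pattern, the case-folding rule and the `runtime/tasks/{taskId}` request shape are assumptions.

```python
import json
import re

# Constructed sample: ids the application previously read from LDAP.
DIRECTORY_USERS = {"nirmal", "hari"}

# Assumption: ids are short simple tokens. Anything else is rejected before it
# can reach the request path or the engine's tables.
ID_PATTERN = re.compile(r"[A-Za-z0-9._-]{1,64}")


class UnknownIdentity(ValueError):
    """The id is malformed or is not present in the directory snapshot."""


def canonical_user(user_id, directory_ids=DIRECTORY_USERS):
    """Return the directory's spelling of user_id, or raise UnknownIdentity.

    Assumption: the directory matches ids case-insensitively while the engine
    stores the exact string, so "HARI" and "hari" would otherwise end up as
    two different assignees.
    """
    if not isinstance(user_id, str) or not ID_PATTERN.fullmatch(user_id):
        raise UnknownIdentity("malformed id: %r" % (user_id,))
    by_folded = {known.casefold(): known for known in directory_ids}
    try:
        return by_folded[user_id.casefold()]
    except KeyError:
        raise UnknownIdentity("not in directory: %r" % (user_id,)) from None


def build_assign_request(task_id, assignee, directory_ids=DIRECTORY_USERS):
    """Return (method, path, json_body) for a task assignment, or raise."""
    task_id = str(task_id)
    if not ID_PATTERN.fullmatch(task_id):
        raise ValueError("malformed task id: %r" % (task_id,))
    user = canonical_user(assignee, directory_ids)
    # Assumed request shape; the body is serialized, never string-formatted.
    return "PUT", "runtime/tasks/%s" % task_id, json.dumps({"assignee": user})


if __name__ == "__main__":
    print(build_assign_request("42", "HARI"))
    for bad in ("mallory", "hari/../admin", ""):
        try:
            build_assign_request("42", bad)
        except UnknownIdentity as exc:
            print("rejected:", exc)
```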