
Workaround for LDAP?

jcosano
Champ in-the-making
I wrote some posts about how important the integration between Activiti and LDAP is… I know that for now it is not in the main list of next features, and in the roadmap it appears for 1 July…
I'm working with Activiti and all results are very good, but my company needs to choose its BPMN engine now. We have around 5000 users, and for us, integration with the company LDAP is mandatory…

- Is it possible to prioritize this improvement? I read some posts in the forum asking about this.
- Can I implement a workaround for access to my LDAP, and wait for an official solution? Is it enough to implement my customLdapIdentitySession?
16 REPLIES

tizo
Champ in-the-making
Ok, I have an initial implementation that is working for me. Here are the steps:

  • Implement my own IdentitySession: MyIdentitySession implementing IdentitySession and Session.

  • Implement a factory for MyIdentitySession: MyIdentitySessionFactory implementing SessionFactory.

  • When building the engine, do something like:

        ProcessEngineConfiguration processEngineConfiguration =
                ProcessEngineConfiguration.createProcessEngineConfigurationFromResourceDefault();
        List<SessionFactory> customSessionFactories = new ArrayList<SessionFactory>();
        customSessionFactories.add(new MyIdentitySessionFactory());
        ((ProcessEngineConfigurationImpl)processEngineConfiguration).
                setCustomSessionFactories(customSessionFactories);
        ProcessEngine engine = processEngineConfiguration.buildProcessEngine();
And MyIdentitySessionFactory is replacing the default IdentitySessionFactory (DbIdentitySessionFactory) automatically. This is because customSessionFactories are added after the default session factories, and both MyIdentitySessionFactory and DbIdentitySessionFactory return the same type in getSessionType (IdentitySession.class); this type is used as the key in a map that contains all the session factories of the engine.

Now, talking about MyIdentitySession:

  • I am just throwing an UnsupportedOperationException in all the update methods (createNewUser, insertUser, updateUser, deleteUser, createNewGroup, insertGroup, updateGroup, deleteGroup, createMembership and deleteMembership). This is because I do not need to administer users and groups from Activiti. We do that from another system that connects to the LDAP directory.

  • The only method that I am really using now, is findGroupsByUser. This is called when querying for tasks of a candidate user. As we are using Activiti in an EJB context, I can ask the application server for the username, and the groupnames of that user. So, I compare the username that is coming as a parameter to the method, with the username of the logged user. If they match, I create a GroupEntity for each of the groups of the user, and return a list of them. If not, it will connect to LDAP directory to obtain the information, but this is not implemented yet (probably we will need it when we use or develop some kind of administrator system for the workflow).

  • The other methods are all throwing UnsupportedOperationException. As we discover that any of them is needed, we will implement it.
So, we do not need to query the LDAP directory right now. However, we will need it in the near future, and we will use JNDI to do that, as we have experience with it.

I hope that this could help other users.

Happy new year.
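
Added example, not part of tizo's post or of the Activiti codebase: one way the JNDI lookup that the post defers for findGroupsByUser could be written. The class name, server URL, base DN and the posixGroup/memberUid schema are assumptions; a custom IdentitySession would wrap each returned name in a GroupEntity as described above.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

/** Hypothetical helper a custom IdentitySession could delegate to; not Activiti code. */
public class LdapLookup {
    // Assumed directory layout (constructed values): posixGroup entries under GROUP_BASE.
    static final String URL = "ldaps://ldap.example.com:636"; // ldaps: bind password is not sent in clear
    static final String GROUP_BASE = "ou=groups,dc=example,dc=com";

    static DirContext bind(String dn, String password) throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind (RFC 4513, 5.1.2),
        // which many servers accept, so it must never count as a successful login.
        if (dn == null || dn.isEmpty() || password == null || password.isEmpty()) {
            throw new AuthenticationException("empty DN or password");
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Names (cn) of the groups that list userId as a member, read with a service account. */
    static List<String> findGroupNamesByUser(String serviceDn, String servicePw, String userId)
            throws NamingException {
        List<String> names = new ArrayList<String>();
        if (userId == null || userId.isEmpty()) return names;
        DirContext ctx = bind(serviceDn, servicePw);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            // userId is passed as a filter argument: JNDI escapes '*', '(', ')' and '\' in it,
            // so a crafted user name cannot rewrite the search filter.
            NamingEnumeration<SearchResult> hits = ctx.search(GROUP_BASE,
                    "(&(objectClass=posixGroup)(memberUid={0}))", new Object[] {userId}, sc);
            while (hits.hasMore()) {
                Attribute cn = hits.next().getAttributes().get("cn");
                if (cn != null) names.add((String) cn.get());
            }
        } finally {
            ctx.close();
        }
        return names;
    }
}
```

The same bind helper can back a password check: a bind that returns without an AuthenticationException means the credentials were accepted by the directory.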

jbarrez
Star Contributor
That surely is helpful! Thanks for sharing it!

p4w3l
Champ in-the-making
I have already tuned shiva0's solution, the LDAP IdentitySessionImpl, in the previous incarnation here: http://community.jboss.org/thread/119175 and tested it with Lotus Domino and Active Directory. I am ready to adapt it again to Activiti if somebody shows me how to plug it into activiti.cfg.xml. I appreciate tizo's programmatic solution as a workaround, but I think it will not work with unit testing, where the process engine is created automatically behind the scenes. With the mentioned code for IdentitySession we are not far from an accepted solution. I have seen Tom Baeyens "think" about how he expects it to be plugged in here: http://forums.activiti.org/en/viewtopic.php?f=4&t=427&start=0&hilit=ldap like this: <session class="the.SessionClass" factory="the.FactoryClass" />
Please help me! The body can be done quickly. Only I don't know Activiti sufficiently to plug it in properly!

frederikherema1
Star Contributor
We have an example of this in our codebase (the XML you are referring to was just an idea on how this could be done):

/activiti-engine/src/test/java/org/activiti/standalone/cfg/identity/CustomIdenstitySessionTest.java
/activiti-engine/src/test/resources/org/activiti/standalone/cfg/identity/customIdentitySession-activiti.cfg.xml

Basically, the XML you need is the following (a property on your process-engine configuration; full XML in customIdentitySession-activiti.cfg.xml):

    <!-- provide a custom IdentitySessionFactory that returns a custom IdentitySession -->
    <property name="customSessionFactories">
        <list>
            <bean class="org.activiti.standalone.cfg.identity.CustomIdentitySessionFactory" />
        </list>
    </property>

p4w3l
Champ in-the-making
Thank you, Frederik. I am almost done and wanna start testing, but got confused:

1. After installing my brand new LdapIdentitySession (called by LdapIdentitySessionFactory, called by activiti.cfg.xml with the new property you showed me) I cannot log in to any web application (like explorer or probe). I get the ERROR below. Could you give me a hint how to debug Spring, which I don't know? My LdapIdentitySession is not in the trace:
INFO: Server startup in 16312 ms
19:39:10,630  ERROR [extensions.webscripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 02090000 Username and password does not match.
org.springframework.extensions.webscripts.WebScriptException: 02090000 Username and password does not match.
at org.activiti.rest.api.identity.LoginPost.executeWebScript(LoginPost.java:75)
at org.activiti.rest.util.ActivitiWebScript.executeImpl(ActivitiWebScript.java:68)
at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:64)
at org.springframework.extensions.webscripts.PresentationContainer.executeScript(PresentationContainer.java:69)
at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:333)
at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:189)
at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:118)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:636)
2011-03-09 19:39:10 org.springframework.extensions.webscripts.connector.AuthenticatingConnector handshake
SEVERE: An exception occurred while attempting authentication handshake for endpoint: http://localhost:8080/activiti-rest/service
org.springframework.extensions.surf.exception.AuthenticationException: 02090000 Username and password does not match.
at org.activiti.surf.ActivitiRESTAuthenticator.authenticate(ActivitiRESTAuthenticator.java:97)
at org.springframework.extensions.webscripts.connector.AuthenticatingConnector.handshake(AuthenticatingConnector.java:403)
at org.activiti.surf.ActivitiUserFactory.authenticate(ActivitiUserFactory.java:141)
at org.springframework.extensions.surf.mvc.LoginController.handleRequestInternal(LoginController.java:67)
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:771)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:563)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:195)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:159)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:636)

2. Another confusion is with IdentityService. I try to call, from within PluggableActivitiTestCase, examples from the User Manual like:
identityService.findUser(userId)
identityService.findGroup(groupId)
but they do not compile!
I checked the Javadoc and found that IdentityService has only some createX, deleteX, newX and saveX. There are no findX methods. Where are they? How are IdentitySession and IdentityService related?

frederikherema1
Star Contributor
Hi,

1) When authenticating using REST, org.activiti.surf.ActivitiRESTAuthenticator.authenticate is used. This class plugs into the spring-surf authentication framework and will use the engine's identityService. The reason you don't see your service in the stacktrace is because the RestAuthenticator throws the exception, not the service itself.

2) Those methods have been removed. You should use the UserQuery and GroupQuery to find users and groups. Where exactly did you find this in the userguide?

p4w3l
Champ in-the-making
1. Thank you for the hint.

2. You can still find API examples in "Chapter 14. REST API" like that: ProcessEngines.getProcessEngine(configuredProcessEngineName).getIdentityService().findUser(userId)

I will open a new thread about LdapIdentitySession because it's getting complex and I will need more help.