05-11-2017 01:06 PM
Hi Team,
I have a query regarding Authorization header set for every Activiti-rest API call.
As per the user guide, this header is mandatory for rest calls or we can pass uname:pass along with the url.
Is there any way we can skip this and directly make the rest call by hitting the url without Authorization or uname:pass ?
We have a requirement for same.
Looking forward to your support as always.
Thanks.
05-11-2017 03:25 PM
You can easily disable the need for authorization by updating the Spring Security configuration.
If you are using Community Edition (e.g. 5.22.0) this is simply a matter of opening the following file:
activiti-webapp-rest2/src/main/java/org/activiti/rest/conf/SecurityConfiguration.java
Now change the following:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authenticationProvider(authenticationProvider())
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

To:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authenticationProvider(authenticationProvider())
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable()
            .authorizeRequests().anyRequest().permitAll();
    }

If you are using Enterprise Edition, you will need to build your own activiti-app war using the embedded-example available in the product download page. Once you have your custom app, you can customize the security configuration the same way as above.
Hope this helps,
Greg
05-15-2017 06:52 AM
Thanks for the solution. It worked for me. But at the same time I am facing another issue related to "initiator".
I have created a process definition, where for the start event I have set initiator. So when the Authorization header was set, the initiator was automatically assigned to the user mentioned in the header.
For example below is the sample json POST request to start a process:-
Authorization:kermit/kermit
    {
      "processDefinitionKey":"sample-process",
      "businessKey":"sample123"
    }
Here the initiator=kermit (automatically set)
But now when the header is not set, I am not able to set the initiator (or not able to start process using user)

    {
      "processDefinitionKey":"sample-process",
      "businessKey":"sample123"
    }

I tried setting "initiator" in the 2nd json call but the process started with blank START_USER_ID_ (DB column in act_hi_procinst table)
Can you please help which additional attribute is required in the JSON call in order to set the starter/initiator for a process instance?
Looking forward to your support as always.
Thanks,
Sonali
05-15-2017 12:13 PM
Ok, so you have run across the downside of not requiring authorization.
The createProcessInstance method (used to start an instance) takes the "initiator" from the Activiti Authentication provider.

    String authenticatedUserId = Authentication.getAuthenticatedUserId();
    String initiatorVariableName = (String) getProperty(BpmnParse.PROPERTYNAME_INITIATOR_VARIABLE_NAME);
    if (initiatorVariableName != null) {
        processInstance.setVariable(initiatorVariableName, authenticatedUserId);
    }
    if (authenticatedUserId != null) {
        processInstance.addIdentityLink(authenticatedUserId, null, IdentityLinkType.STARTER);
    }

So, if you don't have any authentication you will need another way of setting the current user. Perhaps a header.
Then, you will need to add your own custom Authentication and userdetails service.
Unfortunately, you can't have it both ways.
Greg
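
Added example, not part of the replies above or of the Activiti code base: one way to implement the header approach from the last reply is a servlet filter that fills the same thread-local `Authentication` that `createProcessInstance` reads. The class name, the header name `X-Authenticated-User` and the gateway address are assumptions, and the filter assumes the REST app is reachable only through a gateway that authenticates callers and overwrites this header; without that, any client can name itself as initiator.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.activiti.engine.impl.identity.Authentication;

/** Added example: takes the initiator from a header set by a trusted gateway. */
public class GatewayUserFilter implements Filter {
    // Assumed values: replace with the header and address of your own gateway.
    private static final String USER_HEADER = "X-Authenticated-User";
    private static final String TRUSTED_GATEWAY = "127.0.0.1";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only the gateway may assert an identity; any other peer could forge the header.
        if (!TRUSTED_GATEWAY.equals(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Reject missing or oddly shaped user ids instead of starting with a blank initiator.
        String userId = request.getHeader(USER_HEADER);
        if (userId == null || !userId.matches("[A-Za-z0-9._-]{1,64}")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            // Thread-local read by Authentication.getAuthenticatedUserId() in the engine.
            Authentication.setAuthenticatedUserId(userId);
            chain.doFilter(req, res);
        } finally {
            // Container threads are pooled: clear the id so it cannot leak to the next request.
            Authentication.setAuthenticatedUserId(null);
        }
    }

    @Override
    public void destroy() {}
}
```

The filter still has to be registered in the REST web application, and it does not check that the user id exists in Activiti's identity tables.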