Custom Authentication Method... REST OK! MODELER NOK!

Hi!

I need to implement a custom authentication method working with another database…

After a hard battle I finally made this on REST in flowable-custom-context.xml:

<?xml version="1.0" encoding="UTF-8"?>

<bean id="dataSource" class="org.springframework.jdbc.datasource.SimpleDriverDataSource">
	<property name="driverClass" value="com.mysql.jdbc.Driver" />
	<property name="url" value="jdbc:mysql://127.0.0.1:3306/flowable?useSSL=false&amp;useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true" />
	<property name="username" value="root" />
	<property name="password" value="" />
</bean>

<bean id="dataSourceExternalAuth" class="org.springframework.jdbc.datasource.SimpleDriverDataSource">
	<property name="driverClass" value="com.mysql.jdbc.Driver" />
	<property name="url" value="jdbc:mysql://127.0.0.1:3306/external_auth?useSSL=false&amp;useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true" />
	<property name="username" value="root" />
	<property name="password" value="" />
</bean>

<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
	<property name="dataSource" ref="dataSource" />
</bean>

<bean id="dmnEngineConfigurator" class="org.flowable.dmn.spring.configurator.SpringDmnEngineConfigurator" />
<bean id="formEngineConfigurator" class="org.flowable.form.spring.configurator.SpringFormEngineConfigurator" />
<bean id="contentEngineConfigurator" class="org.flowable.content.spring.configurator.SpringContentEngineConfigurator" />

<bean id="processEngineConfiguration" class="org.flowable.spring.SpringProcessEngineConfiguration">
	<property name="dataSource" ref="dataSource" />
	<property name="transactionManager" ref="transactionManager" />
	<property name="databaseSchemaUpdate" value="true" />
	<property name="mailServerHost" value="localhost" />
	<property name="mailServerPort" value="5025" />
	<property name="configurators">
		<list>
			<ref bean="dmnEngineConfigurator" />
			<ref bean="formEngineConfigurator" />
			<ref bean="contentEngineConfigurator" />
		</list>
	</property>

	<property name="idmEngineConfigurator">
		<bean class="my.flowable.auth.MyCustomAuthConfigurator">
			<property name="myCustomAuthConfiguration">
				<bean class="my.flowable.auth.MyCustomAuthConfiguration">
					<property name="dataSource" ref="dataSourceExternalAuth" />
				</bean>
			</property>
		</bean>
	</property>
</bean>

<bean id="processEngineFactoryBean" class="org.flowable.spring.ProcessEngineFactoryBean">
	<property name="processEngineConfiguration" ref="processEngineConfiguration" />
</bean>

<bean id="repositoryService" factory-bean="processEngine" factory-method="getRepositoryService" />
<bean id="runtimeService" factory-bean="processEngine" factory-method="getRuntimeService" />
<bean id="taskService" factory-bean="processEngine" factory-method="getTaskService" />
<bean id="formService" factory-bean="processEngine" factory-method="getFormService" />
<bean id="historyService" factory-bean="processEngine" factory-method="getHistoryService" />
<bean id="managementService" factory-bean="processEngine" factory-method="getManagementService" />
<bean id="identityService" factory-bean="processEngine" factory-method="getIdentityService" />

Here is my custom auth implementation based on the LDAP module:

	<property name="idmEngineConfigurator">
		<bean class="my.flowable.auth.MyCustomAuthConfigurator">
			<property name="liferayAuthConfiguration">
				<bean class="my.flowable.auth.MyCustomAuthConfiguration">
					<property name="dataSource" ref="dataSourceExternalAuth" />
				</bean>
			</property>
		</bean>
	</property>

It works very well, but I am wondering if this is the better approach!?

And now… how can I configure the flowable-modeler to use my custom authentication method?

I would very much appreciate any enlightenment… thank you!
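
The two data sources from the configuration above with the root account, the empty password and `useSSL=false` replaced, as an added example that is not part of the original post. The properties file path, the property names and the two separate database accounts are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

	<!-- Assumption: credentials are kept outside the deployed application, in a file
	     readable only by the servlet container's account (hypothetical path and keys). -->
	<context:property-placeholder location="file:/etc/flowable/db.properties" />

	<!-- Engine schema. Posted form: username "root", password "", useSSL=false.
	     Here: a dedicated account limited to the flowable schema (it still needs DDL
	     rights there because databaseSchemaUpdate is "true"), and TLS required with
	     the server certificate verified. The CA certificate must be in the JVM trust
	     store or supplied through Connector/J's trustCertificateKeyStoreUrl. -->
	<bean id="dataSource" class="org.springframework.jdbc.datasource.SimpleDriverDataSource">
		<property name="driverClass" value="com.mysql.jdbc.Driver" />
		<property name="url" value="jdbc:mysql://127.0.0.1:3306/flowable?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true&amp;useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true" />
		<property name="username" value="${flowable.db.username}" />
		<property name="password" value="${flowable.db.password}" />
	</bean>

	<!-- External authentication database. Posted form: the same root account.
	     Here: a second account that can only read external_auth, for example one
	     granted SELECT on external_auth.* and nothing else, so a flaw in the custom
	     authentication code cannot alter user records or reach the engine schema. -->
	<bean id="dataSourceExternalAuth" class="org.springframework.jdbc.datasource.SimpleDriverDataSource">
		<property name="driverClass" value="com.mysql.jdbc.Driver" />
		<property name="url" value="jdbc:mysql://127.0.0.1:3306/external_auth?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true&amp;useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true" />
		<property name="username" value="${extauth.db.username}" />
		<property name="password" value="${extauth.db.password}" />
	</bean>

</beans>
```

The remaining beans from the post are unchanged and omitted here; `useSSL`, `requireSSL` and `verifyServerCertificate` are the Connector/J 5.1 property names that match the `com.mysql.jdbc.Driver` class used above.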

The UI apps use another interface called RemoteIdmService in the flowable-ui-common package. So the standard implementation will do REST calls to the idm UI app.

There are two scenarios:

  1. If you want to merely get users and groups from an external IDM, but still use the flowable IDM app for login, then you can replace the RemoteIdmService implementation with your own. You’d need a way to let Spring know which one to use, as this is done in Java config and so it is not as easy to swap in another class as with XML config. I am using @Profile to achieve this currently to minimize changes to the flowable code base.

  2. If you want to replace the IDM app entirely, as in use your IDM for logging in to the modeler app, then there is more involved and it is not very pluggable. You have to replace the SecurityConfiguration in flowable-ui-modeler with your own. This also involves either returning a Principal of type FlowableAppUser from your Spring Security auth service or editing SecurityUtils to convert your Principal object into FlowableAppUser. I used @Profile again to make it somewhat pluggable for myself.

And there are posts on the topic, but there was no substitute for diving deeply into the code:
https://forum.flowable.org/search?q=RemoteIdmService

I have an open question on whether the @Profile approach could perhaps be incorporated:

@ruzkant many thanks!

Your tips will help me. :wink:
