Enable/disable Java serializable objects to be passed as variables in the REST API.
rest.variables.allow.serializable=true
Enable/disable whether the docs are available on /docs
rest.docs.swagger.enabled=true
The user I need to use to query the rest interface is kermit.
When I query all users (flowable-rest/service/identity/users) only the demo users are returned (kermit, fozzie, gonzo).
Hi, I saw this old post, but no one answered this post. I am interested in knowing the answer to the same question. I’ve followed other posts to enable LDAP in my flowable-default.properties file under flowable-rest\WEB-INF\classes:
flowable.idm.ldap.enabled=true
…
But the authentication still goes against dbo.ACT_ID_USER table of the configured database, not to LDAP.
Reading through the document, to enable LDAP integration, one needs to include dependency in pom.xml:
I looked at pom.xml in the flowable-rest package, I do not see this dependency. So I am afraid that I cannot use LDAP authentication for flowable-rest.war, is that true?
If that is true, what are my options if I want to integrate flowable-rest.war with LDAP as user store?
I cannot use the database configured for flowable engine because it looks like the user passwords in the dbo.ACT_ID_USERS are in clear text.
Hi Joey
I actually never got it working.
I ended putting an API-Manager in front of it.
The one I used was wso2 (https://wso2.com/api-management/)
This had the advantage that it is a generic solution that also supports other applications and adds features like keys.
The disadvantage is that since wso2 uses a “configured” user to connect to Flowable, all actions, no matter who did it are done by that configured user.
Thanks, Sebastiaan. I followed your link, unfortunately, I am not able to make much progress yet. I even tried to configure flowable-idm to work with Active Directory following the link Integration with Microsoft Active Directory. It appears I was directed to AD for authentication, but I could not get it working. At least, I know the LDAP configuration does make some difference to the flowable-idm app, but it does nothing to flowable-rest.
Thank you Filiphr for your reply. I do not have an issue with the basic authentication to the flowable-rest APIs. I was hoping I could use flowable-rest.war as it is with just additional configuration to support AD users and groups. The goals are:
Use a valid AD user with required privileges to authenticate into flowable-rest application.
Use AD users and groups as the CandidateUsers and CandidateGroups in the user task definition in the BPMN process definition.
The second goal is more important to me than the first one. If the above goal cannot be accomplished by configuration only, then it seems that I will have to build my own REST application by using flowable-spring-boot-starter-rest dependency. It looks like I can use LDAP configurator (https://flowable.com/open-source/docs/bpmn/ch17-Ldap/) to accomplish the above goal, is that correct?
The first goal can be accomplished with an API manager.
The 2nd goal can be accomplished by doing an LDAP call in a service class, or a REST call to something like Keycloak.
Thanks Sebastiaan for your pointer. I did think of the approach of doing the LDAP lookup in my own code. Maybe there is a better way, but the simplest way is to get all the tasks from flowable-rest API without any filter. Then get all the AD groups this user belongs to. Then loop through all the tasks to see if any of them is assigned to a group matching this user’s AD groups. This approach would work, although it will add a lot more network traffic between flowable-rest service and my client app if there are a lot of tasks for a lot of people. So I hope I can find a better solution.
Your approach is also interesting. Keep in mind that you can also pass the groups and user id to flowable-rest. This way the filtering is done in the DB and you’ll have proper paging and less network traffic.
Many thanks for your reply. I have a followup question regarding this group filter in Flowable-rest API. Say there is a task with candidategroup = “sales”. Say John is a member of the “sales” group. I read from other threads in the forum, you’ve said that one cannot query the task by user John. That is, one cannot call
query/tasks?CandidateUser=john
Instead, one has to call
query/tasks?CandidateGroup=sales
So if john belongs to 10 groups, does the client have to first find out all 10 groups john belongs to and call query/tasks 10 times to see all of John’s tasks? Or is there a single API call to send all 10 groups with OR logic, something like this:
Hi, Filip, upon further reading of the document, it appears one can use candidategroups=sales,marketing,… That may work, of course it would be much better if candidateuser=john would work as well.
Yes, you are right, OR is currently not supported as a query option. So you would either search for groups or for the user (I know it is not ideal).
So using candidateGroups=sales,marketing,...&candidateUser=john will not work.
Additionally there is also involvedUser (over REST) and also involvedGroups (over Java, not exposed over REST).
If you can create your own Flowable REST App you can in theory add your own endpoint that would be able to use the Java API and use OR (you can do that with Java).
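Putting the thread's two options side by side, as an added example that is not Flowable's code or any poster's: a small Python client helper that takes a user's directory groups (a constructed sample dict stands in for the LDAP/AD lookup) and builds the single query/tasks call with candidateGroups=a,b,c as discussed above, next to the fetch-everything-then-filter approach from the earlier post. The base URL, the task field names and the group data are assumptions.

```python
from urllib.parse import urlencode, urljoin

# Constructed sample directory data; stands in for the LDAP/AD group lookup
# the thread describes doing in your own code.
SAMPLE_DIRECTORY_GROUPS = {
    "john": ["sales", "marketing"],
    "mary": ["finance"],
}

# Constructed sample tasks. The key names here are an assumption made for
# the client-side comparison, not flowable-rest's response format.
SAMPLE_TASKS = [
    {"id": "t1", "name": "Approve quote", "candidateGroups": ["sales"]},
    {"id": "t2", "name": "Close books", "candidateGroups": ["finance"]},
    {"id": "t3", "name": "Launch campaign", "candidateGroups": ["marketing", "pr"]},
]


def groups_for_user(user, directory=SAMPLE_DIRECTORY_GROUPS):
    """Return the directory groups a user belongs to (empty list if unknown)."""
    return list(directory.get(user, []))


def build_task_query_url(base_url, groups):
    """Server-side filtering: one query/tasks call carrying all of the user's
    groups as candidateGroups=a,b,c, so filtering and paging happen in the DB.
    Refuses an empty group list: without the filter the query would return
    every task rather than none, which is the wrong failure mode."""
    if not groups:
        raise ValueError("no groups: refusing to send an unfiltered task query")
    query = urlencode({"candidateGroups": ",".join(groups)}, safe=",")
    return urljoin(base_url, "query/tasks") + "?" + query


def filter_tasks_client_side(tasks, groups):
    """The fetch-everything-then-filter approach from the thread, kept for
    comparison; every task crosses the network before the client discards it."""
    wanted = set(groups)
    return [t["id"] for t in tasks if wanted.intersection(t.get("candidateGroups", []))]


if __name__ == "__main__":
    base = "https://flowable.example/flowable-rest/service/"  # placeholder host
    for user in ("john", "mary"):
        groups = groups_for_user(user)
        print(user, build_task_query_url(base, groups))
        print(user, filter_tasks_client_side(SAMPLE_TASKS, groups))
```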