How to build Role Based Access to APIs using flowable inbuilt authentication

Use case : I have different user groups in my system for which i am building a common dashboard for them. All of user have different access and action privileges(ie they will see different limited information based on their level or can perform limited actions on a process). I have to keep a check on API for roles ie only authorized members can hit that api everyone else gets unauthorized error. I am not able to figure out how can i implement that using the inbuilt flowable authentication.

I tried @Preauthorize over my controllers with argument as “hasRole(‘admin’)” but even when i am logged in as fozzie, i dont get unauthorized error. Please anyone can guide me how can i do it?

In the future we will implemented this by using an api manager: https://wso2.com/api-management/

The api manager runs as a proxy that does authentication and logging.
You can either add the flowable database as a datasource (never tried that) or connect them both to an ldap datasource.

Hi,

You would need to change the default Spring security configuration as well to make this work.
How to do that is a question for Spring security not for Flowable.

Best regards,

Tijs

Hi tijs,

Yes i understand that its more of a spring question than flowable question. Actually, after going through this :

I tried something like this :

import org.flowable.rest.security.BasicAuthenticationProvider;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@org.springframework.context.annotation.Configuration
@Order(1)
class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Override
public void configure(WebSecurity web) throws Exception {
	web.ignoring().antMatchers("/login").antMatchers("/dashboard/login");
}

@Bean
public AuthenticationProvider authenticationProvider() {
	return new BasicAuthenticationProvider();
}

@Override
public void configure(HttpSecurity http) throws Exception {
	http.authenticationProvider(authenticationProvider())
	.csrf().disable()
	.authorizeRequests()
	.antMatchers("/admin/**").hasAuthority("admin")
	.and()
	.httpBasic();	
}
}

but that didn’t work for me. That’s why i asked on flowable, to get help from someone who has done it.

1 Like

Where did you add that class? Are you trying to do this in the UI apps or in the REST api?

Hi Joram,

No, i added the above code in my own spring-boot app. It worked. The problem was, sometimes grantedAuthorities was coming as “Admin” while sometimes it was coming as “admin” ie sometimes it was coming group names and sometimes group Ids. I tried printing grantedAuthorities, then only i figured out what the problem was. So for now i have added ‘admin’ as well as ‘Admin’ both. I still have to figure out why it was happening.

Thank You,
Arpit Agrawal