How to build Role Based Access to APIs using flowable inbuilt authentication

Flowable Engine
1

Use case : I have different user groups in my system for which i am building a common dashboard for them. All of user have different access and action privileges(ie they will see different limited information based on their level or can perform limited actions on a process). I have to keep a check on API for roles ie only authorized members can hit that api everyone else gets unauthorized error. I am not able to figure out how can i implement that using the inbuilt flowable authentication.

I tried @Preauthorize over my controllers with argument as ā€œhasRole(ā€˜adminā€™)ā€ but even when i am logged in as fozzie, i dont get unauthorized error. Please anyone can guide me how can i do it?

2

In the future we will implemented this by using an api manager: https://wso2.com/api-management/

The api manager runs as a proxy that does authentication and logging.
You can either add the flowable database as a datasource (never tried that) or connect them both to an ldap datasource.

3

Hi,

You would need to change the default Spring security configuration as well to make this work.
How to do that is a question for Spring security not for Flowable.

Best regards,

Tijs

4

Hi tijs,

Yes i understand that its more of a spring question than flowable question. Actually, after going through this :

I tried something like this :

import org.flowable.rest.security.BasicAuthenticationProvider;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@org.springframework.context.annotation.Configuration
@Order(1)
class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Override
public void configure(WebSecurity web) throws Exception {
	web.ignoring().antMatchers("/login").antMatchers("/dashboard/login");
}

@Bean
public AuthenticationProvider authenticationProvider() {
	return new BasicAuthenticationProvider();
}

@Override
public void configure(HttpSecurity http) throws Exception {
	http.authenticationProvider(authenticationProvider())
	.csrf().disable()
	.authorizeRequests()
	.antMatchers("/admin/**").hasAuthority("admin")
	.and()
	.httpBasic();	
}
}

but that didnā€™t work for me. Thatā€™s why i asked on flowable, to get help from someone who has done it.

1 Like
5

Where did you add that class? Are you trying to do this in the UI apps or in the REST api?

6

Hi Joram,

No, i added the above code in my own spring-boot app. It worked. The problem was, sometimes grantedAuthorities was coming as ā€œAdminā€ while sometimes it was coming as ā€œadminā€ ie sometimes it was coming group names and sometimes group Ids. I tried printing grantedAuthorities, then only i figured out what the problem was. So for now i have added ā€˜adminā€™ as well as ā€˜Adminā€™ both. I still have to figure out why it was happening.

Thank You,
Arpit Agrawal