Required privileges

Hi
I am testing out a custom idm for my springboot project (using Alfresco as an idm source).
I’m wondering what kind of privilege a user needs to be able to make queries for process definitions and task list over REST api?
I have added a user mapping for the access-rest-api privilege but I still get 401 (I even tried access-admin).
I located the config that boots the REST admin user and used that as the inspiration to bootstrap the mappings after the spring context loads but alas to no avail.
Would really appreciate any pointers that can help me solve this.

Hey,

How are you providing the custom IDM to the Flowable engines? This SecurityConfiguration is the place where the access-rest-api is configured.

What does your security configuration look like?

Cheers,
Filip

I literally used the LDAP module for inspiration and am essentially using an auto-configuration class to inject my identityService. Something like so:

import org.flowable.idm.spring.SpringIdmEngineConfiguration;
import org.flowable.spring.boot.EngineConfigurationConfigurer;
import org.flowable.spring.boot.ProcessEngineAutoConfiguration;
import org.flowable.spring.boot.ProcessEngineServicesAutoConfiguration;
import org.flowable.spring.boot.app.AppEngineAutoConfiguration;
import org.flowable.spring.boot.app.AppEngineServicesAutoConfiguration;
import org.flowable.spring.boot.condition.ConditionalOnIdmEngine;
import org.flowable.spring.boot.idm.IdmEngineAutoConfiguration;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.AutoConfigureOrder;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

// AlfrescoConnectionUtil and AlfrescoIdentityServiceImpl are the poster's own classes (same package assumed).
// Only active when an IDM engine is on the classpath and flowable.idm.alfresco.enabled=true.
@Configuration
@ConditionalOnIdmEngine
@ConditionalOnProperty(prefix = "flowable.idm.alfresco", name = "enabled", havingValue = "true", matchIfMissing = false)
@AutoConfigureOrder(Ordered.LOWEST_PRECEDENCE)
@AutoConfigureAfter({
        AppEngineAutoConfiguration.class,
        ProcessEngineAutoConfiguration.class,
})
@AutoConfigureBefore({
        IdmEngineAutoConfiguration.class,
        AppEngineServicesAutoConfiguration.class,
        ProcessEngineServicesAutoConfiguration.class
})
public class FlowableConfiguration extends IdmEngineAutoConfiguration {
    // ...

    // Replaces the IDM engine's default identity service with the Alfresco-backed one.
    @Bean
    public EngineConfigurationConfigurer<SpringIdmEngineConfiguration> alfrescoIdmEngineConfigurer(AlfrescoConnectionUtil connectionUtil) {
        return idmEngineConfiguration -> idmEngineConfiguration
                .setIdmIdentityService(new AlfrescoIdentityServiceImpl(connectionUtil));
    }
}

I didn’t see a security configuration for the LDAP module so I didn’t create one.
I also noticed that only 2 privileges are being created when my process engine boots up,
namely the access-rest-api and the access-admin.

And is there a mapping created between the admin user and the privileges? Are you creating some user during the boot of the application?

Btw you should not extend from a Spring Boot Auto Configuration. You can create your own and that one would be properly picked up.

Yes. I have created groups in my alfresco repo that match, in name, the flowable default privileges such that on boot, my identity service creates the privilege mapping (though the admin user and mapping are always created by the time my bootstrap code runs).
When I inspect the database I see that my users are present and the mapping privileges are also present.

Then everything should work properly. If you are creating your own Spring Boot project and you don’t have a security configuration defined, then perhaps the problem is that the default from Spring Boot is picked up. You would need to define your own with your own logic for it to work properly.

So I should create my own security config to match the one you suggested earlier?
Will give that a go. Thanks for the pointer.

Yes you should create your own that would match your needs

I tried all sorts of configuration for the SecurityConfig and currently have the following Auto config deployed

.... Some code to initialise privileges defined as alfresco groups which actually work and create the privileges.
import org.flowable.spring.boot.condition.ConditionalOnIdmEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// UtilMethods and SecurityConstants are the poster's own helper classes (not shown in the thread).
@Profile("production")
@Configuration
@ConditionalOnIdmEngine
@ConditionalOnProperty(prefix = "flowable.idm.alfresco", name = "enabled", havingValue = "true", matchIfMissing = false)
@AutoConfigureAfter({AlfrescoConnectionUtil.class, AlfrescoIdentityServiceImpl.class})
@Order(710)
@EnableWebSecurity
public class ProdAppWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(ProdAppWebSecurityConfigurer.class);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        UtilMethods.logInfoMsg(logger, "Initialising production web security config.........");

        // Earlier attempt, limited to the /process-api paths (left commented out in the original post):
//        http.csrf().disable()
//            .requestMatchers()
//            .antMatchers("/process-api/**").and()
//            .authorizeRequests()
//            .antMatchers("/runtime/**").hasAuthority(SecurityConstants.PRIVILEGE_ACCESS_REST_API)
//            .antMatchers("/repository/process-definitions/**").hasAuthority(SecurityConstants.PRIVILEGE_ACCESS_REST_API)
//            .and()
//            .httpBasic();

        // Current attempt: every request needs the access-rest-api authority, credentials via HTTP Basic.
        http.csrf().disable()
            .authorizeRequests()
            .anyRequest()
            .hasAuthority(SecurityConstants.PRIVILEGE_ACCESS_REST_API).and().httpBasic();
    }
}

but I am still getting the same 401 results.
I should add that I took my inspiration from the flowable-spring-boot-sample-ldap example.
I should also mention that a symptom of implementing the security configuration is that the admin account is now locked out of making the same request(s), whereas before it wasn’t.
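Added example, not code from any post in this thread and not Flowable's own sample: a minimal Spring Security setup in which a hasAuthority("access-rest-api") rule can actually succeed against a Flowable IDM-backed user base. The point it illustrates is that hasAuthority only looks at the authorities carried by the Authentication object; if the provider that verifies the HTTP Basic credentials never loads the Flowable privileges (or is never registered, so Spring Boot's default user store answers instead), every request ends in 401 no matter what the privilege mapping table contains. A 401 from httpBasic means authentication itself failed; a user who authenticates but lacks the privilege receives 403 instead, which is the first thing worth checking when diagnosing this. Assumptions: Spring Security 5.x with WebSecurityConfigurerAdapter as in the posts above, an IdmIdentityService bean available for injection (the thread's Alfresco-backed identity service would sit behind it), the Flowable IDM query API (createUserQuery, checkPassword, createPrivilegeQuery, createGroupQuery), and the privilege name "access-rest-api" exactly as used in the thread. The class names FlowableIdmAuthenticationProvider and RestApiSecurityConfiguration are hypothetical.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.flowable.idm.api.Group;
import org.flowable.idm.api.IdmIdentityService;
import org.flowable.idm.api.User;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

// Hypothetical class: verifies HTTP Basic credentials through the Flowable IdmIdentityService and
// turns the user's privileges (direct and inherited through groups) into Spring Security authorities.
@Component
public class FlowableIdmAuthenticationProvider implements AuthenticationProvider {

    // Privilege name exactly as used in the thread.
    static final String ACCESS_REST_API = "access-rest-api";

    private final IdmIdentityService idmIdentityService;

    public FlowableIdmAuthenticationProvider(IdmIdentityService idmIdentityService) {
        this.idmIdentityService = idmIdentityService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String userId = authentication.getName();
        Object credentials = authentication.getCredentials();
        String rawPassword = credentials == null ? null : credentials.toString();

        User user = idmIdentityService.createUserQuery().userId(userId).singleResult();
        // One failure message for unknown user and wrong password: the 401 must not reveal which it was.
        if (user == null || rawPassword == null || !idmIdentityService.checkPassword(userId, rawPassword)) {
            throw new BadCredentialsException("Bad credentials");
        }
        // The three-argument constructor marks the token authenticated; the password is not kept on it.
        return new UsernamePasswordAuthenticationToken(userId, null, loadAuthorities(userId));
    }

    // Union of the privileges mapped to the user and of those mapped to any of the user's groups.
    List<GrantedAuthority> loadAuthorities(String userId) {
        Set<String> names = new LinkedHashSet<>();
        idmIdentityService.createPrivilegeQuery().userId(userId).list().forEach(p -> names.add(p.getName()));
        List<String> groupIds = idmIdentityService.createGroupQuery().groupMember(userId).list()
                .stream().map(Group::getId).collect(Collectors.toList());
        if (!groupIds.isEmpty()) {
            idmIdentityService.createPrivilegeQuery().groupIds(groupIds).list().forEach(p -> names.add(p.getName()));
        }
        return names.stream().<GrantedAuthority>map(SimpleGrantedAuthority::new).collect(Collectors.toList());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

// Hypothetical class: registers the provider above and guards the REST endpoints by privilege.
@Configuration
@EnableWebSecurity
class RestApiSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private final FlowableIdmAuthenticationProvider provider;

    RestApiSecurityConfiguration(FlowableIdmAuthenticationProvider provider) {
        this.provider = provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // Without this, Spring Boot's default user store answers the Basic challenge and real users get 401.
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                // /process-api/** covers the process-definition and task endpoints discussed in the thread.
                .antMatchers("/process-api/**").hasAuthority(FlowableIdmAuthenticationProvider.ACCESS_REST_API)
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

With this in place, a request with valid credentials for a user whose own or group privilege mapping includes access-rest-api reaches the controller; valid credentials without that mapping yield 403, and only bad or missing credentials yield 401. Note that the admin user is subject to the same rule, so it needs the same privilege mapping rather than special treatment.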

Hello DarkStar1,
Have you finally succeeded in developing your Alfresco idm?

Jc

Not yet.
I’m returning to it tomorrow to try and resolve this issue with the privileges.
Once it’s then battle tested, I’ll mirror the code onto Github (or the OOTB repo).
So perhaps next week sometime.

Hello,
I can help, test…

Don’t hesitate, I’m willing to help, I have the same concerns. I’m using the LDAP connector for the moment but it’s a little limited without subgroup support. If implemented in Alfresco, it can be done easily.

Thanks,

JC

Currently testing. Will get back to you as soon as I’ve verified it is working.

Cool. I’m eager to test it

JC