Embedded camunda-engine Authorization


#1

Hello.

I have a Java application with an embedded Camunda engine, deployed on WildFly, to implement a custom API.

I have enabled Basic Auth in web.xml and integrated WildFly with LDAP.
Everything is good and auth works perfectly, but I want to use Camunda's authorization manager to authorize requests.

Problem is that Context.getCommandContext() returns null.

Below is my configuration:

public class AlcyoneApplication extends Application {

    @Override
    public Set<Class<?>> getClasses() {
        Set<Class<?>> classes = new HashSet<Class<?>>();

        classes.addAll(CamundaRestResources.getResourceClasses());
        classes.addAll(CamundaRestResources.getConfigurationClasses());


//        add every custom rest-endpoints here
        classes.add(CustomTaskDefinitionController.class);
        classes.add(CustomTaskController.class);

        return classes;
    }
}


public class AlcyoneProcessEngineProvider implements ProcessEngineProvider {

    public ProcessEngine getDefaultProcessEngine() {
        return ProcessEngines.getDefaultProcessEngine();
    }

    public ProcessEngine getProcessEngine(String name) {
        return ProcessEngines.getProcessEngine(name);
    }

    public Set<String> getProcessEngineNames() {
        return ProcessEngines.getProcessEngines().keySet();
    }

}

I use this code to authorize request in jaxrs endpoint:

@Path("/task-custom")
@Produces({MediaType.APPLICATION_JSON})
@Consumes({MediaType.APPLICATION_JSON})
public class CustomTaskController {

    @POST
    @Path("")
    public Response getTasksCustom(@QueryParam("firstResult") Integer firstResult,
                                   @QueryParam("maxResults") Integer maxResults,
                                   TaskQueryCustomDto queryDto) {

        Context.getCommandContext().getSession(AuthorizationManager.class)
                                             .checkAuthorization(Permissions.READ, Resources.TASK, Authorization.ANY);

        ....

        return Response.status(HttpStatus.SC_OK).entity(null).build();
    }
}

And here is the problem: Context.getCommandContext() == null


#2

Hi @Lasha_Gureshidze,

Context#getCommandContext and all the rest is internal API, and in particular is not supposed to work in the way you use it. I recommend using AuthorizationService#isUserAuthorized instead to check if a user is allowed to perform a certain action.

Cheers,
Thorben
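
A sketch of the check suggested in #2, written with the public AuthorizationService instead of the internal Context API. It is an added example, not code from either poster. It assumes a javax-based JAX-RS runtime, that the container principal name equals the Camunda user id, and that the engine's identity service can resolve the user's groups (for example through an LDAP identity provider plugin).

```java
import java.security.Principal;
import java.util.List;
import java.util.stream.Collectors;

import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngines;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.identity.Group;

@Path("/task-custom")
@Produces(MediaType.APPLICATION_JSON)
public class CustomTaskController {

    @POST
    public Response getTasksCustom(@Context SecurityContext securityContext) {
        // Identity established by the container (Basic Auth against LDAP).
        Principal principal = securityContext.getUserPrincipal();
        if (principal == null) {
            // Fail closed: no authenticated caller, no authorization check.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        String userId = principal.getName(); // assumption: same id as in Camunda
        ProcessEngine engine = ProcessEngines.getDefaultProcessEngine();

        // Assumption: group membership is resolvable through the identity service.
        List<String> groupIds = engine.getIdentityService().createGroupQuery()
                .groupMember(userId).list().stream()
                .map(Group::getId).collect(Collectors.toList());

        // Public API check: READ permission on the TASK resource.
        boolean allowed = engine.getAuthorizationService()
                .isUserAuthorized(userId, groupIds, Permissions.READ, Resources.TASK);
        if (!allowed) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // ... run the task query only after the check has passed
        return Response.ok().build();
    }
}
```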