Spring security context for the job executor


#1

Hi,

We are using the process engine embedded in a spring boot application, and are starting to add method-level authorization annotations (e.g., @PreAuthorize) to our service layers.

My questions:

  • If an end user submits a task, and there is no “async after” configured in the process definition, will spring’s security context be propagated to any service task/listener/… that occurs after the user task (until another wait state is encountered, of course)?
  • For a user task with an “async after”, are output parameters and end listeners part of the task submit? Will they be executed within the security context of the original user?
  • If there is an “async after”, and the job executor kicks in, is it possible to inject a security context, such that service tasks/listeners can invoke secured methods?
  • Is there any documentation, examples, best practices, etc. on combining the Camunda process engine with Spring security?

Note that I am not asking about integrating the webapps (cockpit, tasklist) with spring security or implementing a custom IdentityProvider.

Thanks


#2

Hi @stijn.timbermont,

In Camunda you have to call identityService.setAuthenticatedUserId() to set the userId for the executed command. Then the user task will be saved with the userid in the history. I haven't used spring security with the annotation, my experience comes from this example: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-rest-api-basic-auth.

The userid is stored in a threadLocal variable which is removed with the commit in the database. If there is an async after, a different thread without user authentication will pick up and execute the work for the following tasks. You can find the borders of the async after (and before) here: https://docs.camunda.org/manual/7.9/user-guide/process-engine/transactions-in-processes/#understand-asynchronous-continuations. Output parameters and end listeners are part of the service execution and the state will be persisted afterwards.

Here is a repository that implements single sign on with the help of spring security: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso. Maybe it's a useful inspiration.

Hope this helps, Ingo
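The two points above (the engine's thread-local user id has to be set per command and is gone on a job executor thread) can be shown in code. The following is an added example, not code from either post, from Camunda, or from the linked camunda-consulting snippets. It assumes a Spring Boot application with the embedded engine and method security enabled; the class names, the `InvoiceService` bean and its `APPROVE_INVOICE` authority, and the process variable `initiator` are all invented for the illustration. The service wraps the task submission so the Spring principal is copied into the engine for exactly one command and cleared afterwards; the delegate detects whether it runs on the submitting thread (synchronous continuation, user context still present) or on a job executor thread (no context) and, in the latter case, runs under a dedicated technical principal with only the authority the step needs rather than impersonating the original user.

```java
// Added example, not part of the original forum thread. Names, the "initiator"
// variable and the APPROVE_INVOICE authority are assumptions for illustration.
package example.security;

import java.util.Map;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.TaskService;
import org.camunda.bpm.engine.delegate.DelegateExecution;
import org.camunda.bpm.engine.delegate.JavaDelegate;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/** Hypothetical secured service layer; the annotation is what the question is about. */
@Service
class InvoiceService {
    @PreAuthorize("hasAuthority('APPROVE_INVOICE')")
    public void approve(String processInstanceId, String initiator) {
        // business logic; "initiator" is data about who submitted the task, not the caller identity
    }
}

/** Copies the Spring Security principal into the engine's thread-local for one command. */
@Service
public class TaskSubmissionService {
    private final IdentityService identityService;
    private final TaskService taskService;

    public TaskSubmissionService(IdentityService identityService, TaskService taskService) {
        this.identityService = identityService;
        this.taskService = taskService;
    }

    public void complete(String taskId, Map<String, Object> variables) {
        Authentication caller = SecurityContextHolder.getContext().getAuthentication();
        if (caller == null || !caller.isAuthenticated()) {
            throw new IllegalStateException("task completion requires an authenticated caller");
        }
        // Engine-side user id for this command only (history, task audit).
        identityService.setAuthenticatedUserId(caller.getName());
        try {
            // Without "async after", listeners and delegates following the user task run on this
            // thread, so they see both the engine user id and the Spring SecurityContext.
            taskService.complete(taskId, variables);
        } finally {
            // The engine value is thread-local; clear it so a pooled thread cannot carry it into
            // the next request.
            identityService.clearAuthentication();
        }
    }
}

/** Delegate that works both on the submitting thread and on a job executor thread. */
@Component("approvalDelegate")
public class ApprovalDelegate implements JavaDelegate {
    private final InvoiceService invoiceService;

    public ApprovalDelegate(InvoiceService invoiceService) {
        this.invoiceService = invoiceService;
    }

    @Override
    public void execute(DelegateExecution execution) {
        // Assumed: set as a process variable at start from the authenticated user.
        String initiator = (String) execution.getVariable("initiator");
        Authentication caller = SecurityContextHolder.getContext().getAuthentication();

        if (caller != null && caller.isAuthenticated()) {
            // Same thread as the task submission: the user's own authorities decide.
            invoiceService.approve(execution.getProcessInstanceId(), initiator);
            return;
        }

        // Job executor thread: no user context exists here (see the answer above). Run as an
        // explicitly named technical principal holding only this step's authority; keep the
        // original user as data, do not re-create their identity on a background thread.
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(new UsernamePasswordAuthenticationToken(
                "camunda-job-executor", null,
                AuthorityUtils.createAuthorityList("APPROVE_INVOICE")));
        SecurityContextHolder.setContext(ctx);
        try {
            invoiceService.approve(execution.getProcessInstanceId(), initiator);
        } finally {
            // Job executor threads are pooled; never leave the technical context behind.
            SecurityContextHolder.clearContext();
        }
    }
}
```

For the `@PreAuthorize` check to be enforced at all, method security must be switched on in the application configuration (`@EnableGlobalMethodSecurity(prePostEnabled = true)` in Spring Security 5, `@EnableMethodSecurity` in Spring Security 6); without it the annotation is silently ignored and the delegate would appear to work in both branches. Keeping the technical principal's authority list minimal and distinct from any real user's roles makes it visible in audit logs which approvals were performed asynchronously.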