We are using the process engine embedded in a Spring Boot application, and are starting to add method-level authorization annotations (e.g., @PreAuthorize) to our service layers.
- If an end user submits a task, and there is no “async after” configured in the process definition, will Spring’s security context be propagated to any service task/listener/… that occurs after the user task (until another wait state is encountered, of course)?
- For a user task with an “async after”, are output parameters and end listeners part of the task submit? Will they be executed within the security context of the original user?
- If there is an “async after”, and the job executor kicks in, is it possible to inject a security context, such that service tasks/listeners can invoke secured methods?
- Is there any documentation, examples, best practices, etc. on combining the Camunda process engine with Spring Security?
Note that I am not asking about integrating the webapps (Cockpit, Tasklist) with Spring Security or implementing a custom IdentityProvider.