Why set groups in AuthenticationResult

hanscrg · April 1, 2021, 4:21am

The sample code SpringSecurityAuthenticationProvider.java at the link below,

camunda-consulting/code/blob/master/snippets/springboot-security-sso/src/main/java/com/camunda/demo/filter/webapp/SpringSecurityAuthenticationProvider.java

package com.camunda.demo.filter.webapp;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.impl.ContainerBasedAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

import javax.servlet.http.HttpServletRequest;
import java.util.List;
import java.util.stream.Collectors;

public class SpringSecurityAuthenticationProvider extends ContainerBasedAuthenticationProvider {

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        if (authentication == null) {

This file has been truncated. show original

there is a line which sets the groups in AuthenticationResult.

My understanding is that the user/group information comes from either existing Identity service which eventually come from Camunda user/group tables or customized identity service. We need to set user name to indicate which user authenticated. Then why set groups in AuthenticationResult? Does Camunda do the authorization based on the group info from AuthenticationResult or from user’s group membership which is from Identify Service (Camunda DB or external IDM)?

system · January 30, 2024, 12:59pm