Authorization header - Activiti REST

sonalik
Member II

Authorization header - Activiti REST

Hi Team,

I have a query regarding Authorization header set for every Activiti-rest API call.

As per the user guide, this header is mandatory for rest calls, or we can pass uname:pass along with the url.
Is there any way we can skip this and directly make the rest call by hitting the url without Authorization or uname:pass?

We have a requirement for same.

Looking forward for your support as always.

Thanks.

3 Replies
gdharley
Intermediate

Re: Authorization header - Activiti REST

You can easily disable the need for authorization by updating the Spring Security configuration.

If you are using Community Edition (e.g. 5.22.0) this is simply a matter of opening the following file:

activiti-webapp-rest2/src/main/java/org/activiti/rest/conf/SecurityConfiguration.java

Now change the following :

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authenticationProvider(authenticationProvider())
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .csrf().disable()
        .authorizeRequests()
            .anyRequest().authenticated()   // every REST call must carry credentials
            .and()
        .httpBasic();                       // credentials arrive as an HTTP Basic Authorization header
}

To:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authenticationProvider(authenticationProvider())
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .csrf().disable()
        .authorizeRequests().anyRequest().permitAll();   // no Authorization header required any more
}

If you are using Enterprise Edition, you will need to build your own activiti-app war using the embedded-example available in the product download page. Once you have your custom app, you can customize the security configuration the same way as above.

Hope this helps,
Greg

sonalik
Member II

Re: Authorization header - Activiti REST

Thanks for the solution. It worked for me. But at the same time I am facing another issue related to "initiator".

I have created a process definition, where for the start event I have set the initiator. So when the Authorization header was set, the initiator was automatically assigned to the user mentioned in the header.

For example below is the sample json POST request to start a process:-

Authorization:kermit/kermit

{
"processDefinitionKey":"sample-process",
"businessKey":"sample123"
}

Here the initiator=kermit (automatically set)

But now when the header is not set, I am not able to set the initiator (or not able to start the process using a user):

{
"processDefinitionKey":"sample-process",
"businessKey":"sample123"
}

I tried setting "initiator" in the 2nd json call but the process started with blank START_USER_ID_ (DB column in act_hi_procinst table)

Can you please help which additional attribute is required in the JSON call in order to set the starter/initiator for a process instance?

Looking forward for your support as always.

Thanks,

Sonali

gdharley
Intermediate

Re: Authorization header - Activiti REST

Ok, so you have run across the downside of not requiring authorization.

The createProcessInstance method (used to start an instance) takes the "initiator" from the Activiti Authentication provider.

    // the engine reads the current user from its thread-local Authentication holder
    String authenticatedUserId = Authentication.getAuthenticatedUserId();
    String initiatorVariableName = (String) getProperty(BpmnParse.PROPERTYNAME_INITIATOR_VARIABLE_NAME);

    // the "initiator" process variable is only set when a user is known
    if (initiatorVariableName != null) {
      processInstance.setVariable(initiatorVariableName, authenticatedUserId);
    }

    // the STARTER identity link (and START_USER_ID_) is skipped when no user is authenticated
    if (authenticatedUserId != null) {
      processInstance.addIdentityLink(authenticatedUserId, null, IdentityLinkType.STARTER);
    }

So, if you don't have any authentication you will need another way of setting the current user. Perhaps a header.

Then, you will need to add your own custom Authentication and userdetails service.

Unfortunately, you can't have it both ways.

Greg
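As an added illustration of the "perhaps a header" approach Greg describes (example code, not from this thread or from the Activiti project): a servlet filter that populates the engine-side Authentication holder read by the createProcessInstance snippet above, so that the initiator variable and the STARTER link are filled in even though Spring Security is set to permitAll(). The header name X-Activiti-User and the accepted identifier pattern are assumptions.

```java
// Added example, not Activiti's own code. Sets Activiti's thread-local authenticated
// user from a request header so "initiator" / START_USER_ID_ are populated without
// an Authorization header. The header name and id pattern are assumptions.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.activiti.engine.impl.identity.Authentication;

public class HeaderInitiatorFilter implements Filter {

  // Hypothetical header name. Because nothing authenticates it, the REST endpoint must
  // only be reachable through a trusted gateway that sets this header itself and strips
  // any copy sent by the outside caller; otherwise any client can pick any initiator.
  static final String USER_HEADER = "X-Activiti-User";

  // Accept plain identifiers only, so a malformed header cannot push odd values into
  // the START_USER_ID_ column or the identity link table.
  private static final Pattern USER_ID = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    String userId = null;
    if (req instanceof HttpServletRequest) {
      String header = ((HttpServletRequest) req).getHeader(USER_HEADER);
      if (header != null && USER_ID.matcher(header).matches()) {
        userId = header;
      }
    }
    // Authentication is a ThreadLocal: clear it in finally, or a pooled thread would
    // carry the previous request's user over to the next one.
    Authentication.setAuthenticatedUserId(userId);
    try {
      chain.doFilter(req, res);
    } finally {
      Authentication.setAuthenticatedUserId(null);
    }
  }

  @Override public void init(FilterConfig filterConfig) {}
  @Override public void destroy() {}
}
```

Register it in the SecurityConfiguration shown above with http.addFilterBefore(new HeaderInitiatorFilter(), BasicAuthenticationFilter.class), or as an ordinary servlet filter in front of the REST servlet; requests without the header still start the process, but with a blank initiator, exactly as in the second JSON call above.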