Authentication without REST

Question asked by gant on Jul 15, 2011

Using the REST-API, the user has to login to do any action on the engine. As I have seen, no authentication/authorisation at all is needed when using the Java-API directly. I'd like to achieve the following goals:

  • Only existing users can start process instances and the userId is stored in START_USER_ID_ of act_hi_procinst (value is null, if I start an instance through the API).

  • Only the user assigned to a task can complete a task (and some admin users with special permissions)

Any suggestions on how to do this best would be appreciated.

In Javadoc I read about the method checkPassword(userId,pwd), that I could use, to check, if a user exists (to authenticate it). Then I could use setAuthenticatedUser(userId), which would cause that START_USER_ID_ would be set, if I understand this correctly. But how to prevent unauthorized users from starting instances and how to prevent completing of tasks by 'guerilla-users'?
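One way to meet both goals when the engine is embedded, as an added example that is not from gant's post or from the Activiti project: route every call through a facade that checks the caller with checkPassword, sets the authenticated user only for the duration of the call (so START_USER_ID_ is filled and the thread-local identity never leaks to the next caller), and lets only the task's assignee or a member of an admin group complete it. The facade class, its method names and the `admin` group id are hypothetical; the engine calls used (checkPassword, setAuthenticatedUserId, startProcessInstanceByKey, createTaskQuery, complete, createGroupQuery) are the Activiti 5 Java API.

```java
import org.activiti.engine.IdentityService;
import org.activiti.engine.ProcessEngine;
import org.activiti.engine.RuntimeService;
import org.activiti.engine.TaskService;
import org.activiti.engine.runtime.ProcessInstance;
import org.activiti.engine.task.Task;
/** Hypothetical facade: application code calls this instead of the raw engine services. */
public class AuthenticatedEngineFacade {
    private static final String ADMIN_GROUP = "admin"; // assumed group id for privileged users
    private final IdentityService identityService;
    private final RuntimeService runtimeService;
    private final TaskService taskService;
    public AuthenticatedEngineFacade(ProcessEngine engine) {
        identityService = engine.getIdentityService();
        runtimeService = engine.getRuntimeService();
        taskService = engine.getTaskService();
    }
    // Verify the caller against the engine's identity tables; fail closed on unknown user or bad password.
    private void authenticate(String userId, String password) {
        if (userId == null || password == null || !identityService.checkPassword(userId, password)) {
            throw new SecurityException("authentication failed");
        }
        identityService.setAuthenticatedUserId(userId); // thread-local; fills START_USER_ID_ on start
    }
    public ProcessInstance startProcess(String userId, String password, String processKey) {
        authenticate(userId, password);
        try {
            return runtimeService.startProcessInstanceByKey(processKey);
        } finally {
            identityService.setAuthenticatedUserId(null); // never leak the identity to the next caller on this thread
        }
    }
    public void completeTask(String userId, String password, String taskId) {
        authenticate(userId, password);
        try {
            Task task = taskService.createTaskQuery().taskId(taskId).singleResult();
            if (task == null || (!userId.equals(task.getAssignee()) && !isAdmin(userId))) {
                throw new SecurityException("user " + userId + " may not complete task " + taskId);
            }
            taskService.complete(taskId);
        } finally {
            identityService.setAuthenticatedUserId(null);
        }
    }
    // Admin check: membership of the (assumed) admin group, looked up in the engine's own identity tables.
    private boolean isAdmin(String userId) {
        return identityService.createGroupQuery().groupId(ADMIN_GROUP).groupMember(userId).count() > 0;
    }
}
```

The enforcement only holds if the raw RuntimeService and TaskService are not reachable from application code, so keep them private to the facade.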