Activiti Explorer <-> PDP Server

Jun 14, 2012

First I thought about posting this into the Explorer-Forum-Part, but since I have to jump deep into the source code and I have to add some parts, I decided to put it here.

So what I am planning to do, is to secure all actions of users inside the activiti explorer through a PDP-Server.
My current work is to prevent users from seeing tasks in the task inbox page if they are not allowed to claim or complete the task. If I only used the rules Activiti provides (e.g. assignee, candidate, group), no changes would be needed. But…

I have added Separation of Duty to the Activiti diagram as a security rule and need to enforce this at runtime, too.
So a user starts a process with two tasks, A and B, which have to be executed by two different users. Basically he is allowed to execute A and B, because he is a member of the needed group. But, if he claims A, I want to let B disappear from the inbox page, and the other way round, too, of course.

Right now I am trying to find the right spot in the source code to place my Java Service Loader, which will send an evaluation request to the PDP.
I think the class InboxPage of the Explorer is a good start, but I am not quite sure which method actually fills the list for the logged-in user by checking his group memberships. So far I only found the InboxListQuery, which checks for assigned users…

I know this is a very special issue, but maybe it's an interesting approach for you guys, too ;)
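An added illustration (not code from the Activiti project or from this post) of the filtering step the post describes: a `java.util.ServiceLoader`-discovered PDP contract, a local Separation-of-Duty stand-in for the PDP, and an inbox filter that drops tasks the PDP would not let the user claim. `PdpClient`, `TaskView`, `LocalSodPdp` and `InboxFilter` are hypothetical names, not Activiti classes; the real Explorer query would supply the task lists, and the sample tasks are constructed. Assumes Java 16+ (records).

```java
import java.util.*;

// Hypothetical minimal view of an inbox entry (not Activiti's Task interface).
record TaskView(String id, String processInstanceId, String definitionKey, String assignee) {}

// Hypothetical PDP contract; a real implementation would send an evaluation request
// to the PDP server and map its decision to a boolean.
interface PdpClient {
    boolean permitClaim(String user, TaskView task, List<TaskView> claimedInSameProcess);
}

// Local stand-in used for the demo: Separation of Duty says a user who already holds
// one SoD-bound task in a process instance may not claim another SoD-bound task there.
final class LocalSodPdp implements PdpClient {
    private final Set<String> sodKeys;
    LocalSodPdp(Set<String> sodKeys) { this.sodKeys = sodKeys; }
    public boolean permitClaim(String user, TaskView task, List<TaskView> claimed) {
        if (!sodKeys.contains(task.definitionKey())) return true;
        for (TaskView t : claimed)
            if (!t.id().equals(task.id()) && user.equals(t.assignee()) && sodKeys.contains(t.definitionKey()))
                return false; // the user already claimed another SoD task in this process
        return true;
    }
}

final class InboxFilter {
    private final PdpClient pdp;
    InboxFilter(PdpClient pdp) { this.pdp = pdp; }

    // Picks the PdpClient registered in META-INF/services/PdpClient, else the fallback.
    static PdpClient loadPdp(PdpClient fallback) {
        Iterator<PdpClient> it = ServiceLoader.load(PdpClient.class).iterator();
        return it.hasNext() ? it.next() : fallback;
    }

    // candidates: tasks the user may see by group membership; allTasks: every open task.
    List<TaskView> visibleFor(String user, List<TaskView> candidates, List<TaskView> allTasks) {
        List<TaskView> visible = new ArrayList<>();
        for (TaskView task : candidates) {
            List<TaskView> claimed = new ArrayList<>();
            for (TaskView t : allTasks)
                if (t.assignee() != null && t.processInstanceId().equals(task.processInstanceId())) claimed.add(t);
            if (pdp.permitClaim(user, task, claimed)) visible.add(task);
        }
        return visible;
    }

    public static void main(String[] args) {
        // Constructed sample: process p1 has task A (already claimed by alice) and task B (open).
        TaskView a = new TaskView("t1", "p1", "A", "alice"), b = new TaskView("t2", "p1", "B", null);
        InboxFilter f = new InboxFilter(loadPdp(new LocalSodPdp(Set.of("A", "B"))));
        // alice holds A in p1, so the SoD rule removes B from her inbox but not from bob's.
        System.out.println(f.visibleFor("alice", List.of(b), List.of(a, b)));
        System.out.println(f.visibleFor("bob", List.of(b), List.of(a, b)));
    }
}
```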

