Activiti REST Webapp LDAP and Role Authorization

Question asked by gregdavisfromnj on Aug 29, 2014
Latest reply on Aug 30, 2014 by jbarrez
The User Guide shows how to set up LDAP integration for both the Explorer and REST web apps in Chapter 17. I've succeeded in configuring LDAP authentication for the REST web app against my local ActiveDirectory. Great. The User Guide shows how to map Explorer groups/roles to LDAP groups, to provide a multi-level authorization once authenticated.

But, I don't see how to do the same for the REST web app.

That is, once a user's Basic Auth credentials are authenticated via LDAP, any user in the LDAP directory can execute a REST request. Ideally, I'd like to specify an LDAP group which has privilege to the REST web app. It seems like that would be analogous to the Explorer "admin group". Any LDAP user which is not in that LDAP group would get some kind of "forbidden" or 401 error.

Is this possible? It sounds pretty basic, and not too fancy.

Creating an OU in the LDAP hierarchy specific to ActivitiAdmins and tweaking the baseDn in the Spring configs for the REST web app appropriately might work, but seems like a pretty heavy-handed manipulation on the LDAP directory. That would be a step towards having a separate username/password for each application a person wanted to use, rather than a common username/password to identify the same client thing (a person or another application).
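The group check the question describes, written as an added example that is not code from this thread or from the Activiti project: a Spring Security Java configuration that authenticates Basic Auth credentials against LDAP and then only authorizes members of one LDAP group, without moving anyone in the directory. The LDAP URL, service account, search bases, group name and the `/service/**` path pattern are assumptions.

```java
// Added example (hypothetical config, not Activiti's own): LDAP authentication
// followed by group-based authorization. Every DN, URL and path here is assumed.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class RestLdapSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.ldapAuthentication()
        // Authentication: find the user by account name and bind with the supplied password.
        .userSearchBase("ou=users")
        .userSearchFilter("(sAMAccountName={0})")
        // Authorization data: groups listing the user's DN as a member become
        // authorities named ROLE_<group cn, upper-cased>.
        .groupSearchBase("ou=groups")
        .groupSearchFilter("(member={0})")
        .rolePrefix("ROLE_")
        .contextSource()
          .url("ldap://ad.example.test:389/dc=example,dc=test")   // assumed directory
          .managerDn("cn=svc-activiti,ou=service,dc=example,dc=test") // assumed bind account
          .managerPassword("changeit");                                // externalize in practice
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and().authorizeRequests()
          // Being a valid LDAP user is not enough: the caller must be in the
          // (assumed) "activiti-rest" group, which the populator maps to this authority.
          .antMatchers("/service/**").hasAuthority("ROLE_ACTIVITI-REST")
          .anyRequest().denyAll()
        .and().httpBasic();
  }
}
```

With this in place a caller with bad credentials gets 401 from the Basic Auth entry point, while a correctly authenticated LDAP user outside the group gets 403, which is the "forbidden" behaviour the question asks for.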