
Rest Endpoint Security Override

Question asked by paulrda on Sep 15, 2016
Latest reply on Sep 19, 2016 by paulrda
We are using Activiti Enterprise version 1.4.1. To improve our security we are planning to use token-based authentication for the public REST endpoints, which are secured using Basic Authentication. I'm new to Activiti development, so I referred to the developer documentation and now need to override the REST endpoint Basic Authentication security. As explained in the developer documentation section "12.1.1. REST Endpoints security override", I managed to create an extension, but for testing purposes I reimplemented Basic Authentication. I followed these steps:
1. Created a Spring Boot project
2. Added the necessary dependencies
3. Created the package com.activiti.extension.bean
4. Created a class and implemented AlfrescoApiSecurityOverride

MySecurityOverride

public class MySecurityOverride implements AlfrescoApiSecurityOverride {

    @Bean
    public AuthenticationProvider authenticationProvider() {
      return new MyAuthenticationProvider();
    }
   
   public void configure(HttpSecurity http) throws Exception {
          http
        .authenticationProvider(authenticationProvider())
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .csrf().disable()
        .authorizeRequests()
          .anyRequest().authenticated()
          .and()
        .httpBasic();      
   }
}


MyAuthenticationProvider class
(For testing purposes I implemented Basic Authentication)

public class MyAuthenticationProvider implements AuthenticationProvider{

     @Autowired
     private IdentityService identityService;
    
   public Authentication authenticate(Authentication authentication) throws AuthenticationException {

         String name = authentication.getName();
         String password = authentication.getCredentials().toString();

         boolean authenticated = identityService.checkPassword(name, password);
         List<String> userkeys = identityService.getUserInfoKeys("admin@app.activiti.com");
         if (authenticated) {
           List<Group> groups = identityService.createGroupQuery().groupMember(name).list();
           Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
           for (Group group : groups) {
               grantedAuthorities.add(new SimpleGrantedAuthority(group.getId()));
           }
           identityService.setAuthenticatedUserId(name);
          
           //GrantedAuthorityImpl grantedAdmin = new GrantedAuthorityImpl("ROLE_ADMIN");
           //Collection<GrantedAuthority> grantedtest = new ArrayList();
           //grantedtest.add(grantedAdmin);
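           // Return the authorities built from the user's groups above (grantedtest is commented out and undefined)
           return new UsernamePasswordAuthenticationToken(name, password, grantedAuthorities);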
         } else {
           throw new BadCredentialsException("Authentication failed for this username and password");
         }
   }

   public boolean supports(Class<?> authentication) {
      Boolean returnval = authentication.equals(UsernamePasswordAuthenticationToken.class);
      return returnval;
   }
}


Problem is:
After implementing the AlfrescoApiSecurityOverride interface I can't log in to the system using the Activiti-app login page. The browser gives a login prompt for a username and password at the login page. After entering credentials in the browser login prompt I can go to the Activiti home page. If I want to log out from the system, it gives this error. It seems like I can't override only the public REST API endpoint security using the AlfrescoApiSecurityOverride interface.
org.springframework.web.servlet.PageNotFound  - No mapping found for HTTP request with URI [/activiti-app/app/logout] in DispatcherServlet with name 'appDispatcher'


Right now I'm focusing on isolating the Activiti public REST API endpoint security. I only want to override the security of the public REST APIs. Did I miss something? Could you guide me to solve this problem?

Best Regards
Paul


