jboss-dockerfiles / drools

Readme should suggest alternate user/roles options #16

Closed Shumakriss closed 6 years ago

Shumakriss commented 7 years ago

As always, thanks for the Docker containers! Very helpful!

I would like to suggest adding some alternative options for configuring users and roles. My understanding is that jBPM is delegating this to WildFly, but that one could also write a UserGroupCallback, which I think needs to go in the jBPM WAR.

My goal is to configure against a database. This seems easier with WildFly config than with the UserGroupCallback. I have found an example for pointing standalone.xml to a database within a security-domain but nothing regarding security-realms. I have not found a lot of information about how jBPM relies on security-realms versus security-domains, but from the Readme, it appears to rely on both. I assume life would be easier if we were using LDAP, but in my case, LDAP is not a reliable source of role information.

Any recommendations are appreciated and I will try my best to post back any updates I find!

mswiderski commented 7 years ago

In general, the best way is to rely on the default behavior of jBPM, which delegates to the application server in terms of group/roles information. That is taken from the security context (JACC) that the application server establishes after a successful logon to the system.

Use custom callbacks only if the default one does not meet the requirement. In your case, using WildFly seems a much better approach, as it's rather flexible and supports the majority of user/role stores, with chaining options as well (more than one can be used to retrieve information).