plexiti / camunda-grails-plugin

Integrates Camunda BPM with the Grails framework.
http://grails.org/plugin/camunda
Apache License 2.0

IdentityService - how to integrate with Spring Security #40

Closed erickmelo closed 9 years ago

erickmelo commented 9 years ago

The opportunity to integrate Camunda to Grails through a plugin is amazing. However, the integration of its provided services with a Grails application is not fully clear. Usually other plugins, such as Spring Security Core, are used in projects. I didn't find information in the docs about how to integrate IdentityService with the authentication provider available in the Grails application (either Spring Security or another).

Does this integration exist natively in the camunda plugin? If not, it would be relevant to point the way to how to implement it.

martinschimak commented 9 years ago

Hi Erick,

Many thx for your comment. But no, there does not exist any such integration so far. And: I haven't yet dug into that topic myself. If you want to use camunda's identityService behind Spring Security's Authentication, I assume that you would need to implement and configure your own AuthenticationProvider and internally use camunda's identityService to perform user/group lookup through it. Having said that, also be aware that all of camunda's engine API looks at users and groups as simple strings. So, for your own process application using the camunda engine just backstage (and independent from camunda tasklist) you could also use your spring security authentication totally independent from camunda and reference its users and groups e.g. from your process definition (e.g. via camunda:assignee attributes etc). It's then up to yourself to read and use those values according to the needs of your application.

In case you dig deeper into all that, I'd be happy if you keep me updated about your findings!

Greetings, Martin.
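
One way to implement the approach suggested in the comment above, added here as an example (it is not code from the plugin, from camunda, or from any participant in this thread): a Spring Security AuthenticationProvider that delegates the password check and group lookup to camunda's IdentityService. The class name and the mapping of group ids to `ROLE_` authorities are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.identity.Group;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Hypothetical class name; register it as a Spring Security authentication provider bean.
public class CamundaIdentityAuthenticationProvider implements AuthenticationProvider {

    private final IdentityService identityService;

    public CamundaIdentityAuthenticationProvider(IdentityService identityService) {
        this.identityService = identityService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String userId = authentication.getName();
        Object credentials = authentication.getCredentials();
        String password = credentials == null ? "" : credentials.toString();
        // Reject empty input before it reaches the identity backend, and return the same
        // error for an unknown user and a wrong password so user ids cannot be enumerated.
        if (userId == null || userId.isEmpty() || password.isEmpty()
                || !identityService.checkPassword(userId, password)) {
            throw new BadCredentialsException("Bad credentials");
        }
        // camunda exposes groups as plain string ids; map each one to an authority (assumed mapping).
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Group group : identityService.createGroupQuery().groupMember(userId).list()) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + group.getId().toUpperCase(Locale.ROOT)));
        }
        // The three-argument constructor yields an authenticated token; the password is not retained.
        return new UsernamePasswordAuthenticationToken(userId, null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```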

erickmelo commented 9 years ago

Hi Martin,

Thank you for your answer. Do other Camunda services use IdentityService internally? I have a custom service that implements methods similar to the IdentityService that is used by other application components.

Could I, for example, just ignore the existence of IdentityService (stop using it)? Or do other services depend on it?

Currently we have a BPMN integration into our application through the Activiti plugin. In this case we have a class that implements org.activiti.engine.impl.interceptor.SessionFactory. However, we are evaluating migrating our backend BPMN to Camunda.

meyerdan commented 9 years ago

Hi all,

you can implement a custom identity service: http://docs.camunda.org/latest/guides/user-guide/#process-engine-identity-service

You need to provide custom implementations of the ReadOnlyIdentityProvider Interface. http://docs.camunda.org/latest/api-references/javadoc/?org/camunda/bpm/engine/impl/identity/ReadOnlyIdentityProvider.html

martinschimak commented 9 years ago

Hi all, with respect to Erick's other question: my current mental model of camunda would say that it's also possible to safely ignore identityService and just use your very own mechanisms and work with string based user/group ids as far as it comes to using other camunda services than identityService. Is that correct, @meyerdan?

meyerdan commented 9 years ago

Correct. The identity service is a totally optional component.

If you "only" embed the process engine library for process execution, then the identity service is not used.

If you use the camunda webapplication, then the webapplication will use the identity service as source for users and groups, login, authentication and so forth...

Does this help you?

Daniel

erickmelo commented 9 years ago

Yes. Thank you. I only embed the process engine library for process execution. Also, I have back-end users based on LDAP, so the "camunda webapplication" integration seems to be simple.

My question was related to the plugin. I believe it would be helpful to have a note in the documentation about this situation. I guess it's a recurring question that might make people not use the plugin. Once again, thank you for your attention.

martinschimak commented 9 years ago

Thank you @meyerdan for confirmation - and thanks @erickmelo for contributing your thoughts! (Pull requests - also for the integrated documentation only - are welcome.)