DeveloperLife: Identity Management

This time we focus on Business Process Management (BPM) and more precisely on Activiti. Activiti is an open source process engine for Java, that we decided to look into. One of the questions that arose during development was how to assimilate our users and groups into the Activiti platform. Luckily, this is supported by the Activiti engine, but not so well documented (to our knowledge). We have decided to take on the challenge, and create a quick tutorial on how to manage users and groups identity in Activiti (and more precisely Activiti 5.8).

Activiti supports two main entry points that you need to implement in order to integrate your identity solution. These are the user manager and the group manager classes. We will first create a factory for group/user management, and then implement the class that we create in the factory. Lets take a dive into the code, implementing the MyGroupManagerFactory class first:

package my.great.company.com.businessprocessengine.identityservice;

  

import org.activiti.engine.impl.interceptor.Session;

import org.activiti.engine.impl.interceptor.SessionFactory;

import org.activiti.engine.impl.persistence.entity.GroupManager;

  

public class MyGroupManagerFactory implements SessionFactory {

  

    private MyConnectionParams    connectionParams;

  

    public MyGroupManagerFactory(MyConnectionParams params) {

        this.connectionParams = params;

    }

  

    @Override

    public Class<?> getSessionType() {

        return GroupManager.class;

    }

  

    @Override

    public Session openSession() {

        return new MyGroupManager(connectionParams);

    }

}

We will also want to provide a factory for user management classes, so here is the MyUserManagerFactory :

package my.great.company.com.businessprocessengine.identityservice;

  

import org.activiti.engine.impl.interceptor.Session;

import org.activiti.engine.impl.interceptor.SessionFactory;

import org.activiti.engine.impl.persistence.entity.UserManager;

  

public class MyUserManagerFactory implements SessionFactory {

  

    private MyConnectionParams connectionParams;

    

    public MyUserManagerFactory(MyConnectionParams params) {

        this.connectionParams = params;

    }

    

    @Override

    public Class<?> getSessionType() {

      return UserManager.class;

    }

  

    @Override

    public Session openSession() {

      return new MyUserManager(connectionParams);

    }

  

}

As you can see above we assume that we want to get connection prams in the instantiation of the classes (assume MyConnectionParams is a simple POJO, and implement it for your needs). Moreover, you will need the Activiti engine jar file in your classpath.

We now implement MyGroupManager and MyUserManager classes. We did not not detail the entire code, but created an example to show what must be implemented and what you can skip. In MyGroupManager we only implemented the findGroupByQueryCriteria, and findGroupCountByQueryCriteria. Methods that are marked with TODO notation are mandatory in order to work with Activiti core engine. If you want to work with Activity Explorer - implement all the methods.

package my.great.company.com.businessprocessengine.identityservice;
  

import java.util.ArrayList;

import java.util.List;

  

import org.activiti.engine.ActivitiException;

import org.activiti.engine.identity.Group;

import org.activiti.engine.impl.GroupQueryImpl;

import org.activiti.engine.impl.Page;

import org.activiti.engine.impl.persistence.entity.GroupEntity;

import org.activiti.engine.impl.persistence.entity.GroupManager;

import org.apache.commons.lang.StringUtils;

  

public class MyGroupManager extends GroupManager {

  

    

    public MyGroupManager(MyConnectionParams connectionParams) {

        

    }

  

    @Override

    public Group createNewGroup(String groupId) {

        throw new ActivitiException("My group manager doesn't support creating a new group");

    }

  

    @Override

    public void insertGroup(Group group) {

        throw new ActivitiException("My group manager doesn't support inserting a new group");

    }

  

    @Override

    public void updateGroup(Group updatedGroup) {

        throw new ActivitiException("My group manager doesn't support updating a new group");

    }

  

    @Override

    public void deleteGroup(String groupId) {

        throw new ActivitiException("My group manager doesn't support deleting a new group");

    }
  

    @Override

    public long findGroupCountByQueryCriteria(Object query) {

        return findGroupByQueryCriteria(query, null).size();

    }

  

    @Override

    public List<Group> findGroupByQueryCriteria(Object query, Page page) {

        List<Group> groupList = new ArrayList<Group>();

        GroupQueryImpl groupQuery = (GroupQueryImpl) query;

        if (StringUtils.isNotEmpty(groupQuery.getId())) {

            GroupEntity singleGroup = findGroupById(groupQuery.getId());

            groupList.add(singleGroup);

            return groupList;

        } else if (StringUtils.isNotEmpty(groupQuery.getName())) {

            GroupEntity singleGroup = findGroupById(groupQuery.getId());

            groupList.add(singleGroup);

            return groupList;

        } else if (StringUtils.isNotEmpty(groupQuery.getUserId())) {

            return findGroupsByUser(groupQuery.getUserId());

        } else {

            //TODO: get all groups from your identity domain and convert them to List<Group>

            return null;

        } //TODO: you can add other search criteria that will allow extended support using the Activiti engine API

    }

  

    @Override

    public GroupEntity findGroupById(String activitiGroupID) {

        //TODO

        throw new ActivitiException("My group manager doesn't support finding a group");

    }

  

    @Override

    public List<Group> findGroupsByUser(String userLogin) {

        //TODO

        throw new ActivitiException("My group manager doesn't support finding a group");

    }

}

In MyUserManager, we have implemented findUserCountByQueryCriteria and findUserByQueryCriteria. Again - the methods that are marked with TODO notation are mandatory in order to work with Activiti core engine.

package my.great.company.com.businessprocessengine.identityservice;

  

import java.util.ArrayList;

import java.util.List;

  

import org.activiti.engine.ActivitiException;

import org.activiti.engine.identity.User;

import org.activiti.engine.impl.Page;

import org.activiti.engine.impl.UserQueryImpl;

import org.activiti.engine.impl.persistence.entity.UserEntity;

import org.activiti.engine.impl.persistence.entity.UserManager;

import org.apache.commons.lang.StringUtils;

  

public class MyUserManager extends UserManager {

    

    public MyUserManager(MyConnectionParams connectionParams) {

    }

  

    @Override

    public User createNewUser(String userId) {

        throw new ActivitiException("My user manager doesn't support creating a new user");

    }

  

    @Override

    public void insertUser(User user) {

        throw new ActivitiException("My user manager doesn't support inserting a new user");

    }

  

    @Override

    public void updateUser(User updatedUser) {

        throw new ActivitiException("My user manager doesn't support updating a user");

    }

  

    @Override

    public void deleteUser(String userId) {

        throw new ActivitiException("My user manager doesn't support deleting a user");

    }

  

    @Override

    public UserEntity findUserById(String userLogin) {

        //TODO: get my user according to userLogin and convert it to UserEntity

        throw new ActivitiException("My user manager doesn't support finding a user");

    }

  

    @Override

    public List<User> findUserByQueryCriteria(Object query, Page page) {

  

        List<User> userList = new ArrayList<User>();

        UserQueryImpl userQuery = (UserQueryImpl) query;

        if (StringUtils.isNotEmpty(userQuery.getId())) {

            userList.add(findUserById(userQuery.getId()));

            return userList;

        } else if (StringUtils.isNotEmpty(userQuery.getLastName())) {

            userList.add(findUserById(userQuery.getLastName()));

            return userList;

        } else {

            //TODO: get all users from your identity domain and convert them to List<User>

            return null;

        } //TODO: you can add other search criteria that will allow extended support using the Activiti engine API

    }

  

    @Override

    public long findUserCountByQueryCriteria(Object query) {

        return findUserByQueryCriteria(query, null).size();

    }

  

    @Override

    public Boolean checkPassword(String userId, String password) {

        //TODO: check the password in your domain and return the appropriate boolean

        return false;

    }

}

The only thing left to do is to inject (using Spring) our classes to the Activity engine configuration. We will need to inject MyConnectionParams as well as the factories themselves. Find your configuration file and add:

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://www.springframework.org/schema/beans   http://www.springframework.org/schema/beans/spring-beans.xsd">

  

    <bean id="processEngineConfiguration" class="org.activiti.spring.SpringProcessEngineConfiguration">

  

        ...

        <property name="customSessionFactories">

            <list>

                <bean

                    class="my.great.company.com.businessprocessengine.identityservice.MyUserManagerFactory">

                    <constructor-arg ref="MyConnectionParams" />

                </bean>

                <bean

                    class="my.great.company.com.businessprocessengine.identityservice.MyGroupManagerFactory">

                    <constructor-arg ref="MyConnectionParams" />

                </bean>

            </list>

        </property>

        ...

    </bean>

   

    <bean id="MyConnectionParams"

        class="my.great.company.com.businessprocessengine.identityservice.MyConnectionParams">

    </bean>

    ...

  

</beans>

That’s it. You can now use your own users and groups to create processes, deploy them, login to the Activiti Explorer or Rest API, etc.

So, here are a few extra pointers about Activiti Identity:

First of all there are 3 predefined group types:

activity-role
assignment
user

Now, no one tells you this, but if you are using Activiti Explorer, and you want your user to have admin privileges (i.e. be able to see the 'manage' tab), then the user's group type must be 'security-role' and the user's group name must be hard coded 'admin'. This means you will need to create some special code hacking for special users to use the Activiti Explorer.
Lets say you created a process that has a user task with a candidate group option (denote said group as X). NOTE: If you start a process instance, than only if the type of the group X is 'assignment' then users that belong to X will be able to claim the task. Otherwise, the user will not be able to claim the task at all.

DeveloperLife

Wednesday, February 15, 2012

Activiti Authentication And Identity Management Tutorial

Followers