
Auth Extension for APS (Activiti App)

This library was originally created to expand the functionality of Keycloak integration within the Alfresco Process Services (APS) application. It has since expanded to support general OAuth, closing gaps that remain in the implementation provided by Alfresco. It does not apply to the open source Activiti engine.

APS delivers SSO capability and little else. It has a few shortcomings:

  • The user must already exist in APS, which means they must be synced in from LDAP.
  • The user roles apply to their session only and are not synchronized with APS Organizations. This prevents the user from being included in task candidate group assignments and other group features.

This extension aims to resolve those issues.

Installation

The installation is simple. Just include the JAR in the classpath of your APS application. This is best done by not changing the activiti-app.war file, but instead adding the JAR to the classpath through your web container configuration. For Apache Tomcat, you would add or modify the following context file: conf/Catalina/localhost/activiti-app.xml. Its relevant contents would be:

<Context>
        <Resources>
                <PostResources base="${catalina.base}/ext" className="org.apache.catalina.webresources.DirResourceSet" webAppMount="/WEB-INF/lib" readOnly="true" />
        </Resources>
</Context>

Notice the use of PostResources instead of PreResources. This library needs to be loaded after the web application. This is also the best way to load any other extensions or customizations for the Activiti App, including JavaDelegate implementations. If you start Tomcat with the -security switch, you will need to grant this path permissions in the catalina.policy file (the permission class is java.security.AllPermission, and each entry ends with a semicolon):

grant codeBase "file:${catalina.base}/ext/-" {
        permission java.security.AllPermission;
};

Dependencies

This extension requires the multiext-activiti-app-ext. Without it, APS will fail to start up. It is very small and requires no additional configuration.

Support Matrix

Auth Activiti App Extension    Activiti App
v1.0 - v1.2                    v1.11.x
v1.3                           v1.11.x - v2.x
v2.0+                          v24.x+

Configuration

The library is highly configurable. You configure it with properties specified in the activiti-app.properties file, which must sit at the root of the classpath (typically the lib folder). Alternatively, you can specify these options with -D switches when starting the web container. The properties to configure are enumerated below.

This will only work if OAuth is being used, which is the case when activiti.identity-service.enabled or security.oauth2.authentication.enabled is true.

OAuth Authentication/Authorization

The following properties were added to increase the configurability of the built-in OAuth capabilities of APS. The default in this extension adds the microprofile-jwt scope, which is key to providing groups/roles/entitlements.

Property                 Default
auth-ext.oauth.scopes    openid, profile, email, microprofile-jwt

OAuth Synchronization

The following properties provide the core functionality of this extension: role synchronization.

auth-ext.externalId (default: oauth)
    Serves as the external ID for users and as the prefix for the external ID of groups created by this extension.

auth-ext.tenant (no default)
    A preselected tenant for all operations in this extension. Only required if there are multiple tenants.

auth-ext.sync.user.createMissing (default: true)
    If the user is authenticated, the user may be created in APS.

auth-ext.sync.user.requireGroup (no default)
    Only applicable when createMissing is true. If this is unset, or the OAuth Authorization Server gives the user the specified group/role, then the user record will be created in APS.

auth-ext.sync.user.clearNewUserGroups (default: true)
    Only applicable when createMissing is true. All default APS groups will be removed from the new user record.

auth-ext.sync.group.createMissing (default: true)
    If a filtered and translated OIDC group has no corresponding APS group, a group will be created in APS. See auth-ext.sync.group.capabilities.patterns for whether that group will be an APS Organization or an APS Capability.

auth-ext.sync.group.additions (default: true)
    If the user is not in an APS group but the OAuth claims include the corresponding OIDC group, add them to it.

auth-ext.sync.group.removals (default: true)
    If the user is in an APS group but the OAuth claims do not include the corresponding OIDC group, remove them from it.

auth-ext.sync.group.internal (default: false)
    When considering groups for creation or user membership, include internal groups. Internal groups are ones without an externalId.

auth-ext.sync.group.internal.externalize (default: false)
    Only applicable when internal is true. If an internal group is encountered during the operation of this extension, make it external with the current externalId.

auth-ext.sync.group.tenantize (default: false)
    If a group without a tenant is encountered during the operation of this extension, make it part of the selected tenant.

auth-ext.sync.group.translate.patterns (no default)
    A comma-delimited set of regular expression patterns for the translation (reformatting) of authorities.

auth-ext.sync.group.translate.replacements (no default)
    A comma-delimited set of regular expression replacement strings corresponding to translate.patterns, used for the translation (reformatting) of authorities.

auth-ext.sync.group.include.patterns (no default)
    A comma-delimited set of regular expression patterns selecting which authorities to include. Processed before translation. A blank value includes everything. If anything is specified, only matching authorities can be included, and they may still be excluded explicitly.

auth-ext.sync.group.exclude.patterns (no default)
    A comma-delimited set of regular expression patterns selecting which authorities to exclude. Processed before translation. A blank value excludes nothing. If anything is specified and include is empty, only matches will be excluded. If both are specified, exclude overrules include.

auth-ext.sync.group.capabilities.patterns (default: Superusers)
    A comma-delimited set of regular expression patterns selecting which authorities to associate with APS Capabilities instead of APS Organizations (the default).
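To show how the include, exclude, translate and capabilities patterns combine, here is a small added example (not the extension's own code) that models the pipeline described above over a constructed groups claim. It assumes patterns must match the whole authority, that include/exclude run before translation, that translate patterns and replacements pair up by position using Java's $1 replacement syntax, and that capabilities.patterns is tested against the translated name.

```java
import java.util.*;
import java.util.regex.Pattern;

// Hypothetical model of the auth-ext.sync.group.* pipeline; assumptions as in the lead-in.
public class GroupSyncDemo {

    // Comma-delimited property -> compiled patterns; a blank value yields no patterns.
    static List<Pattern> patterns(Properties p, String key, String def) {
        List<Pattern> out = new ArrayList<>();
        String raw = p.getProperty(key, def).trim();
        if (raw.isEmpty()) return out;
        for (String s : raw.split(",")) out.add(Pattern.compile(s.trim()));
        return out;
    }

    // Assumption: a pattern must match the whole authority, not just a substring.
    static boolean anyMatch(List<Pattern> ps, String s) {
        return ps.stream().anyMatch(p -> p.matcher(s).matches());
    }

    // Returns translated authority -> "Capability" or "Organization" for groups that survive filtering.
    static Map<String, String> sync(Properties p, List<String> claimed) {
        List<Pattern> include = patterns(p, "auth-ext.sync.group.include.patterns", "");
        List<Pattern> exclude = patterns(p, "auth-ext.sync.group.exclude.patterns", "");
        List<Pattern> translate = patterns(p, "auth-ext.sync.group.translate.patterns", "");
        String[] repl = p.getProperty("auth-ext.sync.group.translate.replacements", "").split(",", -1);
        List<Pattern> caps = patterns(p, "auth-ext.sync.group.capabilities.patterns", "Superusers");
        Map<String, String> result = new LinkedHashMap<>();
        for (String g : claimed) {
            // A blank include admits everything; exclude overrules include.
            if (!include.isEmpty() && !anyMatch(include, g)) continue;
            if (anyMatch(exclude, g)) continue;
            // Translation: pattern i is paired with replacement i (Java $1 syntax).
            String name = g;
            for (int i = 0; i < translate.size() && i < repl.length; i++)
                name = translate.get(i).matcher(name).replaceAll(repl[i].trim());
            result.put(name, anyMatch(caps, name) ? "Capability" : "Organization");
        }
        return result;
    }

    public static void main(String[] args) {
        Properties p = new Properties();            // constructed sample configuration
        p.setProperty("auth-ext.sync.group.include.patterns", "aps-.*, Superusers");
        p.setProperty("auth-ext.sync.group.exclude.patterns", "aps-internal-.*");
        p.setProperty("auth-ext.sync.group.translate.patterns", "aps-(.*)");
        p.setProperty("auth-ext.sync.group.translate.replacements", "$1");
        // Constructed groups claim as it might arrive in a token
        List<String> claimed = Arrays.asList("aps-finance", "aps-internal-ops", "Superusers", "ldap-users");
        System.out.println(sync(p, claimed));
    }
}
```

With this configuration, aps-finance becomes the Organization "finance", Superusers is classified as a Capability, aps-internal-ops is dropped by the exclude pattern, and ldap-users never passes the include filter.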

Authentication Data Fixers

Administrator Password Fixer

auth-ext.reset.admin.username (default: admin@app.activiti.com)
    The APS user whose password this fixer resets.

auth-ext.reset.admin.password (no default)
    If set, the user's password will be set to this value on startup; otherwise this fixer is skipped.

Administrator Members Fixer

auth-ext.default.admins.users (no default)
    A comma-delimited list of user emails; the fixer is skipped if empty.

auth-ext.group.admins.name (default: Superusers)
    The APS Group (Capability or Organization) to add the specified users to.

auth-ext.group.admins.externalId (no default)
    If specified, this APS Group will be considered before the specified name field.

Administrator Group Fixer

auth-ext.group.admins.validate (default: false)
    If true, the specified APS Group will be granted all capabilities.

auth-ext.group.admins.name (default: Superusers)
    The APS Group (Capability or Organization) to add the specified users to.

auth-ext.group.admins.externalId (no default)
    If specified, this APS Group will be considered before the specified name field.