Class DefaultAuthorizationProvider
- java.lang.Object
-
- org.camunda.bpm.engine.impl.cfg.auth.DefaultAuthorizationProvider
-
- All Implemented Interfaces:
ResourceAuthorizationProvider
public class DefaultAuthorizationProvider extends java.lang.Object implements ResourceAuthorizationProvider
Provides the default authorizations for Camunda Platform.
- Author:
- Daniel Meyer
-
-
Constructor Summary
Constructors Constructor Description DefaultAuthorizationProvider()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected void
addPermissions(AuthorizationEntity authorization, Permission... permissions)
protected boolean
areIdsEqual(java.lang.String firstId, java.lang.String secondId)
protected AuthorizationEntity
createAuthorization(java.lang.String userId, java.lang.String groupId, Resource resource, java.lang.String resourceId, Permission... permissions)
protected AuthorizationEntity
createGrantAuthorization(java.lang.String userId, java.lang.String groupId, Resource resource, java.lang.String resourceId, Permission... permissions)
protected AuthorizationEntity
createOrUpdateAuthorization(Task task, java.lang.String userId, java.lang.String groupId, Resource resource, boolean isHistoric, Permission... permissions)
protected AuthorizationEntity[]
createOrUpdateAuthorizations(Task task, java.lang.String groupId, java.lang.String userId)
(1) Fetch existing runtime & history authorizations (2) Update authorizations: (2a) fetched authorization == null -> create a new runtime authorization (with READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled) -> create a new history authorization (with READ on HISTORIC_TASK) (2b) fetched authorization != null -> Add READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled UPDATE or TASK_WORK permission is configurable in camunda.cfg.xml and by default, UPDATE permission is provided -> Add READ on HISTORIC_TASKprotected AuthorizationEntity[]
createOrUpdateAuthorizationsByGroupId(Task task, java.lang.String groupId)
protected AuthorizationEntity[]
createOrUpdateAuthorizationsByUserId(Task task, java.lang.String userId)
AuthorizationEntity[]
deleteTaskGroupIdentityLink(Task task, java.lang.String groupId, java.lang.String type)
Invoked whenever a group identity link of a task has been deleted.AuthorizationEntity[]
deleteTaskUserIdentityLink(Task task, java.lang.String userId, java.lang.String type)
Invoked whenever a user identity link of a task has been deleted.protected HistoryEvent
findHistoricProcessInstance(java.lang.String rootProcessInstanceId)
protected AuthorizationManager
getAuthorizationManager()
protected Permission
getDefaultUserPermissionForTask()
protected AuthorizationEntity
getGrantAuthorization(java.lang.String taskId, java.lang.String userId, java.lang.String groupId, Resource resource)
protected AuthorizationEntity
getGrantAuthorizationByGroupId(java.lang.String groupId, Resource resource, java.lang.String resourceId)
protected AuthorizationEntity
getGrantAuthorizationByUserId(java.lang.String userId, Resource resource, java.lang.String resourceId)
protected Permission[]
getHistoricPermissions(boolean enforceSpecificVariablePermission)
protected java.lang.String
getHistoryRemovalTimeStrategy()
protected java.lang.String
getRootProcessInstanceId(Task task)
protected Permission[]
getRuntimePermissions(boolean enforceSpecificVariablePermission)
AuthorizationEntity[]
groupMembershipCreated(java.lang.String groupId, java.lang.String userId)
Invoked whenever a user is added to a groupprotected boolean
hasEntitySameAuthorizationRights(AuthorizationEntity authEntity, java.lang.String userId, java.lang.String groupId, Resource resource, java.lang.String resourceId)
protected boolean
isEnforceSpecificVariablePermission()
protected boolean
isHistoricInstancePermissionsEnabled()
protected boolean
isHistoryRemovalTimeStrategyStart()
AuthorizationEntity[]
newDecisionDefinition(DecisionDefinition decisionDefinition)
Invoked whenever a new decision definition is created.AuthorizationEntity[]
newDecisionRequirementsDefinition(DecisionRequirementsDefinition decisionRequirementsDefinition)
Invoked whenever a new decision requirements definition is created.AuthorizationEntity[]
newDeployment(Deployment deployment)
Invoked whenever a new deployment is createdAuthorizationEntity[]
newFilter(Filter filter)
Invoked whenever a new filter is createdAuthorizationEntity[]
newGroup(Group group)
Invoked whenever a new group is createdAuthorizationEntity[]
newProcessDefinition(ProcessDefinition processDefinition)
Invoked whenever a new process definition is createdAuthorizationEntity[]
newProcessInstance(ProcessInstance processInstance)
Invoked whenever a new process instance is startedAuthorizationEntity[]
newTask(Task task)
Invoked whenever a new task is createdAuthorizationEntity[]
newTaskAssignee(Task task, java.lang.String oldAssignee, java.lang.String newAssignee)
Invoked whenever an user has been assigned to a task.AuthorizationEntity[]
newTaskGroupIdentityLink(Task task, java.lang.String groupId, java.lang.String type)
Invoked whenever a new group identity link has been added to a task.AuthorizationEntity[]
newTaskOwner(Task task, java.lang.String oldOwner, java.lang.String newOwner)
Invoked whenever an user has been set as the owner of a task.AuthorizationEntity[]
newTaskUserIdentityLink(Task task, java.lang.String userId, java.lang.String type)
Invoked whenever a new user identity link has been added to a task.AuthorizationEntity[]
newTenant(Tenant tenant)
Invoked whenever a new tenant is createdAuthorizationEntity[]
newUser(User user)
Invoked whenever a new user is createdprotected void
provideRemovalTime(AuthorizationEntity authorization, Task task)
AuthorizationEntity[]
tenantMembershipCreated(Tenant tenant, Group group)
Invoked whenever a group is added to a tenant.AuthorizationEntity[]
tenantMembershipCreated(Tenant tenant, User user)
Invoked whenever an user is added to a tenant.protected void
updateAuthorizationBasedOnCacheEntries(AuthorizationEntity authorization, java.lang.String userId, java.lang.String groupId, Resource resource, java.lang.String resourceId)
Searches through the cache, if there is already an authorization with same rights.
-
-
-
Method Detail
-
newUser
public AuthorizationEntity[] newUser(User user)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new user is created
- Specified by:
newUser
in interfaceResourceAuthorizationProvider
- Parameters:
user
- a newly created user- Returns:
- a list of authorizations to be automatically added when a new user is created.
-
newGroup
public AuthorizationEntity[] newGroup(Group group)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new group is created
- Specified by:
newGroup
in interfaceResourceAuthorizationProvider
- Parameters:
group
- a newly createdGroup
- Returns:
- a list of authorizations to be automatically added when a new
Group
is created.
-
newTenant
public AuthorizationEntity[] newTenant(Tenant tenant)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new tenant is created
- Specified by:
newTenant
in interfaceResourceAuthorizationProvider
- Parameters:
tenant
- a newly createdTenant
- Returns:
- a list of authorizations to be automatically added when a new
Tenant
is created.
-
groupMembershipCreated
public AuthorizationEntity[] groupMembershipCreated(java.lang.String groupId, java.lang.String userId)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a user is added to a group
- Specified by:
groupMembershipCreated
in interfaceResourceAuthorizationProvider
- Parameters:
groupId
- the id of the group to which the user is addeduserId
- the id of the user who is added to a group a newly createdUser
- Returns:
- a list of authorizations to be automatically added when a new
User
is created.
-
tenantMembershipCreated
public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant, User user)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever an user is added to a tenant.
- Specified by:
tenantMembershipCreated
in interfaceResourceAuthorizationProvider
- Parameters:
tenant
- the id of the tenant- Returns:
- a list of authorizations to be automatically added when a new membership is created.
-
tenantMembershipCreated
public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant, Group group)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a group is added to a tenant.
- Specified by:
tenantMembershipCreated
in interfaceResourceAuthorizationProvider
- Parameters:
tenant
- the id of the tenant- Returns:
- a list of authorizations to be automatically added when a new membership is created.
-
newFilter
public AuthorizationEntity[] newFilter(Filter filter)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new filter is created
- Specified by:
newFilter
in interfaceResourceAuthorizationProvider
- Parameters:
filter
- the newly created filter- Returns:
- a list of authorizations to be automatically added when a new
Filter
is created.
-
newDeployment
public AuthorizationEntity[] newDeployment(Deployment deployment)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new deployment is created
- Specified by:
newDeployment
in interfaceResourceAuthorizationProvider
- Parameters:
deployment
- the newly created deployment- Returns:
- a list of authorizations to be automatically added when a new
Deployment
is created.
-
newProcessDefinition
public AuthorizationEntity[] newProcessDefinition(ProcessDefinition processDefinition)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new process definition is created
- Specified by:
newProcessDefinition
in interfaceResourceAuthorizationProvider
- Parameters:
processDefinition
- the newly created process definition- Returns:
- a list of authorizations to be automatically added when a new
ProcessDefinition
is created.
-
newProcessInstance
public AuthorizationEntity[] newProcessInstance(ProcessInstance processInstance)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new process instance is started
- Specified by:
newProcessInstance
in interfaceResourceAuthorizationProvider
- Parameters:
processInstance
- the newly started process instance- Returns:
- a list of authorizations to be automatically added when a new
ProcessInstance
is started.
-
newTask
public AuthorizationEntity[] newTask(Task task)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new task is created
- Specified by:
newTask
in interfaceResourceAuthorizationProvider
- Parameters:
task
- the newly created task- Returns:
- a list of authorizations to be automatically added when a new
Task
is created.
-
newTaskAssignee
public AuthorizationEntity[] newTaskAssignee(Task task, java.lang.String oldAssignee, java.lang.String newAssignee)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever an user has been assigned to a task.
- Specified by:
newTaskAssignee
in interfaceResourceAuthorizationProvider
- Parameters:
task
- the task on which the assignee has been changedoldAssignee
- the old assignee of the tasknewAssignee
- the new assignee of the task- Returns:
- a list of authorizations to be automatically added when an assignee of a task changes.
-
newTaskOwner
public AuthorizationEntity[] newTaskOwner(Task task, java.lang.String oldOwner, java.lang.String newOwner)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever an user has been set as the owner of a task.
- Specified by:
newTaskOwner
in interfaceResourceAuthorizationProvider
- Parameters:
task
- the task on which the owner has been changedoldOwner
- the old owner of the tasknewOwner
- the new owner of the task- Returns:
- a list of authorizations to be automatically added when the owner of a task changes.
-
newTaskUserIdentityLink
public AuthorizationEntity[] newTaskUserIdentityLink(Task task, java.lang.String userId, java.lang.String type)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new user identity link has been added to a task.
- Specified by:
newTaskUserIdentityLink
in interfaceResourceAuthorizationProvider
- Parameters:
task
- the task on which a new identity link has been addeduserId
- the user for which the identity link has been createdtype
- the type of the identity link (e.g.IdentityLinkType.CANDIDATE
)- Returns:
- a list of authorizations to be automatically added when a new user identity link has been added.
-
newTaskGroupIdentityLink
public AuthorizationEntity[] newTaskGroupIdentityLink(Task task, java.lang.String groupId, java.lang.String type)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new group identity link has been added to a task.
- Specified by:
newTaskGroupIdentityLink
in interfaceResourceAuthorizationProvider
- Parameters:
task
- the task on which a new identity link has been addedgroupId
- the group for which the identity link has been createdtype
- the type of the identity link (e.g.IdentityLinkType.CANDIDATE
)- Returns:
- a list of authorizations to be automatically added when a new group identity link has been added.
-
deleteTaskUserIdentityLink
public AuthorizationEntity[] deleteTaskUserIdentityLink(Task task, java.lang.String userId, java.lang.String type)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a user identity link of a task has been deleted.
- Specified by:
deleteTaskUserIdentityLink
in interfaceResourceAuthorizationProvider
- Parameters:
task
- the task on which the identity link has been deleteduserId
- the user for which the identity link has been deletedtype
- the type of the identity link (e.g.IdentityLinkType.CANDIDATE
)- Returns:
- a list of authorizations to be automatically deleted when a user identity link has been deleted.
-
deleteTaskGroupIdentityLink
public AuthorizationEntity[] deleteTaskGroupIdentityLink(Task task, java.lang.String groupId, java.lang.String type)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a group identity link of a task has been deleted.
- Specified by:
deleteTaskGroupIdentityLink
in interfaceResourceAuthorizationProvider
- Parameters:
task
- the task on which the identity link has been deletedgroupId
- the group for which the identity link has been deletedtype
- the type of the identity link (e.g.IdentityLinkType.CANDIDATE
)- Returns:
- a list of authorizations to be automatically deleted when a group identity link has been deleted.
-
newDecisionDefinition
public AuthorizationEntity[] newDecisionDefinition(DecisionDefinition decisionDefinition)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new decision definition is created.
- Specified by:
newDecisionDefinition
in interfaceResourceAuthorizationProvider
- Parameters:
decisionDefinition
- the newly created decision definition- Returns:
- a list of authorizations to be automatically added when a new
DecisionDefinition
is created.
-
newDecisionRequirementsDefinition
public AuthorizationEntity[] newDecisionRequirementsDefinition(DecisionRequirementsDefinition decisionRequirementsDefinition)
Description copied from interface:ResourceAuthorizationProvider
Invoked whenever a new decision requirements definition is created.
- Specified by:
newDecisionRequirementsDefinition
in interfaceResourceAuthorizationProvider
- Parameters:
decisionRequirementsDefinition
- the newly created decision requirements definition- Returns:
- a list of authorizations to be automatically added when a new
DecisionRequirementsDefinition
is created.
-
createOrUpdateAuthorizationsByGroupId
protected AuthorizationEntity[] createOrUpdateAuthorizationsByGroupId(Task task, java.lang.String groupId)
-
createOrUpdateAuthorizationsByUserId
protected AuthorizationEntity[] createOrUpdateAuthorizationsByUserId(Task task, java.lang.String userId)
-
createOrUpdateAuthorizations
protected AuthorizationEntity[] createOrUpdateAuthorizations(Task task, java.lang.String groupId, java.lang.String userId)
(1) Fetch existing runtime & history authorizations (2) Update authorizations: (2a) fetched authorization == null -> create a new runtime authorization (with READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled) -> create a new history authorization (with READ on HISTORIC_TASK) (2b) fetched authorization != null -> Add READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled UPDATE or TASK_WORK permission is configurable in camunda.cfg.xml and by default, UPDATE permission is provided -> Add READ on HISTORIC_TASK
-
createOrUpdateAuthorization
protected AuthorizationEntity createOrUpdateAuthorization(Task task, java.lang.String userId, java.lang.String groupId, Resource resource, boolean isHistoric, Permission... permissions)
-
provideRemovalTime
protected void provideRemovalTime(AuthorizationEntity authorization, Task task)
-
getRootProcessInstanceId
protected java.lang.String getRootProcessInstanceId(Task task)
-
isHistoryRemovalTimeStrategyStart
protected boolean isHistoryRemovalTimeStrategyStart()
-
getHistoryRemovalTimeStrategy
protected java.lang.String getHistoryRemovalTimeStrategy()
-
findHistoricProcessInstance
protected HistoryEvent findHistoricProcessInstance(java.lang.String rootProcessInstanceId)
-
getHistoricPermissions
protected Permission[] getHistoricPermissions(boolean enforceSpecificVariablePermission)
-
getRuntimePermissions
protected Permission[] getRuntimePermissions(boolean enforceSpecificVariablePermission)
-
isHistoricInstancePermissionsEnabled
protected boolean isHistoricInstancePermissionsEnabled()
-
getAuthorizationManager
protected AuthorizationManager getAuthorizationManager()
-
getGrantAuthorization
protected AuthorizationEntity getGrantAuthorization(java.lang.String taskId, java.lang.String userId, java.lang.String groupId, Resource resource)
-
getGrantAuthorizationByUserId
protected AuthorizationEntity getGrantAuthorizationByUserId(java.lang.String userId, Resource resource, java.lang.String resourceId)
-
getGrantAuthorizationByGroupId
protected AuthorizationEntity getGrantAuthorizationByGroupId(java.lang.String groupId, Resource resource, java.lang.String resourceId)
-
createAuthorization
protected AuthorizationEntity createAuthorization(java.lang.String userId, java.lang.String groupId, Resource resource, java.lang.String resourceId, Permission... permissions)
-
addPermissions
protected void addPermissions(AuthorizationEntity authorization, Permission... permissions)
-
createGrantAuthorization
protected AuthorizationEntity createGrantAuthorization(java.lang.String userId, java.lang.String groupId, Resource resource, java.lang.String resourceId, Permission... permissions)
-
getDefaultUserPermissionForTask
protected Permission getDefaultUserPermissionForTask()
-
isEnforceSpecificVariablePermission
protected boolean isEnforceSpecificVariablePermission()
-
updateAuthorizationBasedOnCacheEntries
protected void updateAuthorizationBasedOnCacheEntries(AuthorizationEntity authorization, java.lang.String userId, java.lang.String groupId, Resource resource, java.lang.String resourceId)
Searches through the cache, if there is already an authorization with same rights. If that's the case update the given authorization with the permissions and remove the old one from the cache.
-
hasEntitySameAuthorizationRights
protected boolean hasEntitySameAuthorizationRights(AuthorizationEntity authEntity, java.lang.String userId, java.lang.String groupId, Resource resource, java.lang.String resourceId)
-
areIdsEqual
protected boolean areIdsEqual(java.lang.String firstId, java.lang.String secondId)
-
-