Package org.camunda.bpm.engine.impl.cfg.auth

Class DefaultAuthorizationProvider

java.lang.Object

org.camunda.bpm.engine.impl.cfg.auth.DefaultAuthorizationProvider

All Implemented Interfaces:

ResourceAuthorizationProvider

public class DefaultAuthorizationProvider
extends Object
implements ResourceAuthorizationProvider

Provides the default authorizations for Camunda Platform.

Author:

Daniel Meyer

Constructor Summary

Constructors

Constructor	Description
DefaultAuthorizationProvider()

Method Summary

Modifier and Type	Method	Description
protected void	addPermissions(AuthorizationEntity authorization, Permission... permissions)
protected boolean	areIdsEqual(String firstId, String secondId)
protected AuthorizationEntity	createAuthorization(String userId, String groupId, Resource resource, String resourceId, Permission... permissions)
protected AuthorizationEntity	createGrantAuthorization(String userId, String groupId, Resource resource, String resourceId, Permission... permissions)
protected AuthorizationEntity	createOrUpdateAuthorization(Task task, String userId, String groupId, Resource resource, boolean isHistoric, Permission... permissions)
protected AuthorizationEntity[]	createOrUpdateAuthorizations(Task task, String groupId, String userId)	(1) Fetch existing runtime & history authorizations (2) Update authorizations: (2a) fetched authorization == null -> create a new runtime authorization (with READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled) -> create a new history authorization (with READ on HISTORIC_TASK) (2b) fetched authorization != null -> Add READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled UPDATE or TASK_WORK permission is configurable in camunda.cfg.xml and by default, UPDATE permission is provided -> Add READ on HISTORIC_TASK
protected AuthorizationEntity[]	createOrUpdateAuthorizationsByGroupId(Task task, String groupId)
protected AuthorizationEntity[]	createOrUpdateAuthorizationsByUserId(Task task, String userId)
AuthorizationEntity[]	deleteTaskGroupIdentityLink(Task task, String groupId, String type)	Invoked whenever a group identity link of a task has been deleted.
AuthorizationEntity[]	deleteTaskUserIdentityLink(Task task, String userId, String type)	Invoked whenever a user identity link of a task has been deleted.
protected HistoryEvent	findHistoricProcessInstance(String rootProcessInstanceId)
protected AuthorizationManager	getAuthorizationManager()
protected Permission	getDefaultUserPermissionForTask()
protected AuthorizationEntity	getGrantAuthorization(String taskId, String userId, String groupId, Resource resource)
protected AuthorizationEntity	getGrantAuthorizationByGroupId(String groupId, Resource resource, String resourceId)
protected AuthorizationEntity	getGrantAuthorizationByUserId(String userId, Resource resource, String resourceId)
protected Permission[]	getHistoricPermissions(boolean enforceSpecificVariablePermission)
protected String	getHistoryRemovalTimeStrategy()
protected String	getRootProcessInstanceId(Task task)
protected Permission[]	getRuntimePermissions(boolean enforceSpecificVariablePermission)
AuthorizationEntity[]	groupMembershipCreated(String groupId, String userId)	Invoked whenever a user is added to a group
protected boolean	hasEntitySameAuthorizationRights(AuthorizationEntity authEntity, String userId, String groupId, Resource resource, String resourceId)
protected boolean	isEnforceSpecificVariablePermission()
protected boolean	isHistoricInstancePermissionsEnabled()
protected boolean	isHistoryRemovalTimeStrategyStart()
AuthorizationEntity[]	newDecisionDefinition(DecisionDefinition decisionDefinition)	Invoked whenever a new decision definition is created.
AuthorizationEntity[]	newDecisionRequirementsDefinition(DecisionRequirementsDefinition decisionRequirementsDefinition)	Invoked whenever a new decision requirements definition is created.
AuthorizationEntity[]	newDeployment(Deployment deployment)	Invoked whenever a new deployment is created
AuthorizationEntity[]	newFilter(Filter filter)	Invoked whenever a new filter is created
AuthorizationEntity[]	newGroup(Group group)	Invoked whenever a new group is created
AuthorizationEntity[]	newProcessDefinition(ProcessDefinition processDefinition)	Invoked whenever a new process definition is created
AuthorizationEntity[]	newProcessInstance(ProcessInstance processInstance)	Invoked whenever a new process instance is started
AuthorizationEntity[]	newTask(Task task)	Invoked whenever a new task is created
AuthorizationEntity[]	newTaskAssignee(Task task, String oldAssignee, String newAssignee)	Invoked whenever an user has been assigned to a task.
AuthorizationEntity[]	newTaskGroupIdentityLink(Task task, String groupId, String type)	Invoked whenever a new group identity link has been added to a task.
AuthorizationEntity[]	newTaskOwner(Task task, String oldOwner, String newOwner)	Invoked whenever an user has been set as the owner of a task.
AuthorizationEntity[]	newTaskUserIdentityLink(Task task, String userId, String type)	Invoked whenever a new user identity link has been added to a task.
AuthorizationEntity[]	newTenant(Tenant tenant)	Invoked whenever a new tenant is created
AuthorizationEntity[]	newUser(User user)	Invoked whenever a new user is created
protected void	provideRemovalTime(AuthorizationEntity authorization, Task task)
AuthorizationEntity[]	tenantMembershipCreated(Tenant tenant, Group group)	Invoked whenever a group is added to a tenant.
AuthorizationEntity[]	tenantMembershipCreated(Tenant tenant, User user)	Invoked whenever an user is added to a tenant.
protected void	updateAuthorizationBasedOnCacheEntries(AuthorizationEntity authorization, String userId, String groupId, Resource resource, String resourceId)	Searches through the cache, if there is already an authorization with same rights.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

DefaultAuthorizationProvider

public DefaultAuthorizationProvider()

Method Details

newUser

public AuthorizationEntity[] newUser(User user)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new user is created

Specified by:

newUser in interface ResourceAuthorizationProvider

Parameters:

user - a newly created user

Returns:

a list of authorizations to be automatically added when a new user is created.

newGroup

public AuthorizationEntity[] newGroup(Group group)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new group is created

Specified by:

newGroup in interface ResourceAuthorizationProvider

Parameters:

group - a newly created Group

Returns:

a list of authorizations to be automatically added when a new Group is created.

newTenant

public AuthorizationEntity[] newTenant(Tenant tenant)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new tenant is created

Specified by:

newTenant in interface ResourceAuthorizationProvider

Parameters:

tenant - a newly created Tenant

Returns:

a list of authorizations to be automatically added when a new Tenant is created.

groupMembershipCreated

public AuthorizationEntity[] groupMembershipCreated(String groupId,
 String userId)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a user is added to a group

Specified by:

groupMembershipCreated in interface ResourceAuthorizationProvider

Parameters:

groupId - the id of the group to which the user is added

userId - the id of the user who is added to a group a newly created User

Returns:

a list of authorizations to be automatically added when a new User is created.

tenantMembershipCreated

public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant,
 User user)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever an user is added to a tenant.

Specified by:

tenantMembershipCreated in interface ResourceAuthorizationProvider

Parameters:

tenant - the id of the tenant

Returns:

a list of authorizations to be automatically added when a new membership is created.

tenantMembershipCreated

public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant,
 Group group)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a group is added to a tenant.

Specified by:

tenantMembershipCreated in interface ResourceAuthorizationProvider

Parameters:

tenant - the id of the tenant

Returns:

a list of authorizations to be automatically added when a new membership is created.

newFilter

public AuthorizationEntity[] newFilter(Filter filter)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new filter is created

Specified by:

newFilter in interface ResourceAuthorizationProvider

Parameters:

filter - the newly created filter

Returns:

a list of authorizations to be automatically added when a new Filter is created.

newDeployment

public AuthorizationEntity[] newDeployment(Deployment deployment)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new deployment is created

Specified by:

newDeployment in interface ResourceAuthorizationProvider

Parameters:

deployment - the newly created deployment

Returns:

a list of authorizations to be automatically added when a new Deployment is created.

newProcessDefinition

public AuthorizationEntity[] newProcessDefinition(ProcessDefinition processDefinition)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new process definition is created

Specified by:

newProcessDefinition in interface ResourceAuthorizationProvider

Parameters:

processDefinition - the newly created process definition

Returns:

a list of authorizations to be automatically added when a new ProcessDefinition is created.

newProcessInstance

public AuthorizationEntity[] newProcessInstance(ProcessInstance processInstance)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new process instance is started

Specified by:

newProcessInstance in interface ResourceAuthorizationProvider

Parameters:

processInstance - the newly started process instance

Returns:

a list of authorizations to be automatically added when a new ProcessInstance is started.

newTask

public AuthorizationEntity[] newTask(Task task)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new task is created

Specified by:

newTask in interface ResourceAuthorizationProvider

Parameters:

task - the newly created task

Returns:

a list of authorizations to be automatically added when a new Task is created.

newTaskAssignee

public AuthorizationEntity[] newTaskAssignee(Task task,
 String oldAssignee,
 String newAssignee)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever an user has been assigned to a task.

Specified by:

newTaskAssignee in interface ResourceAuthorizationProvider

Parameters:

task - the task on which the assignee has been changed

oldAssignee - the old assignee of the task

newAssignee - the new assignee of the task

Returns:

a list of authorizations to be automatically added when an assignee of a task changes.

newTaskOwner

public AuthorizationEntity[] newTaskOwner(Task task,
 String oldOwner,
 String newOwner)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever an user has been set as the owner of a task.

Specified by:

newTaskOwner in interface ResourceAuthorizationProvider

Parameters:

task - the task on which the owner has been changed

oldOwner - the old owner of the task

newOwner - the new owner of the task

Returns:

a list of authorizations to be automatically added when the owner of a task changes.

newTaskUserIdentityLink

public AuthorizationEntity[] newTaskUserIdentityLink(Task task,
 String userId,
 String type)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new user identity link has been added to a task.

Specified by:

newTaskUserIdentityLink in interface ResourceAuthorizationProvider

Parameters:

task - the task on which a new identity link has been added

userId - the user for which the identity link has been created

type - the type of the identity link (e.g. IdentityLinkType.CANDIDATE)

Returns:

a list of authorizations to be automatically added when a new user identity link has been added.

newTaskGroupIdentityLink

public AuthorizationEntity[] newTaskGroupIdentityLink(Task task,
 String groupId,
 String type)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new group identity link has been added to a task.

Specified by:

newTaskGroupIdentityLink in interface ResourceAuthorizationProvider

Parameters:

task - the task on which a new identity link has been added

groupId - the group for which the identity link has been created

type - the type of the identity link (e.g. IdentityLinkType.CANDIDATE)

Returns:

a list of authorizations to be automatically added when a new group identity link has been added.

deleteTaskUserIdentityLink

public AuthorizationEntity[] deleteTaskUserIdentityLink(Task task,
 String userId,
 String type)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a user identity link of a task has been deleted.

Specified by:

deleteTaskUserIdentityLink in interface ResourceAuthorizationProvider

Parameters:

task - the task on which the identity link has been deleted

userId - the user for which the identity link has been deleted

type - the type of the identity link (e.g. IdentityLinkType.CANDIDATE)

Returns:

a list of authorizations to be automatically deleted when a user identity link has been deleted.

deleteTaskGroupIdentityLink

public AuthorizationEntity[] deleteTaskGroupIdentityLink(Task task,
 String groupId,
 String type)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a group identity link of a task has been deleted.

Specified by:

deleteTaskGroupIdentityLink in interface ResourceAuthorizationProvider

Parameters:

task - the task on which the identity link has been deleted

groupId - the group for which the identity link has been deleted

type - the type of the identity link (e.g. IdentityLinkType.CANDIDATE)

Returns:

a list of authorizations to be automatically deleted when a group identity link has been deleted.

newDecisionDefinition

public AuthorizationEntity[] newDecisionDefinition(DecisionDefinition decisionDefinition)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new decision definition is created.

Specified by:

newDecisionDefinition in interface ResourceAuthorizationProvider

Parameters:

decisionDefinition - the newly created decision definition

Returns:

a list of authorizations to be automatically added when a new DecisionDefinition is created.

newDecisionRequirementsDefinition

public AuthorizationEntity[] newDecisionRequirementsDefinition(DecisionRequirementsDefinition decisionRequirementsDefinition)

Description copied from interface: ResourceAuthorizationProvider

Invoked whenever a new decision requirements definition is created.

Specified by:

newDecisionRequirementsDefinition in interface ResourceAuthorizationProvider

Parameters:

decisionRequirementsDefinition - the newly created decision requirements definition

Returns:

a list of authorizations to be automatically added when a new DecisionRequirementsDefinition is created.

createOrUpdateAuthorizationsByGroupId

protected AuthorizationEntity[] createOrUpdateAuthorizationsByGroupId(Task task,
 String groupId)

createOrUpdateAuthorizationsByUserId

protected AuthorizationEntity[] createOrUpdateAuthorizationsByUserId(Task task,
 String userId)

createOrUpdateAuthorizations

protected AuthorizationEntity[] createOrUpdateAuthorizations(Task task,
 String groupId,
 String userId)

(1) Fetch existing runtime & history authorizations (2) Update authorizations: (2a) fetched authorization == null -> create a new runtime authorization (with READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled) -> create a new history authorization (with READ on HISTORIC_TASK) (2b) fetched authorization != null -> Add READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled UPDATE or TASK_WORK permission is configurable in camunda.cfg.xml and by default, UPDATE permission is provided -> Add READ on HISTORIC_TASK

createOrUpdateAuthorization

protected AuthorizationEntity createOrUpdateAuthorization(Task task,
 String userId,
 String groupId,
 Resource resource,
 boolean isHistoric,
 Permission... permissions)

provideRemovalTime

protected void provideRemovalTime(AuthorizationEntity authorization,
 Task task)

getRootProcessInstanceId

protected String getRootProcessInstanceId(Task task)

isHistoryRemovalTimeStrategyStart

protected boolean isHistoryRemovalTimeStrategyStart()

getHistoryRemovalTimeStrategy

protected String getHistoryRemovalTimeStrategy()

findHistoricProcessInstance

protected HistoryEvent findHistoricProcessInstance(String rootProcessInstanceId)

getHistoricPermissions

protected Permission[] getHistoricPermissions(boolean enforceSpecificVariablePermission)

getRuntimePermissions

protected Permission[] getRuntimePermissions(boolean enforceSpecificVariablePermission)

isHistoricInstancePermissionsEnabled

protected boolean isHistoricInstancePermissionsEnabled()

getAuthorizationManager

protected AuthorizationManager getAuthorizationManager()

getGrantAuthorization

protected AuthorizationEntity getGrantAuthorization(String taskId,
 String userId,
 String groupId,
 Resource resource)

getGrantAuthorizationByUserId

protected AuthorizationEntity getGrantAuthorizationByUserId(String userId,
 Resource resource,
 String resourceId)

getGrantAuthorizationByGroupId

protected AuthorizationEntity getGrantAuthorizationByGroupId(String groupId,
 Resource resource,
 String resourceId)

createAuthorization

protected AuthorizationEntity createAuthorization(String userId,
 String groupId,
 Resource resource,
 String resourceId,
 Permission... permissions)

addPermissions

protected void addPermissions(AuthorizationEntity authorization,
 Permission... permissions)

createGrantAuthorization

protected AuthorizationEntity createGrantAuthorization(String userId,
 String groupId,
 Resource resource,
 String resourceId,
 Permission... permissions)

getDefaultUserPermissionForTask

protected Permission getDefaultUserPermissionForTask()

isEnforceSpecificVariablePermission

protected boolean isEnforceSpecificVariablePermission()

updateAuthorizationBasedOnCacheEntries

protected void updateAuthorizationBasedOnCacheEntries(AuthorizationEntity authorization,
 String userId,
 String groupId,
 Resource resource,
 String resourceId)

Searches through the cache, if there is already an authorization with same rights. If that's the case update the given authorization with the permissions and remove the old one from the cache.

hasEntitySameAuthorizationRights

protected boolean hasEntitySameAuthorizationRights(AuthorizationEntity authEntity,
 String userId,
 String groupId,
 Resource resource,
 String resourceId)

areIdsEqual

protected boolean areIdsEqual(String firstId,
 String secondId)