Security
Security and Identity Management
Flowable relies on the Spring Security framework to provide authentication and access control capabilities. Spring Security is an open source library that provides connectors and adapters to many security standards such as OAuth, SAML, basic authentication, etc. As with all Spring frameworks, it is designed to be highly customizable and adaptable to many security requirements.
Authentication and Authorization
The out-of-the-box security configuration for Flowable is deliberately simple and can be extended and adapted according to your needs.
Upon an authentication attempt, the user is loaded through the FlowablePlatformUserDetailsService (which is called from DaoAuthenticationProvider, as this class delegates to an instance of the UserDetailsService) and, given that the user exists, an instance of org.springframework.security.core.userdetails.UserDetails is created. The UserDetails object contains the following information:
- The username and password of the user
- Granted authorities for the user:
  - Group keys prefixed with GROUP_
  - Tenant id prefixed with TENANT_ (only needed for multi-tenant applications)
  - User definition key prefixed with USER_DEFINITION_KEY_
  - Authorities retrieved via the com.flowable.core.spring.security.UserDefinitionAuthoritiesProvider
After the Spring Security filter chain is executed, the Spring Security Context contains the authenticated user information, which is used for access control or other purposes. Flowable uses the com.flowable.core.spring.security.SecurityUtils to retrieve all the information needed for Flowable authorization.
SecurityScope
Every action uses com.flowable.core.common.api.security.SecurityScope to get the required information.
- SecurityScope#getUserId() provides the id of the current user.
- SecurityScope#getTenantId() provides the tenant id of the current user.
- SecurityScope#getGroupKeys() provides the group keys of the current user.
- SecurityScope#getUserDefinitionKey() provides the user definition key of the current user.
- SecurityScope#hasAuthority(String) provides a way to check if the current user has the given authority.
The SecurityScope is provided via a bean com.flowable.core.common.api.security.SecurityScopeProvider.
The default implementation uses the org.springframework.security.core.Authentication to get access to the relevant information.
- SecurityScope#getUserId() is retrieved via Authentication#getName().
- SecurityScope#getTenantId() is the first GrantedAuthority that is prefixed with TENANT_.
- SecurityScope#getGroupKeys() is all GrantedAuthority(ies) that have the GROUP_ prefix.
- SecurityScope#getUserDefinitionKey() is the first GrantedAuthority that is prefixed with USER_DEFINITION_KEY_.
- SecurityScope#hasAuthority(String) provides a way to check if the current user has the given authority.
For example, if the user has the following GrantedAuthority(ies)
- GROUP_user
- GROUP_admin
- TENANT_acme
- access-reports
the current user group keys are user and admin, and the current user tenant id is acme.
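As an added illustration (not code from Flowable or from this page), the following stand-alone Java program models the default derivation described above, and also shows the prefixed authorities that the UserDetails section earlier on this page describes. A hypothetical AuthenticationSecurityScope class stands in for the SecurityScope contract: it reads the user id, tenant id, group keys and user definition key from a Spring Security Authentication by matching and stripping the GROUP_, TENANT_ and USER_DEFINITION_KEY_ prefixes. The class name, the main method, the principal name jdoe and the authority USER_DEFINITION_KEY_employee are constructed assumptions; the other authorities are the ones from the example above. Only public Spring Security classes are used (UsernamePasswordAuthenticationToken, AuthorityUtils), so it compiles against spring-security-core without Flowable on the classpath.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example: a hypothetical stand-in for the SecurityScope contract described on this page.
// It is NOT Flowable's com.flowable.core.common.api.security.SecurityScope.
public class PrefixSecurityScopeExample {

    // Authority prefixes as documented on this page.
    static final String GROUP_PREFIX = "GROUP_";
    static final String TENANT_PREFIX = "TENANT_";
    static final String USER_DEFINITION_KEY_PREFIX = "USER_DEFINITION_KEY_";

    static class AuthenticationSecurityScope {
        private final Authentication authentication;

        AuthenticationSecurityScope(Authentication authentication) {
            this.authentication = authentication;
        }

        // User id comes from Authentication#getName().
        public String getUserId() {
            return authentication.getName();
        }

        // Tenant id is the first authority carrying the TENANT_ prefix (prefix removed).
        public String getTenantId() {
            return firstWithPrefix(TENANT_PREFIX);
        }

        // Group keys are all authorities carrying the GROUP_ prefix (prefix removed, order kept).
        public Set<String> getGroupKeys() {
            return authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .filter(a -> a.startsWith(GROUP_PREFIX))
                .map(a -> a.substring(GROUP_PREFIX.length()))
                .collect(Collectors.toCollection(LinkedHashSet::new));
        }

        // User definition key is the first authority carrying the USER_DEFINITION_KEY_ prefix.
        public String getUserDefinitionKey() {
            return firstWithPrefix(USER_DEFINITION_KEY_PREFIX);
        }

        // Exact match against the full authority string, prefix included.
        public boolean hasAuthority(String authority) {
            return authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(authority::equals);
        }

        // Returns null when no authority with the prefix is present, so callers must
        // treat a missing tenant or user definition key as "not set", not as empty string.
        private String firstWithPrefix(String prefix) {
            return authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .filter(a -> a.startsWith(prefix))
                .map(a -> a.substring(prefix.length()))
                .findFirst()
                .orElse(null);
        }
    }

    public static void main(String[] args) {
        // Constructed sample principal: the authorities from the page's example plus an
        // assumed USER_DEFINITION_KEY_employee authority. No credentials are needed here.
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(
            "GROUP_user", "GROUP_admin", "TENANT_acme",
            "USER_DEFINITION_KEY_employee", "access-reports");
        Authentication authentication =
            new UsernamePasswordAuthenticationToken("jdoe", null, authorities);

        AuthenticationSecurityScope scope = new AuthenticationSecurityScope(authentication);
        System.out.println("userId=" + scope.getUserId());
        System.out.println("tenantId=" + scope.getTenantId());
        System.out.println("groupKeys=" + scope.getGroupKeys());
        System.out.println("userDefinitionKey=" + scope.getUserDefinitionKey());
        System.out.println("hasAuthority(access-reports)=" + scope.hasAuthority("access-reports"));
        System.out.println("hasAuthority(TENANT_other)=" + scope.hasAuthority("TENANT_other"));
    }
}
```

Two points worth noticing when reviewing a custom UserDetailsService or SecurityScopeProvider: because the tenant id and user definition key are taken from the first matching authority, a principal that is accidentally granted two TENANT_ authorities resolves to whichever the user store returned first, so the identity source should guarantee at most one of each per user. And hasAuthority compares the full authority string including its prefix, so hasAuthority("GROUP_admin") and getGroupKeys().contains("admin") are two spellings of the same check, while hasAuthority("admin") would be false for this principal.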