Examples of org.camunda.bpm.engine.authorization.Authorization

Package org.camunda.bpm.engine.authorization

Examples of org.camunda.bpm.engine.authorization.Authorization

org.camunda.bpm.engine.authorization.Authorization
An {@link Authorization} assigns a set of {@link Permission Permissions}to an identity to interact with a given {@link Resource}.

EXAMPLES:
- User 'jonny' is authorized to start new instances of the 'invoice' process
- Group 'marketing' is not authorized to cancel process instances.
- Group 'marketing' is not allowed to use the tasklist application.
- Nobody is allowed to edit process variables in the cockpit application, except the distinct user 'admin'.
Identities

camunda BPM distinguished two types of identities: users and groups. Authorizations can either range over all users (userId = {@link #ANY}), an individual {@link User} or a {@link Group} of users.
Permissions

A {@link Permission} defines the way an identity is allowed to interactwith a certain resource. Examples of permissions are {@link Permissions#CREATE CREATE}, {@link Permissions#READ READ}, {@link Permissions#UPDATE UPDATE}, {@link Permissions#DELETE DELETE}, ... See {@link Permissions} for a set ofbuilt-in permissions.

A single authorization object may assign multiple permissions to a single user and resource:
```
 authorization.addPermission(Permissions.READ); authorization.addPermission(Permissions.WRITE); authorization.addPermission(Permissions.DELETE); 
```
On top of the built-in permissions, camunda BPM allows using custom permission types.

Resources

Resources are the entities the user interacts with. Examples of resources are {@link Resources#GROUP GROUPS}, {@link Resources#USER USERS}, process-definitions, process-instances, tasks ... See {@link Resources} for a setof built-in resource. The camunda BPM framework supports custom resources.

Authorization Type

There are three types of authorizations:
- Global Authorizations ( {@link #AUTH_TYPE_GLOBAL}) range over all users and groups (userId = {@link #ANY}) and are usually used for fixing the "base" permission for a resource.
- Grant Authorizations ( {@link #AUTH_TYPE_GRANT}) range over users and groups and grant a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.
- Revoke Authorizations ( {@link #AUTH_TYPE_REVOKE}) range over users and groups and revoke a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.
Authorization Precedence

Authorizations may range over all users, an individual user or a group of users or . They may apply to an individual resource instance or all instances of the same type (resourceId = {@link #ANY}). The precedence is as follows:
1. An authorization applying to an individual resource instance preceds over an authorization applying to all instances of the same resource type.
2. An authorization for an individual user preceds over an authorization for a group.
3. A Group authorization preced over a {@link #AUTH_TYPE_GLOBAL GLOBAL} authorization.
4. A Group {@link #AUTH_TYPE_REVOKE REVOKE} authorization preced over a Group{@link #AUTH_TYPE_GRANT GRANT} authorization.
@author Daniel Meyer @since 7.0


    identityService.createMembership("john", "sales");
    identityService.createMembership("mary", "accounting");
    identityService.createMembership("peter", "management");


    Authorization demoAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    demoAuth.setUserId("demo");
    demoAuth.setResource(USER);
    demoAuth.setResourceId("demo");
    demoAuth.addPermission(ALL);
    authorizationService.saveAuthorization(demoAuth);


    Authorization johnAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    johnAuth.setUserId("john");
    johnAuth.setResource(USER);
    johnAuth.setResourceId("john");
    johnAuth.addPermission(ALL);
    authorizationService.saveAuthorization(johnAuth);


    Authorization maryAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    maryAuth.setUserId("mary");
    maryAuth.setResource(USER);
    maryAuth.setResourceId("mary");
    maryAuth.addPermission(ALL);
    authorizationService.saveAuthorization(maryAuth);


    Authorization peterAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    peterAuth.setUserId("peter");
    peterAuth.setResource(USER);
    peterAuth.setResourceId("peter");
    peterAuth.addPermission(ALL);
    authorizationService.saveAuthorization(peterAuth);


    Authorization accAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    accAuth.setGroupId("accounting");
    accAuth.setResource(GROUP);
    accAuth.setResourceId("accounting");
    accAuth.addPermission(READ);
    authorizationService.saveAuthorization(accAuth);


    Authorization salesAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    salesAuth.setGroupId("sales");
    salesAuth.setResource(GROUP);
    salesAuth.setResourceId("sales");
    salesAuth.addPermission(READ);
    authorizationService.saveAuthorization(salesAuth);


    Authorization manAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    manAuth.setGroupId("management");
    manAuth.setResource(GROUP);
    manAuth.setResourceId("management");
    manAuth.addPermission(READ);
    authorizationService.saveAuthorization(manAuth);


    Authorization salesDemoAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    salesDemoAuth.setGroupId("sales");
    salesDemoAuth.setResource(USER);
    salesDemoAuth.setResourceId("demo");
    salesDemoAuth.addPermission(READ);
    authorizationService.saveAuthorization(salesDemoAuth);


    Authorization salesJohnAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    salesJohnAuth.setGroupId("sales");
    salesJohnAuth.setResource(USER);
    salesJohnAuth.setResourceId("john");
    salesJohnAuth.addPermission(READ);
    authorizationService.saveAuthorization(salesJohnAuth);


    Authorization manDemoAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    manDemoAuth.setGroupId("management");
    manDemoAuth.setResource(USER);
    manDemoAuth.setResourceId("demo");
    manDemoAuth.addPermission(READ);
    authorizationService.saveAuthorization(manDemoAuth);


    Authorization manPeterAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    manPeterAuth.setGroupId("management");
    manPeterAuth.setResource(USER);
    manPeterAuth.setResourceId("peter");
    manPeterAuth.addPermission(READ);
    authorizationService.saveAuthorization(manPeterAuth);


    Authorization accDemoAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    accDemoAuth.setGroupId("accounting");
    accDemoAuth.setResource(USER);
    accDemoAuth.setResourceId("demo");
    accDemoAuth.addPermission(READ);
    authorizationService.saveAuthorization(accDemoAuth);


    Authorization accMaryAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    accMaryAuth.setGroupId("accounting");
    accMaryAuth.setResource(USER);
    accMaryAuth.setResourceId("mary");
    accMaryAuth.addPermission(READ);
    authorizationService.saveAuthorization(accMaryAuth);


    List<String> groups = new ArrayList<String>();
    groups.add("management");
    groups.add("accounting");

View Full Code Here


  public void testUserOverrideGlobalRevokeAuthorizationCheck() {
    TestResource resource1 = new TestResource("resource1", 100);


    // create global authorization which revokes all permissions to all users  (on resource1):
    Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
    globalGrant.setResource(resource1);
    globalGrant.setResourceId(ANY);
    globalGrant.removePermission(ALL);
    authorizationService.saveAuthorization(globalGrant);


    // add READ for jonny
    Authorization localRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    localRevoke.setUserId("jonny");
    localRevoke.setResource(resource1);
    localRevoke.setResourceId(ANY);
    localRevoke.addPermission(READ);
    authorizationService.saveAuthorization(localRevoke);


    // jonny does not have ALL permissions
    assertFalse(authorizationService.isUserAuthorized("jonny", null, ALL, resource1));
    // jonny can read

View Full Code Here

    cleanupAfterTest();
    super.tearDown();
  }


  public void testGlobalAuthorizationType() {
    Authorization globalAuthorization = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
    // I can set userId = null
    globalAuthorization.setUserId(null);
    // I can set userId = ANY
    globalAuthorization.setUserId(ANY);


    try {
      // I cannot set anything else:
      globalAuthorization.setUserId("something");
      fail("exception expected");


    } catch (Exception e) {
      assertTextPresent("Illegal value something for userId for GLOBAL authorization. must be '*'", e.getMessage());


    }


    // I can set groupId = null
    globalAuthorization.setGroupId(null);


    try {
      // I cannot set anything else:
      globalAuthorization.setGroupId("something");
      fail("exception expected");


    } catch (Exception e) {
      assertTextPresent("Cannot use groupId for GLOBAL authorization", e.getMessage());
    }

View Full Code Here

      assertTextPresent("Cannot use groupId for GLOBAL authorization", e.getMessage());
    }
  }


  public void testGrantAuthorizationType() {
    Authorization grantAuthorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    // I can set userId = null
    grantAuthorization.setUserId(null);
    // I can set userId = ANY
    grantAuthorization.setUserId(ANY);
    // I can set anything else:
    grantAuthorization.setUserId("something");
    // I can set groupId = null
    grantAuthorization.setGroupId(null);
    // I can set anything else:
    grantAuthorization.setGroupId("something");
  }

View Full Code Here

    // I can set anything else:
    grantAuthorization.setGroupId("something");
  }


  public void testRevokeAuthorizationType() {
    Authorization revokeAuthorization = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
    // I can set userId = null
    revokeAuthorization.setUserId(null);
    // I can set userId = ANY
    revokeAuthorization.setUserId(ANY);
    // I can set anything else:
    revokeAuthorization.setUserId("something");
    // I can set groupId = null
    revokeAuthorization.setGroupId(null);
    // I can set anything else:
    revokeAuthorization.setGroupId("something");
  }

View Full Code Here


    // initially, no authorization exists:
    assertEquals(0, authorizationService.createAuthorizationQuery().count());


    // simple create / delete with userId
    Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    authorization.setUserId("aUserId");
    authorization.setResource(resource1);


    // save the authorization
    authorizationService.saveAuthorization(authorization);
    // authorization exists
    assertEquals(1, authorizationService.createAuthorizationQuery().count());
    // delete the authorization
    authorizationService.deleteAuthorization(authorization.getId());
    // it's gone
    assertEquals(0, authorizationService.createAuthorizationQuery().count());


  }

View Full Code Here


    // initially, no authorization exists:
    assertEquals(0, authorizationService.createAuthorizationQuery().count());


    // simple create / delete with userId
    Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    authorization.setGroupId("aGroupId");
    authorization.setResource(resource1);


    // save the authorization
    authorizationService.saveAuthorization(authorization);
    // authorization exists
    assertEquals(1, authorizationService.createAuthorizationQuery().count());
    // delete the authorization
    authorizationService.deleteAuthorization(authorization.getId());
    // it's gone
    assertEquals(0, authorizationService.createAuthorizationQuery().count());


  }

View Full Code Here


    TestResource resource1 = new TestResource("resource1",100);


    // case 1: no user id & no group id ////////////


    Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    authorization.setResource(resource1);


    try {
      authorizationService.saveAuthorization(authorization);
      fail("exception expected");
    } catch(ProcessEngineException e) {
      assertTrue(e.getMessage().contains("Authorization must either have a 'userId' or a 'groupId'."));
    }


    // case 2: both user id & group id ////////////


    authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    authorization.setGroupId("someId");
    authorization.setUserId("someOtherId");
    authorization.setResource(resource1);


    try {
      authorizationService.saveAuthorization(authorization);
      fail("exception expected");
    } catch(ProcessEngineException e) {
      assertTextPresent("Authorization must either have a 'userId' or a 'groupId'.", e.getMessage());
    }


    // case 3: no resourceType ////////////


    authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    authorization.setUserId("someId");


    try {
      authorizationService.saveAuthorization(authorization);
      fail("exception expected");
    } catch(ProcessEngineException e) {
      assertTrue(e.getMessage().contains("Authorization 'resourceType' cannot be null."));
    }


    // case 4: no permissions /////////////////


    authorization = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
    authorization.setUserId("someId");


    try {
      authorizationService.saveAuthorization(authorization);
      fail("exception expected");
    } catch(ProcessEngineException e) {

View Full Code Here


  public void testUniqueUserConstraints() {


    TestResource resource1 = new TestResource("resource1",100);


    Authorization authorization1 = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    Authorization authorization2 = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);


    authorization1.setResource(resource1);
    authorization1.setResourceId("someId");
    authorization1.setUserId("someUser");


    authorization2.setResource(resource1);
    authorization2.setResourceId("someId");
    authorization2.setUserId("someUser");


    // the first one can be saved
    authorizationService.saveAuthorization(authorization1);


    // the second one cannot
    try {
      authorizationService.saveAuthorization(authorization2);
      fail("exception expected");
    } catch(ProcessEngineException e) {
      //expected
    }


    // but I can add a AUTH_TYPE_REVOKE auth


    Authorization authorization3 = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);


    authorization3.setResource(resource1);
    authorization3.setResourceId("someId");
    authorization3.setUserId("someUser");


    authorizationService.saveAuthorization(authorization3);


    // but not a second


    Authorization authorization4 = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);


    authorization4.setResource(resource1);
    authorization4.setResourceId("someId");
    authorization4.setUserId("someUser");


    try {
      authorizationService.saveAuthorization(authorization4);
      fail("exception expected");
    } catch(Exception e) {

View Full Code Here


  public void testUniqueGroupConstraints() {


    TestResource resource1 = new TestResource("resource1",100);


    Authorization authorization1 = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    Authorization authorization2 = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);


    authorization1.setResource(resource1);
    authorization1.setResourceId("someId");
    authorization1.setGroupId("someGroup");


    authorization2.setResource(resource1);
    authorization2.setResourceId("someId");
    authorization2.setGroupId("someGroup");


    // the first one can be saved
    authorizationService.saveAuthorization(authorization1);


    // the second one cannot
    try {
      authorizationService.saveAuthorization(authorization2);
      fail("exception expected");
    } catch(Exception e) {
      //expected
    }


    // but I can add a AUTH_TYPE_REVOKE auth


    Authorization authorization3 = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);


    authorization3.setResource(resource1);
    authorization3.setResourceId("someId");
    authorization3.setGroupId("someGroup");


    authorizationService.saveAuthorization(authorization3);


    // but not a second


    Authorization authorization4 = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);


    authorization4.setResource(resource1);
    authorization4.setResourceId("someId");
    authorization4.setGroupId("someGroup");


    try {
      authorizationService.saveAuthorization(authorization4);
      fail("exception expected");
    } catch(Exception e) {

View Full Code Here

0 1 2 3 4 5 6 7

TOP

Related Classes of org.camunda.bpm.engine.authorization.Authorization

org.camunda.bpm.engine.rest.AbstractAuthorizationRestServiceInteractionTest

org.camunda.bpm.engine.rest.AbstractAuthorizationRestServiceQueryTest

org.camunda.bpm.engine.rest.helper.MockProvider

org.camunda.bpm.engine.rest.impl.AuthorizationRestServiceImpl

org.camunda.bpm.engine.rest.sub.authorization.impl.AuthorizationResourceImpl

org.camunda.bpm.engine.test.api.filter.FilterAuthorizationsTest

org.camunda.bpm.engine.test.api.identity.AuthorizationQueryTest

org.camunda.bpm.engine.test.api.identity.AuthorizationServiceAuthorizationsTest

org.camunda.bpm.engine.test.api.identity.AuthorizationServiceTest

org.camunda.bpm.engine.test.api.identity.DefaultAuthorizationProviderTest

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.

Examples of org.camunda.bpm.engine.authorization.Authorization

Identities

Permissions

Resources

Authorization Type

Authorization Precedence

Related Classes of org.camunda.bpm.engine.authorization.Authorization