Starting with Flowable V6, the identity management (IDM) components have been extracted from the process engine module, and the logic has been moved to several separate modules: Flowable IDM API, Flowable IDM engine, Flowable IDM Spring and Flowable IDM engine configuration. The main reason for separating the IDM logic is that it is not part of the core of the Flowable engine: in many cases, when the Flowable engine is embedded in an application, that application neither uses nor needs identity logic.
By default, when the Flowable engine starts, the IDM engine is initialized and started as well. The result is the same identity logic that was available in Flowable v5. The IDM engine manages its own database schema and the following entities:
- User and UserEntity, user information.
- Group and GroupEntity, group information.
- MembershipEntity, the membership of users in groups.
- Privilege and PrivilegeEntity, a privilege definition (used, for example, to control access to UI applications such as the Flowable Modeler and the Flowable Task app).
- PrivilegeMappingEntity, which links users and/or groups to privileges.
- Token and TokenEntity, the authentication token used by the UI applications.
Because the database also holds historic entities for both past and ongoing instances, consider querying the history tables where they suffice, so that access to the runtime process instance tables is minimized and runtime execution stays efficient.
1. IDM engine configuration
By default, the Flowable engine uses org.flowable.engine.impl.cfg.IdmEngineConfigurator. This configurator uses the same data source configuration as the Flowable process engine configuration. Because the identity component is thereby configured in the same way as in Flowable v5, no additional configuration is required.
When identity logic is not required in the Flowable engine, the IDM engine can be disabled in the process engine configuration:
<bean id="processEngineConfiguration" class="org.flowable.engine.impl.cfg.StandaloneInMemProcessEngineConfiguration">
    <property name="disableIdmEngine" value="true" />
    ...
</bean>
This means that user and group queries cannot be used, and task queries can no longer resolve the candidate groups of a user (so candidate-group based task lookup for a user will not work).
By default, user passwords are stored in plain text in the IDM database table (the user table), so anyone with read access to the database or to a backup of it obtains every credential. To make sure passwords are stored encoded (hashed) rather than in the clear, define a password encoder in the process engine configuration:
<bean id="shaEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
<bean id="passwordEncoder" class="org.flowable.idm.spring.authentication.SpringEncoder">
    <constructor-arg ref="shaEncoder"/>
</bean>
<bean id="processEngineConfiguration" class="org.flowable.engine.impl.cfg.StandaloneInMemProcessEngineConfiguration">
    <property name="passwordEncoder" ref="passwordEncoder" />
    ...
</bean>
ShaPasswordEncoder is used in this example, but org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder can also be used. Note that ShaPasswordEncoder (from the old org.springframework.security.authentication.encoding package) is deprecated in Spring Security and produces a fast digest that is unsalted unless a salt source is configured, so a leaked table can be attacked offline with precomputed tables or GPU brute force; for new deployments prefer a slow, salted algorithm such as BCryptPasswordEncoder. Note also that when Spring is not used, org.flowable.idm.engine.impl.authentication.ApacheDigester (backed by Apache Commons Codec) can be used to encode the passwords; it too is a plain, fast digest rather than an adaptive password hash. Introducing an encoder does not migrate passwords that are already stored in plain text: those users must have their passwords reset or re-saved before they can authenticate against the new encoder.
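The following program shows the effect of the passwordEncoder property from plain Java instead of Spring XML. It is an added example, not code from the Flowable project or the original page, and it assumes a Flowable 6.x engine on the classpath together with flowable-idm-spring, spring-security-crypto and H2, and that SpringEncoder accepts a Spring Security crypto PasswordEncoder (as in recent 6.x releases). It builds two in-memory engines, one with the default (plain-text) behaviour and one with a bcrypt encoder, saves the same user in both, and compares what ends up stored; the user id and password are constructed sample values.

```java
import org.flowable.engine.IdentityService;
import org.flowable.engine.ProcessEngine;
import org.flowable.engine.ProcessEngineConfiguration;
import org.flowable.engine.impl.cfg.StandaloneInMemProcessEngineConfiguration;
import org.flowable.idm.api.User;
import org.flowable.idm.spring.authentication.SpringEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class PasswordEncoderDemo {

    // Builds an in-memory engine. With encoded=true a bcrypt encoder is installed,
    // which is the programmatic equivalent of the passwordEncoder XML property;
    // with encoded=false the default plain-text behaviour is kept for comparison.
    static ProcessEngine buildEngine(boolean encoded) {
        StandaloneInMemProcessEngineConfiguration cfg = new StandaloneInMemProcessEngineConfiguration();
        // Separate H2 databases so the two engines do not share a user table (assumed names).
        cfg.setJdbcUrl("jdbc:h2:mem:" + (encoded ? "idm-bcrypt" : "idm-plain") + ";DB_CLOSE_DELAY=1000");
        cfg.setDatabaseSchemaUpdate(ProcessEngineConfiguration.DB_SCHEMA_UPDATE_TRUE);
        if (encoded) {
            // Work factor 12: a slow, salted hash; bcrypt embeds its own salt in the output.
            cfg.setPasswordEncoder(new SpringEncoder(new BCryptPasswordEncoder(12)));
        }
        return cfg.buildProcessEngine();
    }

    // Saves a user with the given password and returns the value the IDM engine stored for it.
    static String storedPassword(ProcessEngine engine, String userId, String rawPassword) {
        IdentityService identityService = engine.getIdentityService();
        User user = identityService.newUser(userId);
        user.setPassword(rawPassword);
        identityService.saveUser(user);
        return identityService.createUserQuery().userId(userId).singleResult().getPassword();
    }

    public static void main(String[] args) {
        ProcessEngine plainEngine = buildEngine(false);
        ProcessEngine bcryptEngine = buildEngine(true);
        String userId = "kermit";            // constructed sample user
        String raw = "correct horse battery"; // constructed sample password

        String storedPlain = storedPassword(plainEngine, userId, raw);
        String storedBcrypt = storedPassword(bcryptEngine, userId, raw);

        // Default configuration: the raw password itself is what sits in the table.
        System.out.println("default encoder stores: " + storedPlain);
        // bcrypt configuration: a "$2a$12$..." hash; the raw password never reaches the table.
        System.out.println("bcrypt encoder stores : " + storedBcrypt);

        // Authentication goes through checkPassword and keeps working with the encoder in place,
        // because the encoder's isMatches() is used to compare the candidate against the hash.
        System.out.println("bcrypt check, right password: "
                + bcryptEngine.getIdentityService().checkPassword(userId, raw));
        System.out.println("bcrypt check, wrong password: "
                + bcryptEngine.getIdentityService().checkPassword(userId, "not the password"));

        plainEngine.close();
        bcryptEngine.close();
    }
}
```

Running it prints the raw password for the default engine and a bcrypt hash for the encoded one, followed by true and false for the two checkPassword calls. The same comparison is a useful acceptance test after enabling an encoder in an existing deployment: query the user table and confirm no row still carries a recognisable plain-text value.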
The default IDM engine configurator can also be overridden to initialize the IDM engine in a custom way. A good example is the LDAPConfigurator implementation, which replaces the default IDM engine with one that queries an LDAP server instead of the default IDM database tables. The idmProcessEngineConfigurator property of the process engine configuration is used to set a custom configurator such as LDAPConfigurator:
<bean id="processEngineConfiguration" class="...SomeProcessEngineConfigurationClass">
    ...
    <property name="idmProcessEngineConfigurator">
        <bean class="org.flowable.ldap.LDAPConfigurator">
            <!-- Server connection params -->
            <property name="server" value="ldap://localhost" />
            <property name="port" value="33389" />
            <property name="user" value="uid=admin, ou=users, o=flowable" />
            <property name="password" value="pass" />
            <!-- Query params -->
            <property name="baseDn" value="o=flowable" />
            <property name="queryUserByUserId" value="(&amp;(objectClass=inetOrgPerson)(uid={0}))" />
            <property name="queryUserByFullNameLike" value="(&amp;(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))" />
            <property name="queryGroupsForUser" value="(&amp;(objectClass=groupOfUniqueNames)(uniqueMember={0}))" />
            <!-- Attribute config -->
            <property name="userIdAttribute" value="uid" />
            <property name="userFirstNameAttribute" value="cn" />
            <property name="userLastNameAttribute" value="sn" />
            <property name="userEmailAttribute" value="mail" />
            <property name="groupIdAttribute" value="cn" />
            <property name="groupNameAttribute" value="cn" />
        </bean>
    </property>
</bean>
Two points to watch in this configuration. The ampersand in the LDAP filters must be written as &amp; inside XML attribute values, otherwise the Spring context will not parse. And the server, user and password values shown are local test settings: in production bind over TLS (ldaps:// or StartTLS) rather than plain ldap://, use a read-only service account with the minimum directory rights the queries need instead of an admin DN, and keep the bind password out of the checked-in XML (for example via a property placeholder).
The above article is from the Pangu BPM Research Institute: http://vue.pangubpm.com/
Translation corrections can be submitted at: https://github.com/qiudaoke/flowable-userguide