目录
snowy开源版本拉取:
springboot与camunda版本对比:
camunda7.15版本相关依赖,引入snowy-main中的pom文件:
snowy父pom将spring-boot-starter-parent版本进行(选择性)修改为2.4.3
yaml camunda的账户配置(选择性)
SnowyApplication启动类进行修改,添加camunda注解@EnableProcessApplication
将camunda接口相关权限放开SpringSecurityConstant:
启动后端,访问地址:http://localhost:82/camunda/app/welcome/default/#!/login
接管小诺放行的请求,开启camunda的请求拦截(鉴权):
sso自动登录
sso前后端密文传输
自动登录测试
对camunda的鉴权进行自定义(选择性使用)
放行camunda请求的,请求头校验
camunda鉴权开启效果
camunda web页面开启汉化
嵌入式表单位置:/resources/static/forms
snowy开源版本拉取:
springboot与camunda版本对比:
camunda7.15版本相关依赖,引入snowy-main中的pom文件:
<!--camunda的依赖包start-->
<dependency>
<groupId>org.camunda.bpm.springboot</groupId>
<artifactId>camunda-bpm-spring-boot-starter-rest</artifactId>
<version>7.15.0</version>
</dependency>
<dependency>
<groupId>org.camunda.bpm.springboot</groupId>
<artifactId>camunda-bpm-spring-boot-starter-webapp</artifactId>
<version>7.15.0</version>
</dependency>
<dependency>
<groupId>org.camunda.bpm</groupId>
<artifactId>camunda-engine-plugin-spin</artifactId>
<version>7.15.0</version>
</dependency>
<dependency>
<groupId>org.camunda.spin</groupId>
<artifactId>camunda-spin-dataformat-all</artifactId>
<version>1.11.0</version>
</dependency>
<!--camunda的依赖包end-->
snowy父pom将spring-boot-starter-parent版本进行(选择性)修改为2.4.3
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<!-- <version>2.3.1.RELEASE</version>-->
<version>2.4.3</version>
</parent>
yaml camunda的账户配置(选择性)
如果不进行配置,那么在你登录的camunda官方提供的web页面时,camunda也会要求你初始化一个超级管理员的账户
camunda.bpm.admin-user:
id: superAdmin
password: 123456
SnowyApplication启动类进行修改,添加camunda注解@EnableProcessApplication
// 防止过滤器创建报空指针异常(2-1)(springSecurityConstant需要放开路径:"/camunda/api/engine")
@EnableProcessApplication
@SpringBootApplication
public class SnowyApplication {……}
将camunda接口相关权限放开SpringSecurityConstant:
public interface SpringSecurityConstant {
/**
* 放开权限校验的接口
*/
String[] NONE_SECURITY_URL_PATTERNS = {
……
// modeler 流程部署接口
"/engine-rest/**",
// modeler 表单部署
"/forms/**",
// camunda工作流(web)
"/camunda/**",
// 防止过滤器创建报空指针异常(2-2)(启动类需要启用:@EnableProcessApplication)
"/camunda/api/engine"
};
}
启动后端,访问地址:http://localhost:82/camunda/app/welcome/default/#!/login
接管小诺放行的请求,开启camunda的请求拦截(鉴权):
package vip.xiaonuo.camunda.common.auth.filter;
import org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
/**
* 开启鉴权后,camunda的web请求(包含流程设计器),会在请求头中携带以Basic开头的authorization请求头,
* 此时要确保自己的系统不会拦截以Basic开头的请求头
*
* @author 每天一点
*/
@Configuration
public class CamundaSecurityFilter {
@Bean
public FilterRegistrationBean<ProcessEngineAuthenticationFilter> processEngineAuthenticationFilter() {
FilterRegistrationBean<ProcessEngineAuthenticationFilter> registration = new FilterRegistrationBean<>(new ProcessEngineAuthenticationFilter());
// registration.setName("camunda-auth-api");
// registration.setFilter(new ProcessEngineAuthenticationFilter());
// camunda官方提供的鉴权(推荐)
registration.addInitParameter("authentication-provider",
"org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider");
// 根据camunda官方提供的鉴权进行改写(如果自己的系统不需要访问官方的接口,那么推荐使用camunda的鉴权)
// processEngineAuthenticationFilterRegistrationBean.addInitParameter("authentication-provider",
// "vip.xiaonuo.camunda.common.auth.provider.CamundaAuthenticationProvider");
registration.addUrlPatterns("/engine-rest/*");
registration.setOrder(2);
return registration;
}
}
sso自动登录
package vip.xiaonuo.camunda.common.auth.config;
import org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter;
import org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import vip.xiaonuo.camunda.common.auth.filter.AutoLoginAuthenticationFilter;
/**
* 开启鉴权后,camunda的web请求(包含流程设计器),会在请求头中携带以Basic开头的authorization请求头,
* 此时要确保自己的系统不会拦截以Basic开头的请求头
*
* @author 每天一点
*/
@Configuration
public class CamundaSecurityConfig {
// ContainerBasedAuthenticationFilter、ContainerBasedAuthenticationProvider
@Bean
public FilterRegistrationBean<AutoLoginAuthenticationFilter> containerBasedAuthenticationFilter() {
FilterRegistrationBean<AutoLoginAuthenticationFilter> registration = new FilterRegistrationBean<>();
registration.setName("camunda-auth-web");
registration.setFilter(new AutoLoginAuthenticationFilter());
registration.addUrlPatterns("/camunda/app/*" , "/camunda/api/*");
registration.setOrder(1);
return registration;
}
@Bean
public FilterRegistrationBean<ProcessEngineAuthenticationFilter> processEngineAuthenticationFilter() {
……………………
}
}
package vip.xiaonuo.camunda.common.auth.filter;
import static org.camunda.bpm.engine.authorization.Permissions.ACCESS;
import static org.camunda.bpm.engine.authorization.Resources.APPLICATION;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.camunda.bpm.BpmPlatform;
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.identity.Tenant;
import org.camunda.bpm.webapp.impl.security.SecurityActions;
import org.camunda.bpm.webapp.impl.security.SecurityActions.SecurityAction;
import org.camunda.bpm.webapp.impl.security.auth.Authentication;
import org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter;
import org.camunda.bpm.webapp.impl.security.auth.Authentications;
import org.camunda.bpm.webapp.impl.security.auth.UserAuthentication;
/**
* Replaces {@link AuthenticationFilter} by an extension which can auto-logon a
* user by given username as URL parameter, e.g.
*
* http://localhost:82/camunda/?auto-login-username=admin
*
* 任务列表
* http://localhost:82/camunda/app/tasklist/?auto-login-username=admin
* cockpit
* http://localhost:82/camunda/app/cockpit/?auto-login-username=admin
* tasklist
* http://localhost:82/camunda/app/tasklist/?auto-login-username=admin
*
* Of course this IS A SECURITY ISSUE! It is only meant to be used in test
* environments
*
* @author 每天一点
*/
public class AutoLoginAuthenticationFilter implements Filter {
private static final String[] APPS = new String[] { "cockpit", "tasklist", "admin", "welcome" };
@Override
public void init(FilterConfig arg0) throws ServletException {
}
@Override
public void destroy() {
}
@Override
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
final HttpServletRequest req = (HttpServletRequest) request;
// get authentication from session
Authentications authentications = Authentications.getFromSession(req.getSession());
// This function is added to the normal AuthenticationFilter
setAutoLoginAuthentication(request, authentications);
// set current authentication to the one restored from session (maybe
// auto login was added)
Authentications.setCurrent(authentications);
try {
SecurityActions.runWithAuthentications(new SecurityAction<Void>() {
@Override
public Void execute() {
try {
chain.doFilter(request, response);
} catch (Exception e) {
throw new RuntimeException(e);
}
return null;
}
}, authentications);
} finally {
Authentications.clearCurrent();
// store updated authentication object in session for next request
Authentications.updateSession(req.getSession(), authentications);
}
}
/**
* Reads the auto-login-username from the URL parameters and create an
* {@link Authentication} for it containing its groups, tenants and
* authorized apps.
*
* No password check is done here, so you can log onto every user without a
* password. Only makes sense in demo environments!
*/
protected void setAutoLoginAuthentication(final ServletRequest request, Authentications authentications) {
final HttpServletRequest req = (HttpServletRequest) request;
final ProcessEngine engine = getEngine();
// Get the username from the user in SSO
String username = retrieveUsername(req);
// if not set - no auto login
if (username == null) {
return;
}
// if already in the list of logged in users - nothing to do
Authentication authentication = authentications.getAuthenticationForProcessEngine(engine.getName());
if (authentication != null && authentication.getName() == username) {
return;
}
AuthorizationService authorizationService = engine.getAuthorizationService();
// query group information
List<String> groupIds = getGroupsOfUser(engine, username);
List<String> tenantIds = getTenantsOfUser(engine, username);
// check user's app authorizations by iterating of list of apps and ask
// if permitted
HashSet<String> authorizedApps = new HashSet<String>();
authorizedApps.add("admin");
if (engine.getProcessEngineConfiguration().isAuthorizationEnabled()) {
for (String application : APPS) {
if (authorizationService.isUserAuthorized(username, groupIds, ACCESS, APPLICATION, application)) {
authorizedApps.add(application);
}
}
} else {
Collections.addAll(authorizedApps, APPS);
}
// create new authentication object to store authentication
UserAuthentication newAuthentication = new UserAuthentication(username, engine.getName());
newAuthentication.setGroupIds(groupIds);
newAuthentication.setTenantIds(tenantIds);
newAuthentication.setAuthorizedApps(authorizedApps);
// and add the new logged in user
authentications.addAuthentication(newAuthentication);
}
/**
* Get the username - this is different based on the SSO technology used,
* see e.g.
* https://github.com/camunda/camunda-sso-jboss/blob/master/camunda-bpm-
* build-webapp/src/main/java/de/novatec/bpm/webapp/impl/security/auth/
* AuthenticationFilter.java#L57 for an implementation using Kerberos on
* JBoss AS 7
*/
protected String retrieveUsername(final HttpServletRequest req) {
// Simply read it from a URL parameter in this case
return req.getParameter("auto-login-username");
}
/**
* copied from
* org.camunda.bpm.webapp.impl.security.auth.UserAuthenticationResource
*/
protected List<String> getGroupsOfUser(ProcessEngine engine, String userId) {
List<Group> groups = engine.getIdentityService().createGroupQuery().groupMember(userId).list();
List<String> groupIds = new ArrayList<String>();
for (Group group : groups) {
groupIds.add(group.getId());
}
return groupIds;
}
protected List<String> getTenantsOfUser(ProcessEngine engine, String userId) {
List<Tenant> tenants = engine.getIdentityService().createTenantQuery().userMember(userId).includingGroupsOfUser(true).list();
List<String> tenantIds = new ArrayList<String>();
for (Tenant tenant : tenants) {
tenantIds.add(tenant.getId());
}
return tenantIds;
}
private ProcessEngine getEngine() {
// TODO: Only works in single engine environment!
return BpmPlatform.getDefaultProcessEngine();
}
}
sso前后端密文传输
base64加密(时间戳+';'+用户名)
- 后端解密:修改retrieveUsername方法
protected String retrieveUsername(final HttpServletRequest req) {
// Simply read it from a URL parameter in this case
String parameter = req.getParameter("auto-login-username");
if(ObjectUtil.isEmpty(parameter)){
return null;
}
String decodedCredentials = new String(Base64.decodeBase64(parameter));
int firstColonIndex = decodedCredentials.indexOf(":");
if (firstColonIndex == -1) {
return null;
}else {
String timeStamp = decodedCredentials.substring(0, firstColonIndex);
long timeDelta = System.currentTimeMillis() - Long.parseLong(timeStamp);
if(timeDelta < 0 || timeDelta > 100000){
return null;
}
return decodedCredentials.substring(firstColonIndex + 1);
}
}
- 前端加密
<template>
<div>
<a-button type="primary" @click="welcomeClick">
welcome
</a-button>
<!-- <iframe id="iframe" height="580px" :src="srcUrl" style="width:100%;overflow:hidden;" frameBorder="0">-->
<!-- </iframe>-->
</div>
</template>
<script>
const Base64 = require('js-base64').Base64
export default {
name: 'Index',
data() {
return {
srcUrl: ''
}
},
mounted() {
// this.srcUrl = process.env.VUE_APP_API_BASE_URL + '/camunda/app/welcome/?auto-login-username=admin'
},
methods: {
welcomeClick() {
const param = Base64.encode((new Date().getTime() + ':admin'))
window.open(process.env.VUE_APP_API_BASE_URL + '/camunda/app/welcome/?auto-login-username=' + param, '_blank')
}
}
}
</script>
<style scoped>
</style>
自动登录测试
http://localhost:82/camunda/app/welcome/?auto-login-username=admin
对camunda的鉴权进行自定义(选择性使用)
如果自己的系统要直接访问camunda官方提供的接口,那么就需要对camunda的鉴权进行自定义,可参考以下内容:
package vip.xiaonuo.camunda.common.auth.provider;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.identity.User;
import org.camunda.bpm.engine.impl.digest._apacheCommonsCodec.Base64;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.springframework.util.StringUtils;
import vip.xiaonuo.core.context.login.LoginContextHolder;
import vip.xiaonuo.core.pojo.login.SysLoginUser;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.HttpHeaders;
/**
* 如果想在自己的系统中访问camunda官方提供的接口,那么就需要对鉴权部分进行重写
* @author 每天一点
*/
public class CamundaAuthenticationProvider implements AuthenticationProvider {
protected static final String BASIC_AUTH_HEADER_PREFIX = "Basic ";
protected static final String TOKEN_TYPE_BEARER = "Bearer";
@Override
public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
String authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
if (authorizationHeader != null) {
if(authorizationHeader.startsWith(BASIC_AUTH_HEADER_PREFIX)){
String encodedCredentials = authorizationHeader.substring(BASIC_AUTH_HEADER_PREFIX.length());
String decodedCredentials = new String(Base64.decodeBase64(encodedCredentials));
int firstColonIndex = decodedCredentials.indexOf(":");
if (firstColonIndex != -1) {
String userName = decodedCredentials.substring(0, firstColonIndex);
String password = decodedCredentials.substring(firstColonIndex + 1);
if (isAuthenticated(engine, userName, password)) {
return AuthenticationResult.successful(userName);
}
}
}
if(authorizationHeader.startsWith(TOKEN_TYPE_BEARER)){
SysLoginUser sysLoginUser = LoginContextHolder.me().getSysLoginUser();
// AuthService authService = SpringUtil.getBean(AuthService.class);
User user = engine.getIdentityService().createUserQuery().userId(sysLoginUser.getAccount()).singleResult();
if(!StringUtils.isEmpty(user)){
return AuthenticationResult.successful(user.getId());
}
}
}
return AuthenticationResult.unsuccessful();
}
protected boolean isAuthenticated(ProcessEngine engine, String userName, String password) {
return engine.getIdentityService().checkPassword(userName, password);
}
@Override
public void augmentResponseByAuthenticationChallenge(
HttpServletResponse response, ProcessEngine engine) {
response.setHeader(HttpHeaders.WWW_AUTHENTICATE, BASIC_AUTH_HEADER_PREFIX + "realm=\"" + engine.getName() + "\"");
}
}
放行camunda请求的,请求头校验
camunda开启鉴权后,官方的web请求会在请求头中携带authorization且以Basic作为开头,目前很多国内的系统,在鉴权的过程中,大部分都是先判断请求头中的是否含有authorization,如果有那么就判断是头是以Bearer作为开头,如果不是的话,那么就认为该请求头不符合规范,返回给前端;所以要想camunda的接口能够正常使用,那么就需要对框架中的这部分逻辑进行改进,以小诺框架为例,可参考以下内容:
注意这是一个坑:camunda的流程设计器,在鉴权未开启时,请求头中的authorization也会携带内容传递给后端,此时携带的内容为“undefined”字符串,针对这种情况,后端在针对这种情况时,也要进行放行
@Override
public String getTokenFromRequest(HttpServletRequest request) {
String authToken = request.getHeader(CommonConstant.AUTHORIZATION);
// 放行camunda以Basic开头的请求头
if (ObjectUtil.isEmpty(authToken) || CommonConstant.UNDEFINED.equals(authToken)||authToken.startsWith(CommonConstant.TOKEN_TYPE_BASIC)) {
return null;
} else {
//token不是以Bearer打头,则响应回格式不正确
if (!authToken.startsWith(CommonConstant.TOKEN_TYPE_BEARER)) {
throw new AuthException(AuthExceptionEnum.NOT_VALID_TOKEN_TYPE);
}
try {
authToken = authToken.substring(CommonConstant.TOKEN_TYPE_BEARER.length() + 1);
} catch (StringIndexOutOfBoundsException e) {
throw new AuthException(AuthExceptionEnum.NOT_VALID_TOKEN_TYPE);
}
}
return authToken;
}
camunda鉴权开启效果
- 流程设计器发生的变化:
Download The Camunda BPMN / DMN Process Modeler | CamundaA free and easy-to-use desktop app for editing BPMN Process Diagrams, DMN Decision Tables, and Forms. Camunda Modeler supports BPMN 2.0 and DMN 1.3.https://camunda.com/download/modeler/部署请求地址:http://localhost:82/engine-rest
- camunda官方web发生的变化:
此时再访问后端的接口在未登录的情况下访问:http://localhost:82/camunda/api/engine/engine/default/task/43483a51-2524-11ec-9fe5-861b7790c7c0
会出现如下效果:
camunda web页面开启汉化
.目录结构如下:
除了cockpit,admin和task,都汉化过了,注意:汉化区分版本7.14版本的汉化过程与7.15版本是有区别的,这是7.15版本的汉化过程。
效果如下: