[jbpm-dev] jBPM5 Request for Comments - feedback
Alejandro Guizar
aguizar at redhat.com
Mon Apr 19 14:17:41 EDT 2010
El sáb, 17-04-2010 a las 09:40 -0400, Mauricio Salatino escribió:
> All the authorization part in my opinion should be left outside of the
> framework scope. Because it always depends on business needs.
> The way that it's handled in Drools Flow and in jBPM 3.2.x it's a good
> approach.
jBPM 3 does not "handle" the requirement It just ignores it. There is
even an "AuthorizationService" there, which never got implemented, yet
the idea was to have a permission-based scheme similar to the Java
platform's. Indeed, security should be configurable to business needs,
where the default is "allow all" in the absence of a security policy.
That does not mean the BPM engine cannot do anything but sidestep the
problem.
I was sufficiently impressed with the security extension to jBPM 4
presented in the InfoQ article below to push forward security (actually,
just authorization; authentication would still be delegated to the
application) as a feature of jBPM 5.
http://www.infoq.com/articles/authorizing_process_access
-Alejandro
More information about the jbpm-dev
mailing list