Security Realm
The security realm service integrates with the server's underlying authentication and authorization service and is responsible for resolving the abstract performer names listed in an activity definition into concrete runtime security principals. A principal can represent either a group or a user. Group expansion is performed externally by the workflow engine if necessary.
Principals
Participant meta-data are used to register security principal types; principals and groups are used to register security identities. The basic security realm implementation that comes with OBE stores these data in the configuration file BasicSecurityRealm.xml; the instances have this format:
<entry key="nmtoken">
    <instance xsi:type="obe:principal" name="nmtoken" full-name="string"? email="string"? />
</entry>
<entry key="nmtoken">
    <instance xsi:type="obe:group" name="nmtoken" full-name="string"? email="string"?>
        <principal>user-id</principal>*
        <group>group-id</group>*
    </instance>
</entry>
- key: The key used to locate the principal. Corresponds to a performer name in the comma-separated string in the <xpdl:Performer> element.
- instance: Contains an actual instance of a security principal. The xsi:type attribute indicates the runtime class, which will implement either java.security.Principal or java.security.acl.Group.
- name: The unique principal name.
- full-name: The principal's full name.
- email: The principal's email address (assumed to be SMTP).
- principal: Identifies, by reference to its unique key, another principal which is a member of this group.
- group: Identifies, by reference to its unique key, a nested group which is a member of this group.
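As an added illustration (not OBE's own code), the following Python shows how a realm file in this layout can be indexed by entry key and how a comma-separated performer string resolves to concrete user names, expanding nested groups while refusing to loop on groups that reference each other. The sample XML, its root element name and the use of the standard XSI namespace for xsi:type are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample in the BasicSecurityRealm.xml layout (root element name,
# users and groups are assumptions); "reviewers" and "approvers" nest each other.
SAMPLE_REALM = """<realm xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <entry key="alice"><instance xsi:type="obe:principal" name="alice" email="alice@example.org"/></entry>
  <entry key="bob"><instance xsi:type="obe:principal" name="bob"/></entry>
  <entry key="reviewers">
    <instance xsi:type="obe:group" name="reviewers">
      <principal>alice</principal>
      <group>approvers</group>
    </instance>
  </entry>
  <entry key="approvers">
    <instance xsi:type="obe:group" name="approvers">
      <principal>bob</principal>
      <group>reviewers</group>
    </instance>
  </entry>
</realm>"""

def load_realm(xml_text):
    """Index entries by key as (kind, element); kind is 'principal' or 'group'."""
    realm = {}
    for entry in ET.fromstring(xml_text).findall("entry"):
        inst = entry.find("instance")
        kind = inst.get(XSI_TYPE, "").split(":")[-1]
        if kind not in ("principal", "group"):
            raise ValueError("entry %r has unknown xsi:type" % entry.get("key"))
        realm[entry.get("key")] = (kind, inst)
    return realm

def expand(realm, key, seen=None):
    """Return the user names reachable from key; 'seen' breaks group cycles."""
    seen = set() if seen is None else seen
    if key not in realm:
        raise KeyError("performer %r has no realm entry" % key)
    if key in seen:                  # nested group already expanded: stop here
        return set()
    seen.add(key)
    kind, inst = realm[key]
    if kind == "principal":
        return {inst.get("name")}
    members = inst.findall("principal") + inst.findall("group")
    return set().union(*(expand(realm, m.text.strip(), seen) for m in members))

def resolve_performers(realm, performers):
    """Resolve an <xpdl:Performer> comma-separated string to concrete user names."""
    return set().union(*(expand(realm, k.strip()) for k in performers.split(",")))
```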