package com.activiti.extension.bean;
import org.activiti.engine.impl.pvm.delegate.ActivityExecution;
import org.springframework.stereotype.Component;
@Component("helloWorldBean")
public class HelloWorldBean {
public void sayHello(ActivityExecution execution) {
System.out.println("Hello from " + this);
execution.setVariable("var3", " from the bean");
}
}
Build a jar with this class, and add it to the classpath. To use this bean in a service task, set the expression property to ${helloWorldBean.sayHello(execution)}.
It is possible to define custom configuration classes (using the Spring Java Config approach) if this is needed (for example when sharing dependencies between delegate beans, complex bean setup, etc.). The application automatically scans for configuration classes in the package com.activiti.extension.conf; package. For example:
package com.activiti.extension.conf;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class CustomConfiguration {
@Bean
public SomeBean someBean() {
return new SomeBean();
}
}
Which can be injected in the bean that will be called in a service task:
package com.activiti.extension.bean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.activiti.extension.conf.SomeBean;
@Component("helloWorldBeanWithInjection")
public class HelloWorldBeanWithInjection {
@Autowired
private SomeBean someBean;
public void sayHello() {
System.out.println(someBean.getValue());
}
}
To get the current user, it is possible to use the com.activiti.common.security.SecurityUtils helper class.
Bean Whitelisting
By default, you can specify any Spring bean for use in an expression. While this provides ease of use (since any beans you develop will be automatically scanned for as described above), it also increases the possibilities of misuse and security threats. To help prevent these issues from happening, you can whitelist Spring beans by making the following changes:
- Open the <InstallLocation>/tomcat/lib/activiti-app.properties file.
- Locate and set beans.whitelisting.enabled to
true.
beans.whitelisting.enabled=true
Note: If this property is missing from the activiti-app.properties file, beans whitelisting is disabled.
activiti-app/WEB-INF/classes/activiti/beans-whitelist.conf
Example usage of bean whitelisting:
${execution.setVariable('userCount', userService.getUserCount())}
If beans.whitelisting.enabled is set to false or the property is missing, the process is completed and the Display Text field should show the value of the usercount variable.
To complete the process successfully using bean whitelisting, you must set beans.whitelisting.enabled to true and add the bean name to beans-whitelist.conf:
# list bean names that should be whitelisted userService
- repositoryService
- formRepository
- objectMapper
- relatedContentService
- relatedContentProcessor
- historyService
- SkyVaultMetadataProcessor
This provides an alternative to bean whitelisting that enables more fine-grained control over what a developer can execute. For example, you can configure which patterns you allow to be executed using expressions.
You can also whitelist full class names or package patterns such as 'com.activiti.*'.
To whitelist service task classes, do the following:
- Open the <InstallLocation>/tomcat/lib/activiti-app.properties file.
- Locate and set
service.task.class.whitelisting.enabled
to
true.
service.task.class.whitelisting.enabled=true
Note: If this property is missing from the activiti-app.properties file, service task whitelisting is disabled.Note: To use SkyVault, Box or Google drive to publish tasks with service task whitelisting enabled, add the following entries to activiti-app/WEB-INF/classes/activiti/service-task-whitelist-classes.conf:- com.activiti.runtime.activiti.bean.BoxStepActivityBehavior
- com.activiti.runtime.activiti.bean.GoogleDriveStepActivityBehavior
- com.activiti.runtime.activiti.KickstartAlfrescoPublishDelegate