    package com.activiti.extension.bean;

    import org.activiti.engine.impl.pvm.delegate.ActivityExecution;
    import org.springframework.stereotype.Component;

    // Registered as a Spring bean named "helloWorldBean", so expressions
    // can reference it by that name.
    @Component("helloWorldBean")
    public class HelloWorldBean {

        public void sayHello(ActivityExecution execution) {
            System.out.println("Hello from " + this);
            // Sets the process variable var3 on the current execution.
            execution.setVariable("var3", " from the bean");
        }
    }

Build a jar with this class, and add it to the classpath. To use this bean in a service task, set the expression property to ${helloWorldBean.sayHello(execution)}.
    package com.activiti.extension.conf;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class CustomConfiguration {

        // Exposes a SomeBean instance to the Spring context.
        @Bean
        public SomeBean someBean() {
            return new SomeBean();
        }
    }

    package com.activiti.extension.bean;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.stereotype.Component;

    import com.activiti.extension.conf.SomeBean;

    @Component("helloWorldBeanWithInjection")
    public class HelloWorldBeanWithInjection {

        // Injected by Spring.
        @Autowired
        private SomeBean someBean;

        public void sayHello() {
            System.out.println(someBean.getValue());
        }
    }

To get the current user, it is possible to use the com.activiti.common.security.SecurityUtils helper class.
Bean Whitelisting
By default, you can specify any Spring bean for use in an expression. While this provides ease of use (since any beans you develop will be automatically scanned for as described above), it also increases the possibilities of misuse and security threats. To help prevent these issues from happening, you can whitelist Spring beans by making the following changes:
- Open the <InstallLocation>/tomcat/lib/activiti-app.properties file.
- Locate and set beans.whitelisting.enabled to true.
    beans.whitelisting.enabled=true
  Note: If this property is missing from the activiti-app.properties file, beans whitelisting is disabled.
- To whitelist Spring beans, use the following configuration setting:
    activiti-app/WEB-INF/classes/activiti/beans-whitelist.conf
Example usage of bean whitelisting:
${execution.setVariable('userCount', userService.getUserCount())}
If beans.whitelisting.enabled is set to false or the property is missing, the process is completed and the Display Text field should show the value of the userCount variable.
To complete the process successfully using bean whitelisting, you must set beans.whitelisting.enabled to true and add the bean name to beans-whitelist.conf:
    # list bean names that should be whitelisted
    userService
- repositoryService
- formRepository
- objectMapper
- relatedContentService
- relatedContentProcessor
- historyService
- alfrescoMetadataProcessor
Service Task Class Whitelisting
This provides an alternative to bean whitelisting that enables more fine-grained control over what a developer can execute. For example, you can configure which patterns you allow to be executed using expressions.
You can also whitelist full class names or package patterns such as 'com.activiti.*'.
To whitelist service task classes, do the following:
- Open the <InstallLocation>/tomcat/lib/activiti-app.properties file.
- Locate and set service.task.class.whitelisting.enabled to true.
    service.task.class.whitelisting.enabled=true
  Note: If this property is missing from the activiti-app.properties file, service task whitelisting is disabled.
- This step applies only to users of Alfresco Process Services version 1.6.0 to 1.6.2 inclusive as well as apps published in these versions. Whitelisting for publish tasks is exempt from version 1.6.3. To use Alfresco, Box or Google Drive to publish tasks with service task whitelisting enabled, add the following entries to activiti-app/WEB-INF/classes/activiti/whitelisted-classes.conf:
  - com.activiti.runtime.activiti.bean.BoxStepActivityBehavior
  - com.activiti.runtime.activiti.bean.GoogleDriveStepActivityBehavior
  - com.activiti.runtime.activiti.KickstartAlfrescoPublishDelegate
  - com.activiti.runtime.activiti.KickstartAlfrescoCloudPublishDelegate
Whitelisting Scripting Languages
    # Here you can specify which script types are allowed to be executed
    javascript
    js
    ecmascript
    groovy
    juel
Class whitelisting in JavaScript
javascript.secure-scripting.enabled=true
- Open the <InstallLocation>/tomcat/lib/activiti-app.properties file.
- Locate and set javascript.secure-scripting.enable-class-whitelisting to true.
javascript.secure-scripting.enable-class-whitelisting = true
- To allow the execution of JavaScript classes, add them to activiti-app/WEB-INF/classes/activiti/javascript-whitelist-classes.conf:
    java.lang.System
    java.util.ArrayList
    org.apache.tomcat.util.log.SystemLogHandler
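
A configuration check for the whitelisting switches described on this page, added here as an example (it is not Alfresco's own code): it reads activiti-app.properties text and reports which controls are off, counting a missing property as disabled, and lists bean names that beans-whitelist.conf does not contain. The function names, the sample file contents, and the rule that only the value true enables a control are assumptions.

```python
import re

# Whitelisting switches this page names in activiti-app.properties.
CONTROLS = (
    "beans.whitelisting.enabled",
    "service.task.class.whitelisting.enabled",
    "javascript.secure-scripting.enabled",
    "javascript.secure-scripting.enable-class-whitelisting",
)

def parse_properties(text):
    """Parse Java .properties text ('k=v', 'k = v', 'k:v'); later keys win."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:                                # lines with no key are skipped
            props[m.group(1)] = m.group(2).strip()
    return props

def disabled_controls(properties_text):
    """Controls that are off. A missing property counts as disabled."""
    props = parse_properties(properties_text)
    # Assumption: only the value 'true' (any case) turns a control on.
    return [c for c in CONTROLS if props.get(c, "").lower() != "true"]

def parse_whitelist(conf_text):
    """Entries of a whitelist .conf file: one per line, '#' lines are comments."""
    lines = (l.strip() for l in conf_text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def not_whitelisted(conf_text, bean_names):
    """Bean names used in expressions that the whitelist file does not list."""
    allowed = parse_whitelist(conf_text)
    return [b for b in bean_names if b not in allowed]

# Constructed sample inputs (not taken from a real installation).
SAMPLE_PROPERTIES = """\
beans.whitelisting.enabled=true
javascript.secure-scripting.enabled=true
javascript.secure-scripting.enable-class-whitelisting = false
"""
SAMPLE_BEANS_CONF = "# list bean names that should be whitelisted\nuserService\n"

if __name__ == "__main__":
    print("disabled:", disabled_controls(SAMPLE_PROPERTIES))
    print("not whitelisted:",
          not_whitelisted(SAMPLE_BEANS_CONF, ["userService", "helloWorldBean"]))
```

In the sample, service task class whitelisting is reported because its property is absent, and JavaScript class whitelisting because it is explicitly set to false.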