
How to implement a Custom Security Provider for K2 blackpearl

 

I recently implemented a Custom Security provider that is used in a production environment. I had a few enquiries about the implementation and thought it would be good to share an example. Attached is a derived version of the provider I created, but with a SQL Server implementation.

 

PLEASE NOTE: The example source code for this blog can be found by clicking on the "File List" tab on the link below. You have to be logged into K2Underground to access this link!

http://www.k2underground.com/k2/ProjectHome.aspx?ProjectID=59

 

1. Unzip the example files to a favorite temp location on a K2 BP VPC with all the standard K2 development and runtime artifacts installed.

2. Crack open SQL Server Management Studio and create a new empty database. Call it “EmpSec”. Execute the “SecSQLScript.txt” located in the Security Provider Implementation folder. Make sure all the tables, test data and sprocs deploy.

3. Compile the Security Implementation project. After you have stopped K2 Host Server, copy the output assembly “ArnIT.K2SecurityProviderLibrary.Implementations.dll” to the “C:\Program Files\K2 blackpearl\Host Server\Bin\securityproviders” folder.

4. Start K2 Host Server and crack open another query window in SQL Server Management Studio. Run the following script. Make sure K2 Host Server has started up before running the script!

 

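use [HostServer]

declare @id uniqueidentifier, @a_newid uniqueidentifier;

set @a_newid = newid()

-- Look up the ID of the provider in SecurityProviders
select @id = SecurityProviderID from SecurityProviders where ProviderClassName = 'ArnIT.K2SecurityProviderLibrary.Implementations.SqlMembershipProviderProxy'

-- If the lookup found nothing, stop instead of inserting a label with NULL provider IDs
if @id is null
begin
    raiserror('Security provider not found in SecurityProviders; make sure K2 Host Server has started.', 16, 1)
    return
end

-- Register the 'ArnIT Security' label against that provider
insert into SecurityLabels values (@a_newid, 'ArnIT Security', @id, null, @id, null, '0')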

 

5. Stop K2 Host Server again and open “K2HostServer.config”, located in “C:\Program Files\K2 blackpearl\Host Server\Bin”. Delete the <connectionStrings> node and its contents once you know the replacement settings. An example of the unencrypted settings is in the commented-out section above the connectionStrings node. Once you uncomment that section, K2 Host Server will consume and encrypt it again on startup, so the original encrypted version can safely be deleted. The idea is to register the SQL connection string that the Security Provider uses.

 

Deleting the Encrypted connectionStrings:

 

 

Recreating the connectionStrings section:  

Add the connectionstring below and start K2 Host Server after saving the file.

 

<add name="ArnITEmpSecurityProvider.Connectionstring" connectionString="Data Source=BLACKPEARL;Database=EmpSec; Integrated Security=True" />

 

 

As mentioned, K2 Host Server will consume your settings and encrypt them. The “green” section should be deleted for production environments.

 

Encrypted connectionStrings section:

 

6. Restart K2 Host Server. Your provider will be registered after step 4 above and you should be good to test it. The easiest way to verify that registration completed successfully is to do a user lookup in workspace in any of the permissions sections.

The next section will test the Security Provider Implementation. An example Expense Claim K2 Process is included in the zip file and needs to be exported to your environment.

 

7. You need to create the following Roles in workspace. These are used as destinations for the Claims Process:

Add the following DYNAMIC K2 Roles

    1. “ArnIT EmpSys Administrator” (Group "ArnIT Security:Administrator") [Claim Approval Activity Destination]

    2. “ArnIT EmpSys Clerk” (Group "ArnIT Security:Worker") [Claim Processing Activity Destination]

It should look like the below:

 

 

and

 

 

8. Export the process and assign Start Permissions to all the “ArnIT” Groups. Ensure you save the permissions.

 

 

You should be good to test the process. I included a test application that basically starts a new instance of the claims process and approves it by actioning the worklist items. You should be able to plug any front end into this and point your UI Security Provider to your Custom Security Provider datastore.

 

9. Start the process and inspect the Worklist and Process Instance.

10. Finish the Worklist items for the “Claim Approval” Activity and inspect the Worklist and Process Instance.

11. Finish off the “Claim Processing” tasks by adding a “WL Item” finish code section for Paul.

 

 

This example is tested and works on K2 Sp1 with KB234. Dynamic Roles also work fine. The Filter Criteria for the Search is not implemented, but this should not be too big a job to implement. The password sections should also be encrypted as per normal security patterns.
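A check for the clean-up described in step 5, added here as an example and not part of the original post or its download: it reports connection strings that are still readable in a K2HostServer.config, either in a leftover XML comment or in a live <connectionStrings> section. The sample config and its credentials are constructed, and the script assumes that a section the server has encrypted no longer exposes connectionString attributes on <add> elements.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a plaintext example left behind in a comment (with made-up
# SQL credentials) above a live section that has not been encrypted yet.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <!--
  <connectionStrings>
    <add name="ArnITEmpSecurityProvider.Connectionstring" connectionString="Data Source=BLACKPEARL;Database=EmpSec;User ID=example_user;Password=example-only" />
  </connectionStrings>
  -->
  <connectionStrings>
    <add name="ArnITEmpSecurityProvider.Connectionstring" connectionString="Data Source=BLACKPEARL;Database=EmpSec; Integrated Security=True" />
  </connectionStrings>
</configuration>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
CONN_RE = re.compile(r'connectionString\s*=\s*"([^"]*)"', re.IGNORECASE)
PASSWORD_RE = re.compile(r"\b(?:password|pwd)\s*=", re.IGNORECASE)


def audit_config(text):
    """Return (kind, connection_string, has_password) for each readable connection string."""
    findings = []
    # Plaintext examples inside XML comments are not part of the live section,
    # so they stay readable on disk until someone deletes them.
    for comment in COMMENT_RE.finditer(text):
        for match in CONN_RE.finditer(comment.group(1)):
            value = match.group(1)
            findings.append(("commented", value, bool(PASSWORD_RE.search(value))))
    # ElementTree discards comments, so anything found here is in a live section.
    root = ET.fromstring(text)
    for section in root.iter("connectionStrings"):
        for add in section.iter("add"):
            value = add.get("connectionString")
            if value is not None:
                findings.append(("live", value, bool(PASSWORD_RE.search(value))))
    return findings


if __name__ == "__main__":
    for kind, value, has_password in audit_config(SAMPLE_CONFIG):
        flag = "contains a password" if has_password else "no embedded password"
        print(f"{kind:9} {flag:22} {value}")
```

A "live" finding is expected between saving the file and the next K2 Host Server start; a "commented" finding is the leftover that step 5 says to delete for production.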

 

 

Published Thursday, May 01, 2008 10:57 PM by arno

Comments

# List of all things K2 and useful2! « A Consulting Technologist’s Web [of thoughts]

# re: How to implement a Custom Security Provider for K2 blackpearl

Thursday, September 18, 2008 1:09 AM by henm

hi..

what is the table you insert in the connection string "LocalSqlServer"? did you add another table beside the EmpSec in the example?

# re: How to implement a Custom Security Provider for K2 blackpearl

Thursday, September 18, 2008 1:16 PM by monishnaware

Hi,

 I am having a similar kind of requirement... What I understand from your example is that I need to implement IHostableSecurityProvider interface which is within namespace SourceCode.Hosting.Server.Interfaces (SourceCode.HostServerInterfaces.dll). However, I am not able to locate this assembly (SourceCode.HostServerInterfaces.dll) in my blackpearl installation "C:\Program Files\K2 blackpearl\Bin".

 Is this dll a part of K2 installation? Or is this custom assembly written by you?

Thanks,

Monish.

# re: How to implement a Custom Security Provider for K2 blackpearl

Tuesday, September 23, 2008 4:06 PM by monishnaware

Hi,

    You mentioned that the filter criteria is not implemented. I need to implement the filter search in my implementation. Could you please give me a start on this? I tried to debug your code and noticed that whenever the FindGroups / FindUsers methods are called, the parameters groupname and username are always null even if I specify something in K2 tool. How should I pick up the parameter provided in the search user / groups search option in K2?

Thanks, Monish.

# re: How to implement a Custom Security Provider for K2 blackpearl

Tuesday, October 21, 2008 7:55 AM by NeilM

There are additional configuration steps required to load this custom provider on a BlackPearl 0807 build:

1) You have to sign the assembly with a keyfile. (This sample project includes a keyfile already, so you need to change the project to sign the assembly with the provided keyfile)

2) You then need to register the new assembly with k2 server by adding a row to the AssemblyRegistration table, with a SQL statement like this – (this statement assumes that you used the keyfile in the project to sign the assembly with, because you need to provide the public key token for the assembly)

use [HostServer]

insert into AssemblyRegistration

VALUES(newid(), 'ArnIT.K2SecurityProviderLibrary.Implementations', 'ea3190030bce3d3a', 1)

3) Finally, you have to tell K2 server to allow for custom assemblies, by editing the K2HostServer.config file on the K2 server (located by default in C:\Program Files\K2 blackpearl\Host Server\Bin\K2HostServer.config):

Change the line:

   <add key="useassemblyregistration" value="false" />

To:

   <add key="useassemblyregistration" value="true" />

Also, there seems to be a small error in the provided sql script in step 4) above that registers the new security provider with k2. You can use this script instead:

use [HostServer]

declare @id uniqueidentifier, @a_newid uniqueidentifier;

set @a_newid =  newid()

insert into SecurityProviders values (@a_newid,'ArnIT.K2SecurityProviderLibrary.Implementations.SqlMembershipProviderProxy')

select @id = SecurityProviderID from SecurityProviders where ProviderClassName = 'ArnIT.K2SecurityProviderLibrary.Implementations.SqlMembershipProviderProxy'

insert into SecurityLabels values (@a_newid, 'ArnIT Security', @id, null, @id, null, '0')

# FEEDBACK: Custom Security Provider for K2 blackpearl

Monday, October 27, 2008 3:18 AM by arno

Below are some answers to the comments above.

1. what is the table you insert in the connection string "LocalSqlServer"? did you add another table beside the EmpSec in the example?

This does not get persisted in any SQL table, but gets inserted into the K2HostServer.config file's <connectionStrings> section.

2. Is "SourceCode.HostServerInterfaces.dll" a custom written assembly

No, this assembly ships with K2 blackpearl. Search for this filename in the K2 [blackpearl] folder in Program Files on a host machine where K2 Server is installed. You should find it there.

3. Filtercriteria null

Monish, I am sure this was available when I stuck a breakpoint in my code. Try it again but adding a breakpoint to all the methods to double check the behaviour. I will try this again and post an update

4. 0807 Update

Thanks for the update, Neil. This Provider is indeed only tested for pre-807 versions. I will post an update to this project in due time

# re: How to implement a Custom Security Provider for K2 blackpearl

Friday, October 31, 2008 9:43 AM by Bob

FYI, the 0807 specific configuration settings are also covered in KB 331 (http://kb.k2workflow.com/Articles/KB000331.aspx)
