Prerequisites • Exercise 0 • Exercise 1 • Exercise 1.1 • Exercise 2 • Exercise 3 • Exercise 4 • Exercise 5 • Exercise 6 • Exercise 7
In this exercise you will learn how to control who is allowed to start a process in the DSF. You will configure authorization rules in an ActivityDefinition file and add a Keycloak-based user alongside the existing certificate-based access.
The file you will work in is tutorial-process/src/main/resources/fhir/ActivityDefinition/dic-process.xml.
Background reading (documentation links for this exercise)
A Keycloak instance is already running as part of the dev setup. A user has been created for you in the DIC realm. The Keycloak admin console is accessible at https://keycloak:8443 (username: admin, password: admin). Your task is to allow this user to start the dicProcess. Optionally you can also add Keycloak users for the COS and HRP instances.
- Change the `requester` element in the ActivityDefinition `tutorial-process/src/main/resources/fhir/ActivityDefinition/dic-process.xml` to allow all local clients with a practitioner role of `DSF_ADMIN` to request `dicProcess` messages. There is a documentation page to help you understand the process authorization extension.
  Need a ready-made example? There is a list of examples for the `requester` element here. You can also check out the guide on creating ActivityDefinitions.
- With this change alone, you will no longer be able to start the `dicProcess` using the client certificate from the earlier exercises. Add a second `<extension url="requester">` entry to the same authorization block in `dic-process.xml` that allows local clients from the `dic.dsf.test` organization to request `dicProcess` messages, so that the client certificate can still be used to start the process.
  You need the `LOCAL_ORGANIZATION` code combined with the `extension-process-authorization-organization` nested extension pointing to `dic.dsf.test`.
  Need a ready-made example? There is a list of examples for the `requester` element here. You can also check out the guide on creating ActivityDefinitions.
- Just like in exercise 2, we have changed a FHIR resource in a way that breaks compatibility with older versions of the plugin. Signal this change by incrementing the resource version to `1.2`.
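The three edits above come together in one authorization block. The following added example (not code from the dsf-process-tutorial project) embeds a constructed excerpt of what `dic-process.xml` could look like afterwards and parses it to list who may request `dicProcess` messages, so you can check that the DSF_ADMIN rule and the `LOCAL_ORGANIZATION` rule for `dic.dsf.test` are both present and that the version is `1.2`. The extension and system URLs and the `LOCAL_ALL_PRACTITIONER` code follow the DSF process authorization documentation; they are assumptions here, so verify them against the documentation page linked for this exercise.

```python
# Added example, not part of the dsf-process-tutorial project. Parses the
# process authorization block of a DSF ActivityDefinition and reports the
# requester rules. URLs and the LOCAL_ALL_PRACTITIONER code are taken from the
# DSF documentation (assumed here; check against the linked documentation).
import xml.etree.ElementTree as ET

FHIR_NS = "http://hl7.org/fhir"
AUTH_EXT = "http://dsf.dev/fhir/StructureDefinition/extension-process-authorization"
PRACTITIONER_EXT = "http://dsf.dev/fhir/StructureDefinition/extension-process-authorization-practitioner"
ORGANIZATION_EXT = "http://dsf.dev/fhir/StructureDefinition/extension-process-authorization-organization"
NS = {"f": FHIR_NS}

# Constructed excerpt of dic-process.xml after this exercise: a rule for local
# practitioners with role DSF_ADMIN, a rule for the dic.dsf.test organization
# (client certificate), and the resource version bumped to 1.2. All other
# elements of the ActivityDefinition are omitted.
DIC_PROCESS_XML = f"""<ActivityDefinition xmlns="{FHIR_NS}">
  <extension url="{AUTH_EXT}">
    <extension url="message-name">
      <valueString value="dicProcess"/>
    </extension>
    <extension url="requester">
      <valueCoding>
        <extension url="{PRACTITIONER_EXT}">
          <valueCoding>
            <system value="http://dsf.dev/fhir/CodeSystem/practitioner-role"/>
            <code value="DSF_ADMIN"/>
          </valueCoding>
        </extension>
        <system value="http://dsf.dev/fhir/CodeSystem/process-authorization"/>
        <code value="LOCAL_ALL_PRACTITIONER"/>
      </valueCoding>
    </extension>
    <extension url="requester">
      <valueCoding>
        <extension url="{ORGANIZATION_EXT}">
          <valueIdentifier>
            <system value="http://dsf.dev/sid/organization-identifier"/>
            <value value="dic.dsf.test"/>
          </valueIdentifier>
        </extension>
        <system value="http://dsf.dev/fhir/CodeSystem/process-authorization"/>
        <code value="LOCAL_ORGANIZATION"/>
      </valueCoding>
    </extension>
  </extension>
  <version value="1.2"/>
</ActivityDefinition>
"""


def _value(parent, path):
    """Return the 'value' attribute of the first element at path, or None."""
    el = None if parent is None else parent.find(path, NS)
    return None if el is None else el.get("value")


def requester_rules(xml_text, message_name="dicProcess"):
    """Return the requester rules of the authorization block for message_name.

    Each rule is a dict with the process-authorization code and, where the
    rule is narrowed, the practitioner role or the organization identifier.
    """
    root = ET.fromstring(xml_text)
    rules = []
    for auth in root.findall("f:extension", NS):
        if auth.get("url") != AUTH_EXT:
            continue
        if _value(auth, "f:extension[@url='message-name']/f:valueString") != message_name:
            continue
        for req in auth.findall("f:extension[@url='requester']", NS):
            coding = req.find("f:valueCoding", NS)
            rule = {"code": _value(coding, "f:code")}
            role = _value(coding, f"f:extension[@url='{PRACTITIONER_EXT}']/f:valueCoding/f:code")
            if role is not None:
                rule["practitioner_role"] = role
            org = _value(coding, f"f:extension[@url='{ORGANIZATION_EXT}']/f:valueIdentifier/f:value")
            if org is not None:
                rule["organization"] = org
            rules.append(rule)
    return rules


def resource_version(xml_text):
    """Return the value of the ActivityDefinition's version element."""
    return _value(ET.fromstring(xml_text), "f:version")


def certificate_login_still_allowed(rules, organization="dic.dsf.test"):
    """True if a LOCAL_ORGANIZATION rule for the organization is present,
    i.e. its client certificate can still start the process."""
    return any(r["code"] == "LOCAL_ORGANIZATION" and r.get("organization") == organization
               for r in rules)


if __name__ == "__main__":
    found = requester_rules(DIC_PROCESS_XML)
    for rule in found:
        print(rule)
    print("version:", resource_version(DIC_PROCESS_XML))
    print("certificate login still allowed:", certificate_login_still_allowed(found))
```

Run the script against your own `dic-process.xml` by reading the file instead of `DIC_PROCESS_XML`; if `certificate_login_still_allowed` returns False, the second requester entry is missing and only Keycloak users with the DSF_ADMIN role will be able to start the process.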
Execute a maven build of the dsf-process-tutorial parent module via:
mvn clean install -Pexercise-3
Verify that the build was successful and no test failures occurred.
To verify the exampleorg_dicProcess can be executed successfully, we need to deploy it into a DSF instance and execute the process. The maven install build is configured to create a process jar file with all necessary resources and copy the jar to the appropriate locations of the docker dev setup.
- Start the DSF FHIR server for the `dic.dsf.test` organization in a console at location `.../dsf-process-tutorial/dev-setup`: `docker compose up dic-fhir`. Verify that the DSF FHIR server started successfully at https://dic/fhir.
- Start the DSF BPE server for the `dic.dsf.test` organization in a second console at location `.../dsf-process-tutorial/dev-setup`: `docker compose up dic-bpe`. Verify that the DSF BPE server started successfully and deployed the `exampleorg_dicProcess`.
- Visit https://dic/fhir. First, use the client certificate to log into the DSF FHIR server and make sure you are still able to start an `exampleorg_dicProcess` via the web interface.
- Now try again, but this time log in via Keycloak. Your username and password are both `tutorial`. You might have to clear your browser's SSL state, because it keeps using the client certificate from before. Afterwards, visit https://dic/fhir again but refuse to send a client certificate when asked; this should forward you to the Keycloak login page.
If all went well, you should have been able to start the process via both the client certificate and the Keycloak user.