Activiti and Hibernate/tynamo integration

We are using Tapestry as MVC framework in the company and we needed to integrate a sample tapestry based with activiti security tables.

“Apache Shiro” and “Tynamo” are used. “Apache Shiro” is a Java security framework from Aapche. Tynamo  helps in using Shiro in Tapestry. In this post I am going to explain how Activiti security could be used in Tapestry web based applications.



Target is creating a web based application. The related page should be visible only after authentication. For authentication these conditions should be validated:

1. User should exist in “act_id_user” table

2. password should match to the password in the same table.

3. In “act_id_membership” table, user should be associated with “admin” group
Activiti realm:

In Shiro, different realms are foreseen. JDBC, LDAP, Active. So one way is to create a new “Activiti Realm” and configure Shiro to use it, and configure Tapestry to use Shiro.

Creating ActivitiRealm is simple. You have to extend AuthorizingRealm class and implement doGetAuthenticationInfo member and put the authentication logic in it. Something like this:


[code lang=”java”]
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
String username = usernamePasswordToken.getUsername();
char[] pswrd = usernamePasswordToken.getPassword();
String password = String.copyValueOf(pswrd);

// check if the username and password are correct
IdentityService identityService = processEngine.getIdentityService();
if (!identityService.checkPassword(username, password)) {
throw new IncorrectCredentialsException();

// check if the username ins member of “admin” role
GroupQuery query = identityService.createGroupQuery();
if (query.groupMember(username).groupName(ADMIN_ROLE).count() == 0) {
throw new IncorrectCredentialsException();
return buildAuthenticationInfo(username, password);


Service Injection:

As you may have seen in the above code, processEngine is just used. It is injected by Tapestry Injection framework. It could be injected in Spring configuration file or in build method in AppModule. In this implementation Spring based configuration is used. This code snipplet in application-context.xml file will do the job:

[code lang=”xml”]

Configure Shiro to use Activiti Realm
Now we have the realm and we have to make shiro use our new realm.
This method in will make shiro use the realm:

[code lang=”java”]
public static void addRealms(Configuration configuration, @Autobuild ActivitiRealm activitiRealm) {

Login page
Shiro is configured and can be used for checking security. Now we need a login page. It is possible to use default login page, but here I prefer to have my own login page.
The page is a normal login page, like in any other one. Just in validation, such a code uses Shiro for authentication:

[code lang=”java”]
public Object onActionFromJsecLoginForm()

Subject currentUser = securityService.getSubject();

if (currentUser == null) {
throw new IllegalStateException(“Subject can`t be null”);

UsernamePasswordToken token = new UsernamePasswordToken(jsecLogin, jsecPassword);

try {
} catch (UnknownAccountException e) {
loginMessage = “Account not exists”;
return null;
} catch (IncorrectCredentialsException e) {
loginMessage = “Wrong password”;
return null;
} catch (LockedAccountException e) {
loginMessage = “Account locked”;
return null;
} catch (AuthenticationException e) {
loginMessage = “Authentication Error”;
return null;

SavedRequest savedRequest = WebUtils.getAndClearSavedRequest(requestGlobals.getHTTPServletRequest());

if (savedRequest != null && savedRequest.getMethod().equalsIgnoreCase(“GET”)) {
try {
return null;
} catch (IOException e) {
logger.warn(“Can’t redirect to saved request.”);
return Index.class;
} else {
return Index.class;
Configure Tapestry to use Shiro for security
Ok, everything is there. Now we have to configure Tapestry to use Shiro for security and secure desired pages.
First we have to introduce our login page. Shiro will redirect user to this page, whenever he wants to access to a secured page and he is not logged in. This code in AppModule does this task:

[code lang=”java”]
public static void applicationDefaults(
MappedConfiguration<String, String> configuration) {
// Tynamo’s tapestry-security (Shiro) module configuration
configuration.add(SecuritySymbols.LOGIN_URL, “/login”);

and the last thing is to let Shiro know which pages should be protected:

[code lang=”java”]
public static void contributeSecurityConfiguration(Configuration configuration,
SecurityFilterChainFactory factory) {
// /authc/** rule covers /authc , /authc?q=name /authc#anchor urls as well

this configuration make the “/login” accessible without authentication and put protection on “/assets/”, “/myPage” and “/” pages.

Done, Done.


Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.