Whitelisting Spring beans for Camunda

It is possible to use custom code in your BPMN processes by referencing a Spring bean that contains the code you want to run. Any spring bean can be used in expressions by using the bean name.

ProcessBean annotation

Camunda by default allows access to Spring beans, e.g. to send an email. Valtimo provides a whitelist for this instead, as exposing every bean is a security concern. In order to add a Spring bean to this whitelist, the bean definition itself has to be whitelisted. This is done with the @ProcessBean annotation.

  1. Ensure a bean for the class that should be whitelisted is provided.

    @Bean
    fun somethingService(): SomethingService {
       return SomethingService()
    }
  2. Add the @ProcessBean annotation.

    @Bean
    @ProcessBean
    fun somethingService(): SomethingService {
       return SomethingService()
    }

The bean can now be used. For information on how to use these beans inside a BPMN, see here.

Note: the whitelist can be disabled by setting the following Spring property to false.

application.yml

valtimo:
  camunda:
    bean-whitelisting: false

Last updated