Prerequisites • Exercise 0 • Exercise 1 • Exercise 1.1 • Exercise 2 • Exercise 3 • Exercise 4 • Exercise 5 • Exercise 6 • Exercise 7
In Exercise 1, you added a client certificate to your browser in order to be allowed to access the DIC FHIR
server. In later exercises we will also use some of the other DSF installations, such as cos.dsf.test or hrp.dsf.test. You could add a
client certificate to your browser for each one, or you could configure a specific DSF user
with access to all DSF installations.
This is part of the DSF's access control using the role configuration mechanism. It allows you to specify
exact rules for accessing the FHIR REST API and starting processes for certain users, identified either by the
thumbprints of their client certificates or through OpenID Connect.
For this exercise, we will include OpenID Connect in the configuration through a Keycloak instance. We have already created a user for you in the DIC realm who has sufficient
access to the FHIR REST API and who is allowed to start our dicProcess.
The administration console for Keycloak is accessible under https://keycloak:8443.
Credentials for administrator access are username: admin and password: admin. There is also a DSF Role Config for the DIC FHIR server instance set up in accordance with the Keycloak configuration.
Your task will be to take this user and explicitly allow them to start the dicProcess. Optionally, you can also add
Keycloak users for the COS and HRP instances.
Documentation topics related to this exercise are Access Control and ActivityDefinitions.
- Change the requester element in the ActivityDefinition dic-process.xml to allow all local clients with a practitioner role of DSF_ADMIN to request dicProcess messages.

  Don't know how to change the ActivityDefinition?
  There is a list of examples for the requester element here. You can also check out the guide on creating ActivityDefinitions.

- We just made it so you will not be able to start the dicProcess using the client certificate used in earlier exercises. Add another requester to the ActivityDefinition dic-process.xml which allows local clients from the dic.dsf.test organization to request dicProcess messages, in case you still want to use the client certificate to start the process.

  Don't know how to change the ActivityDefinition?
  There is a list of examples for the requester element here. You can also check out the guide on creating ActivityDefinitions.

- Just like in exercise 2, we just changed a FHIR resource in a way that breaks compatibility with older versions of the plugin. Therefore, we need to signal this change by incrementing the resource version to 1.2.
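To check the result of the steps above, the following added example (not part of the tutorial or of the DSF code base) lists which requester rules an ActivityDefinition grants per message name and flags rules that carry no role or organization qualifier. The embedded XML is a constructed sample; its extension URLs and codes are assumed to follow DSF 1.x naming, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

FHIR = "{http://hl7.org/fhir}"
# Assumption: extension URLs and codes follow DSF 1.x naming; compare with your dic-process.xml.
AUTH = "http://dsf.dev/fhir/StructureDefinition/extension-process-authorization"

# Constructed sample, not the tutorial's own file.
SAMPLE = """<ActivityDefinition xmlns="http://hl7.org/fhir">
 <extension url="http://dsf.dev/fhir/StructureDefinition/extension-process-authorization">
  <extension url="message-name"><valueString value="dicProcess"/></extension>
  <extension url="requester"><valueCoding>
   <extension url="http://dsf.dev/fhir/StructureDefinition/extension-process-authorization-practitioner">
    <valueCoding><system value="http://dsf.dev/fhir/CodeSystem/practitioner-role"/><code value="DSF_ADMIN"/></valueCoding>
   </extension>
   <system value="http://dsf.dev/fhir/CodeSystem/process-authorization"/><code value="LOCAL_ALL_PRACTITIONER"/>
  </valueCoding></extension>
  <extension url="requester"><valueCoding>
   <extension url="http://dsf.dev/fhir/StructureDefinition/extension-process-authorization-organization">
    <valueIdentifier><system value="http://dsf.dev/sid/organization-identifier"/><value value="dic.dsf.test"/></valueIdentifier>
   </extension>
   <system value="http://dsf.dev/fhir/CodeSystem/process-authorization"/><code value="LOCAL_ORGANIZATION"/>
  </valueCoding></extension>
 </extension>
</ActivityDefinition>"""

def requesters(xml_text):
    """Return {message-name: [(authorization code, qualifier or None), ...]}."""
    root = ET.fromstring(xml_text)
    result = {}
    for auth in root.findall(f"{FHIR}extension[@url='{AUTH}']"):
        name = auth.find(f"{FHIR}extension[@url='message-name']/{FHIR}valueString").get("value")
        rules = result.setdefault(name, [])
        for coding in auth.findall(f"{FHIR}extension[@url='requester']/{FHIR}valueCoding"):
            code = coding.find(f"{FHIR}code").get("value")
            # The nested extension narrows the rule to a practitioner role or an organization.
            qual = coding.find(f"{FHIR}extension/*/{FHIR}code")
            if qual is None:
                qual = coding.find(f"{FHIR}extension/*/{FHIR}value")
            rules.append((code, qual.get("value") if qual is not None else None))
    return result

def too_broad(rules):
    """Return the codes of requester rules that have no role or organization qualifier."""
    return [code for code, qualifier in rules if qualifier is None]
```

Run `requesters()` on the text of your edited dic-process.xml to confirm that both the Keycloak role rule and the client-certificate organization rule are present before building.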
Execute a Maven build of the dsf-process-tutorial parent module via:
mvn clean install -Pexercise-3
Verify that the build was successful and no test failures occurred.
To verify the exampleorg_dicProcess can be executed successfully, we need to deploy it into a DSF instance and execute the process. The Maven install build is configured to create a process jar file with all necessary resources and copy the jar to the appropriate locations of the docker dev setup.

- Start the DSF FHIR server for the dic.dsf.test organization in a console at location .../dsf-process-tutorial/dev-setup:

  docker-compose up dic-fhir

  Verify the DSF FHIR server started successfully at https://dic/fhir.

- Start the DSF BPE server for the dic.dsf.test organization in a second console at location .../dsf-process-tutorial/dev-setup:

  docker-compose up dic-bpe

  Verify the DSF BPE server started successfully and deployed the exampleorg_dicProcess.

- Visit https://dic/fhir. First, use the client certificate to log into the DSF FHIR server and make sure you are still able to start an exampleorg_dicProcess via the web interface.

- Now try doing it again, but this time use Keycloak to log in. Your username and password are both tutorial. Also, you might have to clear your browser's SSL state because it keeps using the client certificate from before. Afterward, you can visit https://dic/fhir again but refuse to send a client certificate when asked. This should forward you to the Keycloak login page.

If all went well, you should have been able to start the process via both the client certificate and the Keycloak user.