MAC | Elyas Syoufi

MAC

Workflow and BPM delivery on Flowable, Angular, and Spring.

MAC: Workflow / BPM Application

Enterprise case management and workflow platform built on Flowable 6.6 for CRA with a custom Angular frontend and Spring Boot backend, deployed as WAR to JBoss/WildFly with Kerberos SSO and PostgreSQL storage.

At a glance

62 Angular components · 7 Flowable REST API clients · 12 form field types · 3 BPM engines · Lead developer

MAC — Workflow / BPM application for CRA — wraps Flowable 6.6 engine

BPMN — Business Process Model and Notation — sequential workflow orchestration

CMMN — Case Management Model and Notation — ad-hoc case handling

DMN — Decision Model and Notation — decision tables and rule evaluation

Flowable — Open-source BPM engine (v6.6) providing BPMN, CMMN, and DMN runtime

IDM — Identity Management — Flowable’s user/group management module

Angular Components

Flowable REST API Clients

Form Field Types

BPM Engines

Architecture

C4 Container view showing deployment topology and engine integration. Angular 16 SPA and Spring Boot backend packaged as a single WAR, deployed to JBoss/WildFly with three Flowable engines (BPMN + CMMN + DMN), Kerberos SSO via SPNEGO, and PostgreSQL storage for both process data and uploaded documents.

CRA Staff

Workflow users on domain-joined workstations

HTTPS / SPNEGO

MAC System

mac-web

Angular 16 · Angular Material · Bootstrap 4 · RxJS · TypeScript 5.1 · CRA RCCR libs

62 components

Task InboxWork ItemsTask DetailsStart FormsBPMN ViewerCMMN ViewerDMN Viewer

JSON / REST + proxy.conf.js

mac-server

Spring Boot 2.3.4 WAR · Java 8 · Flowable 6.6 · JPA/Hibernate

7 API clients

Flowable REST OverridesSPNEGO AuthContent StorageProcess Auto-DeployAPI InterceptorsPeople Search

Flowable Engine Integration

Flowable Engines

BPMN Engine

Process orchestration

CMMN Engine

Case management

DMN Engine

Decision tables

JDBC / JPA

PostgreSQL

Schema mac · Hikari pool 5–50

Enterprise Integrations

Kerberos / KDC

SPNEGO

SSO authentication

Active Directory

LDAP

Employee lookup & people search

CRA RCCR Artifactory

npm/Maven

Shared component libraries

SMTP Server

SMTP

Workflow notifications

WAR deployed to JBoss/WildFly — Angular assets bundled, context path /mac

Key Architectural Decisions

T1 — Security

SPNEGO/Kerberos auth bridged into Flowable identity context on every request via SpnegoHttpFilter → AuthenticatedUserFilter chain

Line of thinking

Why: Flowable needs a user identity for task assignment, process variables, and audit trails. Rather than maintaining a separate session or login form, we bridge the existing Kerberos/SPNEGO token directly into Flowable’s identity context. SpnegoHttpFilter validates the Kerberos ticket, AuthenticatedUserFilter maps the Windows principal to a Flowable user. This runs on every request — no session state, no login page.

HTTP Request

Negotiate header (Kerberos ticket)

SPNEGO

MAC Security Pipeline

SpnegoHttpFilter

Validates Kerberos ticket, extracts Windows identity

Principal

AuthenticatedUserFilter

Maps Windows identity to Flowable user context

Identity set

Flowable Engine

User identity available for task assignment, process variables, audit

Every request bridges Kerberos identity into Flowable — no session-based auth, no login form

1 / 6

MAC is an enterprise workflow and BPM application for CRA, wrapping the Flowable 6.6 engine (BPMN + CMMN + DMN) with a custom Angular 16 frontend and Spring Boot backend. Key architectural decisions: database-backed document storage (JPA ContentItem + DatabaseContentStorage) instead of filesystem; custom Flowable REST overrides for diagram and entity-link endpoints; SPNEGO/Kerberos auth bridged into Flowable identity context on every request. Deployed as WAR to JBoss/WildFly with Kerberos SSO and PostgreSQL.