Activating HTTPS on Camunda Spring-Boot

Hi everyone,

For our Camunda workflow service that coexists in a private cluster, we needed to activate HTTPS route over HTTP.

As we are on Spring Boot, I followed this tutorial to activate HTTPS: https://www.thomasvitale.com/https-spring-boot-ssl-certificate/.

JKS connection and redirecting from HTTP to HTTPS seem to work for webapps. However, when I land at the login page, the authentication fails.

Moreover, every test REST call fails with a connection error (no response).

Other than creating the ServerConfig and SecurityConfig configurations as proposed in the tutorial, I haven’t changed the existing code.

Any ideas out there? What am I missing?

Thank you in advance…
Tunch

1 Like

Sorry to disturb again but I cannot imagine that I am the only one who needed HTTPS on Spring-Boot for Camunda. Do you see any problems with the following referenced Security and Server configurations?

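    // ServerConfig.java
    import org.apache.catalina.Context;
    import org.apache.catalina.connector.Connector;
    import org.apache.tomcat.util.descriptor.web.SecurityCollection;
    import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class ServerConfig {

        @Bean
        public ServletWebServerFactory servletContainer() {
            TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
                @Override
                protected void postProcessContext(Context context) {
                    // Require a confidential (TLS) transport for every URL, so that
                    // Tomcat redirects plain HTTP requests to the redirect port.
                    SecurityConstraint securityConstraint = new SecurityConstraint();
                    securityConstraint.setUserConstraint("CONFIDENTIAL");
                    SecurityCollection collection = new SecurityCollection();
                    collection.addPattern("/*");
                    securityConstraint.addCollection(collection);
                    context.addConstraint(securityConstraint);
                }
            };
            // Extra plain-HTTP connector next to the HTTPS one configured via server.ssl.*
            tomcat.addAdditionalTomcatConnectors(getHttpConnector());
            return tomcat;
        }

        // HTTP connector on 8080 that redirects to the HTTPS port 8443
        private Connector getHttpConnector() {
            Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
            connector.setScheme("http");
            connector.setPort(8080);
            connector.setSecure(false);
            connector.setRedirectPort(8443);
            return connector;
        }
    }

    // SecurityConfig.java
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Spring Security channel rule: every request must arrive over HTTPS
            http
                .requiresChannel()
                .anyRequest()
                .requiresSecure();
        }
    }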

Our setup is the following (from POM):

    <camunda.version>7.11.0-ee</camunda.version>
    <camunda.spring.boot.starter.version>3.3.2</camunda.spring.boot.starter.version>
    <spring.boot.version>2.2.0.RELEASE</spring.boot.version>

As said, the login page of the webapps can be reached over HTTPS, but any login attempt returns the error code 403 (Forbidden).

Moreover, the REST API does not seem to be available. Am I making a mistake in redirecting HTTP to HTTPS, or might the problem be somewhere else? Do we maybe need extra configurations for Camunda apart from the Spring configs?

Thanks in advance.

1 Like

After 2 days of continuous searching and testing, I found “a” solution to this problem.

Apparently, Camunda Spring Boot starter already configures WebSecurityConfigurerAdapter and a parallel configuration via the SecurityConfig does not fit here. The inconsistency might also have arisen due to the fact that we already enabled Camunda authorizations by extending SpringBootProcessEnginePlugin as follows:

    @Override
    public void preInit(SpringProcessEngineConfiguration processEngineConfiguration) {
      super.preInit(processEngineConfiguration);
      // Authorization rules
      if (!processEngineConfiguration.isAuthorizationEnabled()) {
        processEngineConfiguration.setAuthorizationEnabled(true);
      }
    }

In the end, keeping only the previously given ServerConfig and removing the new SecurityConfig class from the sources and the related dependency entry:

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-test</artifactId>
			<scope>test</scope>
		</dependency>

from the pom.xml solved our problem.

Now we can see that HTTPS EPs are available and HTTP traffic is routed to HTTPS. In our cluster we already deactivated HTTP traffic, and everything works as before, including authentication/authorization schemes and prod/test REST APIs.

I hope these findings can help someone.

3 Likes
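
A way to check the outcome described above (HTTP traffic routed to HTTPS), as an added example that is not part of the thread: the function reads the response headers of a plaintext request and passes only if the server answers with a redirect to an `https://` URL on the expected port. Ports 8080 and 8443 are taken from the posted ServerConfig; the function name, host and sample responses are constructed for illustration.

```shell
# Added example (not from the thread): check that a plaintext request is
# redirected to HTTPS the way the posted ServerConfig is meant to do it.
# Assumed: HTTP on 8080 and redirectPort 8443, as in that ServerConfig.

# Reads raw response headers on stdin (the output of `curl -sI <url>`).
# Succeeds only for a 3xx redirect whose Location is https:// on the expected port.
check_redirect() {
  cr_expected_port="$1"
  cr_headers=$(tr -d '\r')
  cr_status=$(printf '%s\n' "$cr_headers" | awk 'NR==1 {print $2}')
  cr_location=$(printf '%s\n' "$cr_headers" |
    awk 'tolower($1)=="location:" {print $2; exit}')
  case "$cr_status" in
    301|302|303|307|308) ;;
    *) echo "FAIL: status ${cr_status:-none}, request was not redirected"
       return 1 ;;
  esac
  # Split the Location into scheme and authority; anything but https fails.
  cr_rest=${cr_location#https://}
  if [ "$cr_rest" = "$cr_location" ]; then
    echo "FAIL: redirect target '$cr_location' is not https"
    return 1
  fi
  cr_authority=${cr_rest%%/*}
  case "$cr_authority" in
    *:*) cr_port=${cr_authority##*:} ;;
    *)   cr_port=443 ;;   # no explicit port means the https default
  esac
  if [ "$cr_port" != "$cr_expected_port" ]; then
    echo "FAIL: redirect goes to port $cr_port, expected $cr_expected_port"
    return 1
  fi
  echo "OK: $cr_status -> $cr_location"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_REDIRECT='HTTP/1.1 302
Location: https://localhost:8443/
'
SAMPLE_PLAINTEXT='HTTP/1.1 200
Content-Type: text/html
'
printf '%s' "$SAMPLE_REDIRECT"  | check_redirect 8443 || true
printf '%s' "$SAMPLE_PLAINTEXT" | check_redirect 8443 || true
# Against a running instance: curl -sI http://localhost:8080/ | check_redirect 8443
```

A 200 on the plaintext port means content is still being served without TLS, which is the case the second sample exercises.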

Thanks for letting us know about how you progressed with this!

1 Like