Activating HTTPS on Camunda Spring-Boot

tunch · January 25, 2020, 11:53am

Hi everyone,

For our Camunda workflow service that coexists in a private cluster, we needed to activate HTTPS route over HTTP.

As we have a spring boot, I followed the following tutorial to activate HTTPS: How to enable HTTPS in a Spring Boot Java application.

JKS connection and redirecting from HTTP to HTTPS seem to work for webapps. However, when I land at the login page, the authentication fails.

Moreover every test rest call fails with a connection error (no response).
Camunda_rest_error

Other then creating ServerConfig and SecurityConfig configurations as proposed in the tutorial, I haven’t changed the existing code.

Any ideas out there? What am I missing?

Thank you in advance…
Tunch

tunch · January 27, 2020, 12:19pm

Sorry to disturb again but I cannot imagine that I am the only one who needed HTTPS on Spring-Boot for Camunda. Do you see any problems with the following referenced Security and Server configurations?

@Configuration
public class ServerConfig {

    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(getHttpConnector());
        return tomcat;
    }

    private Connector getHttpConnector() {
        Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
        connector.setScheme("http");
        connector.setPort(8080);
        connector.setSecure(false);
        connector.setRedirectPort(8443);
        return connector;
    }
}

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requiresChannel()
            .anyRequest()
            .requiresSecure();
    }
}

Our setup is the following (from POM):

    <camunda.version>7.11.0-ee</camunda.version>
    <camunda.spring.boot.starter.version>3.3.2</camunda.spring.boot.starter.version>
    <spring.boot.version>2.2.0.RELEASE</spring.boot.version>

As said, login page of webapps can be reached over HTTPS but any login attempt returns the error code 403 (Forbidden).

Moreover rest api does not seem to be available. Do I make a mistake in redirecting HTTP to HTTPS or problem might be somewhere else? Do we maybe need extra configurations for Camunda apart from the Spring configs?

Thanks in advance.

tunch · January 31, 2020, 11:19am

After 2 days of continuous searching and testing, I found “a” solution to this problem.

Apparently, Camunda Spring Boot starter already configures WebSecurityConfigurerAdapter and a parallel configuration via the SecurityConfig does not fit here. The inconsistency might have arised also due to the fact hat we already enabled Camunda authorizations extending SpringBootProcessEnginePlugin as follows:

    @Override
    public void preInit(SpringProcessEngineConfiguration processEngineConfiguration) {
      super.preInit(processEngineConfiguration);
      // Authorization rules
      if (!processEngineConfiguration.isAuthorizationEnabled()) {
        processEngineConfiguration.setAuthorizationEnabled(true);
      }
    }

At the end, keeping only previously given ServerConfig and removing the new SecurityConfig class from the sources and the related dependency entry:

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-test</artifactId>
			<scope>test</scope>
		</dependency>

from the pom.xml solved our problem.

Now we can see that HTTPS EPs are available and HTTP traffic is routed to HTTPS. In our cluster we already deactivated HTTP traffic, and everything works as before, including authentication/authorization schemes and prod/test Rest APIs .

I hope these findings can help someone.

Niall · January 31, 2020, 11:21am

Thanks for letting us know about how you progressed with this!

pradeep.poojari · October 15, 2020, 2:06pm

Hi @tunch I followed exactly what you have mentioned. However, I am getting below error .

tunch · October 16, 2020, 10:46am

Hi @pradeep.poojari, can you post your POM? We received the same error when SecurityConfig class was still available in POM and was referenced in the code.

pradeep.poojari · October 16, 2020, 11:23am

Hi @tunch Thanks for this post. I was able to login without spring dependency added in POM.

But In our case, we will use spring security to do SSO to login to camunda in https mode. Any idea in that case how to run Camunda in HTTPS mode?

tunch · October 18, 2020, 1:08pm

Hi @pradeep.poojari, unfortunately I don’t have any first hand experience with SSO on Spring-Boot. Hence I can’t directly help.

However the following Camında SSO community extension: https://github.com/camunda/camunda-bpm-identity-keycloak

And the discussion thread on how to embed it to Camunda Spring-Boot distro might help…
Integration of camunda with keycloak SSO

Have a good Sunday
Tunç

system · January 30, 2024, 12:10pm