Admin/Cockpit/Tasklist with Spring Security

I’m doing a Spring Boot web app integrating Camunda.
All went fine, until I started to activate Spring Security.

As soon as Spring Security is activated, login into Admin/Cockpit/Tasklist fails - when disabling Spring Security again, everything is fine.

To reproduce:

application.properties
camunda.bpm.admin-user.id = xxx
camunda.bpm.admin-user.password = xxx
camunda.bpm.webapp.index-redirect-enabled = false

build.gradle:
springBootVersion = '2.0.4.RELEASE'

compile('org.springframework.boot:spring-boot-starter-web')
compile 'org.camunda.bpm.springboot:camunda-bpm-spring-boot-starter:3.0.0'
compile 'org.camunda.bpm.springboot:camunda-bpm-spring-boot-starter-webapp:3.0.0'

All fine, and
curl -X POST -H 'Accept: application/json' --data 'username=xxx' --data 'password=xxx' http://localhost:8080/didi/sai/pilot/api/admin/auth/user/default/login/welcome
{"userId":"didi","authorizedApps":["admin","tasklist","welcome","cockpit"]}

But as soon as I add:
compile('org.springframework.boot:spring-boot-starter-security')
spring.security.user.name=xxx
spring.security.user.password=xxx
spring.security.user.role=xxx

protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/webapp/**").permitAll();
    //http.authorizeRequests().antMatchers("/api/admin/auth/user/didiBPE/login/welcome").permitAll();
}

I get Login Failed : Forbidden and
curl -i -X POST -H 'Accept: application/json' --data 'username=xxx' --data 'password=xxx' http://localhost:8080/didi/sai/pilot/api/admin/auth/user/default/login/welcome
HTTP/1.1 403 Forbidden
Set-Cookie: JSESSIONID=4D73C158BC59A39BE2A37C7D14BC22F1; Path=/didi/sai/pilot; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Date: Thu, 02 Aug 2018 19:18:36 GMT
Content-Length: 166
Server: lighttpd/1.4.49

Any idea how to have Camunda and Spring Sec in parallel?

Thx, Axel

Didn’t see the tree in the forest yesterday:
http
    .authorizeRequests()
        .antMatchers("/").permitAll()
        .anyRequest().authenticated()
        .and()
    .formLogin()
        //.loginPage("/login")
        .permitAll()
        .and()
    .logout()
        .permitAll()
        .and()
    .csrf().ignoringAntMatchers("/app/","/lib/","/api/**");
solved my problem :slight_smile:

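As an added example (not code from the thread or from Spring Security), this simplified Python model of the CSRF filter's decision shows why the login POST is rejected under the first configuration and let through under the second, and which other paths the posted patterns exempt. It assumes the 403 came from Spring Security's default-on CSRF check, that the context path is /didi/sai/pilot, and that matching follows basic Ant-pattern rules; the function and constant names are made up for the illustration.

```python
import re

# HTTP methods that Spring Security's default CSRF matcher never checks.
SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '?', '*', '**', and a trailing '/**'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?")      # "/api/**" also matches "/api" itself
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")          # any number of path segments
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")       # within one path segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")        # exactly one character
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def csrf_decision(method, path, ignored=(), has_valid_token=False):
    """Return 'skip' (no CSRF check), 'pass' (token accepted) or '403'."""
    if method.upper() in SAFE_METHODS:
        return "skip"
    if any(ant_to_regex(p).fullmatch(path) for p in ignored):
        return "skip"
    return "pass" if has_valid_token else "403"

# Constructed inputs. LOGIN is the thread's login URL without the context
# path, which is assumed to be /didi/sai/pilot (the cookie Path above).
LOGIN = "/api/admin/auth/user/default/login/welcome"
FIRST_CONFIG = ()                               # csrf() left at its default
SECOND_CONFIG = ("/app/", "/lib/", "/api/**")   # patterns exactly as posted

if __name__ == "__main__":
    print("first :", csrf_decision("POST", LOGIN, FIRST_CONFIG))
    print("second:", csrf_decision("POST", LOGIN, SECOND_CONFIG))
    # "/app/" has no wildcard, so only that exact path is exempt.
    print("/app/x:", csrf_decision("POST", "/app/x", SECOND_CONFIG))
```

Every state-changing request under /api/ is exempt from the token check with the second pattern set, so those endpoints rely on their own authentication and session handling for protection against cross-site requests.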