All Users Have Admin Access With Spring Boot

When I create users using the Spring Boot (embedded Process Engine) version using the Admin application, the users do not have any restrictions at all.

From vanilla install, the database is created and the form shows to create the admin user. Using this admin user any other created users have full permission. It is as though these users are “superusers” and changing their permissions makes no difference. I did not have this problem with a stand-alone process engine.

The log shows a warning when the Admin page loads:

```
o.glassfish.jersey.servlet.WebComponent  : A servlet request to the URI http://localhost:8090/api/admin/auth/user/default/login/admin contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.
```

Camunda version 7.6.0 with

```xml
<groupId>org.camunda.bpm.extension.springboot</groupId>
<artifactId>camunda-bpm-spring-boot-starter-webapp</artifactId>
<version>2.0.0</version>
```

and H2 database

```xml
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>1.3.171</version>
```

Hi @johnshaw1000,

this sounds similar to the topic: https://forum.camunda.io/t/camunda-spring-boot-authorization-feature-or-bug

Best regards,
Philipp

Not quite the same issue, though likely to have a similar root cause. Authorization is off; I found a workaround to switch it on:

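```java
import org.camunda.bpm.engine.spring.SpringProcessEngineConfiguration;
import org.camunda.bpm.spring.boot.starter.util.SpringBootProcessEnginePlugin;
import org.springframework.context.annotation.Configuration;

@Configuration
public class MyProcessEngineConfiguration extends SpringBootProcessEnginePlugin {

    // Runs before the engine is built, so the flag is set when the engine starts.
    @Override
    public void preInit(SpringProcessEngineConfiguration processEngineConfiguration) {
        super.preInit(processEngineConfiguration);
        // Switch authorization checks on if the configuration left them off.
        if (!processEngineConfiguration.isAuthorizationEnabled()) {
            processEngineConfiguration.setAuthorizationEnabled(true);
        }
    }
}
```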

Where did you find this? Any guide doc?

Hi @jeremy_chou,

have a look here: https://docs.camunda.org/manual/7.12/user-guide/process-engine/authorization-service/#enable-authorization-checks

Hope this helps, Ingo

Thanks for your kind reply. I resolved this issue by using config camunda.bpm.authorization.enable= true
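
A startup check for the condition discussed in this thread, as an added example that is not code from the thread or from the Camunda project: it refuses to start the application when the engine's authorization checks are off. It goes one step beyond the thread by also logging global authorizations that grant ALL, since those apply to every user. The class name `AuthorizationStartupGuard` is hypothetical, and the example assumes the starter exposes the `ProcessEngine` as a Spring bean.

```java
import java.util.List;

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.stereotype.Component;

// Added example; the class name is hypothetical and not part of the starter.
@Component
public class AuthorizationStartupGuard implements ApplicationRunner {

    private static final Logger LOG = LoggerFactory.getLogger(AuthorizationStartupGuard.class);

    private final ProcessEngine processEngine;

    public AuthorizationStartupGuard(ProcessEngine processEngine) {
        this.processEngine = processEngine;
    }

    @Override
    public void run(ApplicationArguments args) {
        // With the flag off the engine performs no permission checks at all,
        // so per-user authorizations set in the Admin app have no effect.
        if (!processEngine.getProcessEngineConfiguration().isAuthorizationEnabled()) {
            throw new IllegalStateException(
                "Camunda authorization checks are disabled; refusing to start");
        }

        // Global authorizations apply to every user, so a global ALL grant
        // makes each account look unrestricted even with checks enabled.
        AuthorizationService authorizationService = processEngine.getAuthorizationService();
        List<Authorization> globals = authorizationService.createAuthorizationQuery()
            .authorizationType(Authorization.AUTH_TYPE_GLOBAL)
            .list();
        for (Authorization auth : globals) {
            if (auth.isPermissionGranted(Permissions.ALL)) {
                LOG.warn("Global ALL grant on resource type {} (resource id {})",
                    auth.getResourceType(), auth.getResourceId());
            }
        }
    }
}
```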