Authorization for Camunda REST API

Hi,

I am starting a process instance using the Camunda REST API (POST /process-definition/key/aProcessDefinitionKey/start). I am making an AJAX POST call.

Currently, whoever has the process engine URL can start the process. So I want to introduce JWT authorization to avoid this. Are there any good examples available on how to do this?

I have gone through documentation but didn’t find configuration steps or any examples explaining how this can be configured.

Any help is greatly appreciated.

Thanks.

Camunda supports the Basic Auth mechanism; by default it is disabled. You can enable it if needed. For JWT authorization, you can provide the configuration by using the Spring Security module. You need to include the jjwt.jar dependency on the classpath for JWT authorization.

Refer to these docs for the JWT implementation: https://github.com/jwtk/jjwt

Code for enabling Basic Auth:

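```java
// javax.servlet applies to Spring Boot 2.x; Spring Boot 3.x uses jakarta.servlet.
import javax.servlet.Filter;
import org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CamundaSecurityFilter {

  // Registers Camunda's authentication filter in front of the REST API.
  @Bean
  public FilterRegistrationBean<Filter> processEngineAuthenticationFilter() {
    FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>();
    registration.setName("camunda-auth");
    registration.setFilter(getProcessEngineAuthenticationFilter());
    // The provider class decides how credentials are read from the request.
    registration.addInitParameter("authentication-provider",
        "org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider");
    registration.addUrlPatterns("/*");
    registration.setOrder(1);
    return registration;
  }

  @Bean
  public Filter getProcessEngineAuthenticationFilter() {
    return new ProcessEngineAuthenticationFilter();
  }
}
```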
2 Likes
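
The JWT route suggested in the answer above, as an added example that is not part of the original post or of Camunda's own code: a custom provider for the same `ProcessEngineAuthenticationFilter` that validates a bearer token with jjwt. The class name, the `CAMUNDA_JWT_SECRET` variable, the HS256 shared secret and the jjwt 0.11-style parser calls are assumptions, and the token's `sub` claim is assumed to hold a Camunda user ID.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKey;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;

// Hypothetical class: the filter instantiates it through its no-arg constructor.
public class JwtAuthenticationProvider implements AuthenticationProvider {

  private static final String BEARER = "Bearer ";
  // Assumption: shared HS256 secret (at least 32 bytes) from the environment.
  // A missing or short secret throws here, so the filter fails closed at startup.
  private final SecretKey key = Keys.hmacShaKeyFor(
      System.getenv("CAMUNDA_JWT_SECRET").getBytes(StandardCharsets.UTF_8));

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    String header = request.getHeader("Authorization");
    if (header == null || !header.startsWith(BEARER)) {
      return AuthenticationResult.unsuccessful();
    }
    try {
      // Verifies the signature; unsigned, tampered or expired tokens throw JwtException.
      Claims claims = Jwts.parserBuilder().setSigningKey(key).build()
          .parseClaimsJws(header.substring(BEARER.length()).trim())
          .getBody();
      String userId = claims.getSubject();
      // Reject tokens that carry no subject or no expiry at all.
      if (userId == null || userId.isEmpty() || claims.getExpiration() == null) {
        return AuthenticationResult.unsuccessful();
      }
      return AuthenticationResult.successful(userId);
    } catch (JwtException | IllegalArgumentException e) {
      return AuthenticationResult.unsuccessful();
    }
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    response.setHeader("WWW-Authenticate", "Bearer realm=\"" + engine.getName() + "\"");
  }
}
```

To use it, pass this class's fully qualified name as the `authentication-provider` init parameter in place of `HttpBasicAuthenticationProvider` in the registration shown in the answer.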

Sorry, I am very new to this authorization procedure and to Camunda as well.

We are not placing any code on WildFly where Camunda is configured, except that we are deploying the BPMN files and then using an external service for implementations and inline scripts.

So, where do I place this code for enabling authorization?

Are you using the camunda-wildfly distribution or running Camunda as microservices?

We are using the camunda-wildfly distribution, but don’t want to deploy any code on it.

If it’s a Spring Boot application of Camunda, I can share the code with you. You can try to check the configuration in standalone.xml.

@thorben @Philipp_Ossler @Niall can any of you provide your input here on how to configure JWT authorization in the camunda-wildfly distribution?

@aravindhrs, I would like for you to share codes. I’m new to Camunda and Spring Boot.

BR

@Samson_Quaye sure 🙂

Sorry about the typo. I actually meant that I would like for you to share some codes, if that’s possible.

Yes, please.

Hey there. I’m using the Camunda Engine with Spring Boot and a basic Camunda Starter Project. I’m trying to be able to execute API calls where you need to be authenticated. If I implement the class that @aravindhrs mentioned I’m able to get the API call done.

But I at least think that is not the correct way, or is it the only way? After I found the documentation for Spring Boot and Camunda, I added these lines to my application.yaml and thought the basic authorization would work now, but it does not:

```yaml
camunda.bpm:
  run:
    auth.enabled: true
```

What I’m trying to achieve is an API call with Postman (Perform an Authorization Check):
{{baseUrl}}/authorization/check?permissionName=ALL&resourceName=*&resourceType=1

But as you can see it does not work:

Is this Spring Configuration file really the only way to activate the authentication?

@CptDayDreamer You must register ProcessEngineAuthenticationFilter with the FilterRegistrationBean to enable REST API authorization.

1 Like

Hi, along the same lines: authorization for the Camunda REST API, for users in a custom DB.
We followed the instructions at
https://github.com/camunda-community-hub/camunda-bpm-identity-keycloak#readme.
We were able to integrate the Camunda engine/web app and our application user DB.
Challenges exist in terms of authorizing/allowing one or more users for every step involved. I would appreciate it if someone could give pointers on this.

Rgds
Chandy

Can you give more specifics about what exactly you’re trying to do?
Are you saying that you would like the same user to complete all steps of a given process that they start?

Hi Niall,
We have developed our application in a microservices architecture, and we need to involve workflows. Our application has its users in Keycloak, and we are using Keycloak (JWT authorization) for application authorization through Spring Boot.
Now we have to call the workflows from our Spring Boot application (which has the application-specific *.bpmn files etc. embedded).
So we have deployed Camunda as a Spring Boot application, with the web app for the admin GUI and the REST API. To be specific, we have to allow specific users to start the processes, and specific users to continue the steps involved in completing them. So how do we authorize a step in the REST API for that specific user? For every workflow defined, only when the process starts will the users who can complete the step be fed in, so it's dynamic: "Authorization of entitled user in REST API".
"Are you saying that you would like the same user to complete all steps of a given process that they start?" Thanks for that; yes, that too…
Rgds