Cleanest way to segregate Rest and WebApp URls from rest of SpringBoot Rest APIs

@jangalinski what is the cleanest/best way to setup HttpSecurity on Springboot to segregate the Camunda Rest API and Web apps?

There seems to be a mess of different configurations…

There is:

  1. spring.jersey.application-path: .... for the rest api
  2. There is the Web Apps url (/app/** ? ) (which seems to be server.context ?)
  3. And there is activating REST Auth on the Engine.

From what I see there is using the Additional Filter such as, which will use the Users of the Camunda DB.

Is there a Way to set custom WebAPP Urls without effecting the rest of the Spring Boot App (The non-camunda parts) ?

The goal here would be to push the engine’s rest endpoints and the Web apps into their own path such as /camunda/rest/... and camunda/webapps/...

Rest you can do this wth spring.jersey.application-path, but Web Apps can support this?

Am i missing a config for this?


Hi Stephen,

although I did a lot of work for the spring extension in the past, it meanwhile is an official camunda library, so better do not address those kind of questions directly to me … you will have more feedback if it does not seem like a conversation.

To your question: I have to admit that I am not that deep into web-security and the camunda-jersey-setup worked “somehow” with spring boot, but I never really researched why. When it comes to details, there has been a lot of hints and discussions in this forum, but I wont be any help.


Thanks Jan. Since this was a legacy “feature” from when you were working on it, I hopped you had the trinket of knowledge :wink:

Unfortunately not … but I remember bringing jersey and spring mvc together was fun.

Shouldnt the word fun be in quotes :wink:fun

I think we are starting to settle on the idea, that the Rest API and Webapps should likely just be their own maven modules in a project that use the same DBs.

So that you can just put the Rest api on its own port and the web apps on its own port and use the defaults configurations.

The amount of layers that seem to be required for running the rest-api, web-apps, and the non-camunda apis all together, with tailoring of the endpoints are increasingly messy, and just waiting for a “accident”.

It would seem that the “strategy” would be to run these always as their own modules/apps so you can control them in their own isolation.