How to secure embeded camunda rest api

khalid.nouh · March 30, 2021, 1:10pm

how i can secure embeded camunda rest api in a springboot app, as it apis can be accessed by anyone who get the url, how i can prevent this
regards

Niall · March 30, 2021, 1:23pm

You just need to update the authorization settings in the application.yml by default the security is turned off, so you just need to turn it back on.

khalid.nouh · March 30, 2021, 1:25pm

how i can turn it on ?

Niall · March 30, 2021, 1:25pm

Sorry, i meant to post this link with my last comment
https://docs.camunda.org/manual/latest/user-guide/spring-boot-integration/configuration/

khalid.nouh · March 30, 2021, 1:28pm

you meant this
camunda.bpm:
authorization:
enabled: true ?

Niall · March 30, 2021, 1:29pm

I do indeed!
be sure the get the format correct though

camunda.bpm:
  authorization:
    enabled: true

khalid.nouh · March 30, 2021, 1:32pm

i change the yml file but no changes ,
still i get access to end points like this
http://localhost:8087/engine-rest/process-definition
http://localhost:8087/engine-rest/task

aravindhrs · March 30, 2021, 1:39pm

@khalid.nouh You need to create a filter registration bean and provide an authentication provider like below:

github.com

aravindhrs/camundaenterprise/blob/master/src/main/java/com/bpm/camunda/config/CamundaSecurityFilter.java

package com.bpm.camunda.config;

import javax.servlet.Filter;
import org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CamundaSecurityFilter {

  @Bean
  public FilterRegistrationBean<Filter> processEngineAuthenticationFilter() {
    FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>();
    registration.setName("camunda-auth");
    registration.setFilter(getProcessEngineAuthenticationFilter());
    registration.addInitParameter("authentication-provider",
        "org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider");
    registration.addUrlPatterns("/engine-rest/*");
    registration.setOrder(1);

This file has been truncated. show original

khalid.nouh · March 30, 2021, 1:46pm

that’s woks thanks @aravindhrs
one question more
if i want to send user and password throw rest api how it should be?
could you give me the correct url with params
on this way
http://localhost:8087/engine-rest/task?username=demo&password=demo

aravindhrs · March 30, 2021, 1:50pm

@khalid.nouh You should pass the Basic Auth details in the Http request header.

Sample Postman request:

Curl command:

curl --location --request GET 'http://localhost:8080/engine-rest/engine'  --header 'Authorization: Basic ZGVtbzpkZW1v'

khalid.nouh · March 30, 2021, 1:51pm

okay but if i want to call it form external rest , will send them as parameters how this

aravindhrs · March 30, 2021, 1:54pm

curl --location --request GET 'http://localhost:8080/engine-rest/engine'  --header 'Authorization: Basic ZGVtbzpkZW1v'

Java - OkHttp:

OkHttpClient client = new OkHttpClient().newBuilder()
  .build();
Request request = new Request.Builder()
  .url("http://localhost:8080/engine-rest/engine")
  .method("GET", null)
  .addHeader("Authorization", "Basic ZGVtbzpkZW1v")
  .build();
Response response = client.newCall(request).execute();

Should be part of the request header.

khalid.nouh · March 30, 2021, 1:55pm

okay thanks @aravindhrs too much

vaishaliarora · July 13, 2021, 8:41pm

What to do Incase I have to pass headers along with that ?

system · January 30, 2024, 12:58pm