How to use RequestAuthorizer and Authentications class?

Hi,

we currently are in the process of evaluating Camunda BPM and I’m playing around with the authentication at the moment.

Unfortunately, I got stuck trying to use the EngineRequestAuthorizer:

Solely using HTTP Basic Authentication based on the HttpBasicAuthenticationProvider actually works without any issues, but if I also try to use an additional authorizer for requests to the engine, I’m not able to authenticate anymore.

Authentications.getCurrent() is always empty, but identityService.getCurrentAuthentication() returns the correct authenticated user ID though.

So requests only work if I grant anonymous authorization in the request authorizer.

Can you give me some hints or point me to some documentation? What am I probably missing?
Or what did I get wrong?

Thanks in advance!

Andreas

Hi Andreas,

Can you please explain what you are trying to achieve in more detail? Are you trying to extend the authentication procedure for the Camunda web application or for a custom application?

While HttpBasicAuthenticationProvider is a REST API class and mentioned in the documentation, EngineRequestAuthorizer is an internal class of the Camunda webapps that, in combination with org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter, implements session-based authentication. It is not supposed to be reused in custom projects; however, there is also no reason why you should not do it. I assume you are missing the latter class as a servlet filter, since it calls the method Authentications#setCurrent.

Cheers,
Thorben
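To make the two mechanisms from the reply above concrete, here is an added web.xml fragment (example configuration written for this page, not taken from the thread or from Camunda's shipped descriptors) that wires up both: the documented REST API filter with HttpBasicAuthenticationProvider, and the webapp-style session authentication in which AuthenticationFilter populates Authentications.getCurrent() before the SecurityFilter evaluates the securityFilterRules.json rules that reference EngineRequestAuthorizer. The filter names, the url-patterns, the rules file path and the pairing of SecurityFilter with its configFile parameter are assumptions about a custom deployment; the class names are the ones named in the thread plus ProcessEngineAuthenticationFilter and SecurityFilter from the Camunda REST API and webapp modules.

```xml
<!-- Added example (not from the original thread): web.xml fragment for a custom
     web application. Filter chain order follows filter-mapping order, so the
     mappings below are listed in the order the requests must traverse them. -->

<!-- 1) Stateless HTTP Basic authentication for the REST API.
        This is the documented, supported path for custom projects. -->
<filter>
  <filter-name>camunda-rest-auth</filter-name> <!-- assumed name -->
  <filter-class>org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter</filter-class>
  <init-param>
    <param-name>authentication-provider</param-name>
    <param-value>org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider</param-value>
  </init-param>
</filter>

<!-- 2) Session-based authentication as used by the Camunda webapps.
        AuthenticationFilter reads the HTTP session and calls
        Authentications#setCurrent; without it Authentications.getCurrent()
        is always empty and EngineRequestAuthorizer only ever sees anonymous
        requests, which is the symptom described in the question. -->
<filter>
  <filter-name>camunda-session-auth</filter-name> <!-- assumed name -->
  <filter-class>org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter</filter-class>
</filter>

<!-- 3) Rule-based authorizer; the JSON rules file is where
        EngineRequestAuthorizer is referenced. Path is an assumption. -->
<filter>
  <filter-name>camunda-security</filter-name> <!-- assumed name -->
  <filter-class>org.camunda.bpm.webapp.impl.security.filter.SecurityFilter</filter-class>
  <init-param>
    <param-name>configFile</param-name>
    <param-value>/WEB-INF/securityFilterRules.json</param-value>
  </init-param>
</filter>

<!-- REST API: Basic auth only; url-pattern is an assumption for this deployment. -->
<filter-mapping>
  <filter-name>camunda-rest-auth</filter-name>
  <url-pattern>/engine-rest/*</url-pattern>
</filter-mapping>

<!-- Webapp-style paths: AuthenticationFilter MUST be mapped before
     SecurityFilter, otherwise the authorizer runs on an empty
     Authentications object and denies everything non-anonymous. -->
<filter-mapping>
  <filter-name>camunda-session-auth</filter-name>
  <url-pattern>/app/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>camunda-security</filter-name>
  <url-pattern>/app/*</url-pattern>
</filter-mapping>
```

The security-relevant point is the ordering: the webapp authorizer is only as good as what AuthenticationFilter has put into Authentications before it runs, so a deployment that maps SecurityFilter without AuthenticationFilter (or ahead of it) either locks everyone out or, if anonymous access is granted in the rules to "make it work", silently removes the check. Since AuthenticationFilter and EngineRequestAuthorizer are internal webapp classes rather than public API, expect their package names and behaviour to change between Camunda versions; the REST API filter with HttpBasicAuthenticationProvider is the path that is covered by the documentation.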

Hi Thorben,

thanks for your reply! That clarifies a lot.

At that point there’s nothing special I want to achieve. Instead I’m playing around with the authentication procedure to get to know what’s available out of the box and could be useful for our application going forward.

You’re perfectly right regarding the AuthenticationFilter class. I didn’t see that one and wasn’t aware of the fact that the request authorizer is intended for session-based authentication.
Instead, I assumed it would be some sort of second level security mechanism when I saw it in the securityFilterRules.json.

I think we’ll be fine with the HttpBasicAuthenticationProvider then, but good to know where to get started if a session-based approach is required though.

Regards,
Andreas