Hi there,
we are trying to protect the Camunda Cockpit with SSO (Keycloak). We have already seen the example (https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso) and tried to integrate it into our project.
We took the SpringSecurityAuthenticationProvider from the example and updated the SecurityConfig with our own.
Our SecurityConfig looks like:
```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Surrounding class and configure() method added so the posted chain compiles;
// the matcher chain itself is the configuration as posted.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors().and()
            // disable csrf for api
            .csrf().disable()
            // authorize requests
            .authorizeRequests()
                // allow OPTIONS for all requests (CORS preflight)
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // exclude camunda routes from security
                .antMatchers(HttpMethod.GET, "/app/**").permitAll()
                .antMatchers(HttpMethod.PUT, "/app/**").permitAll()
                .antMatchers(HttpMethod.POST, "/app/**").permitAll()
                .antMatchers(HttpMethod.GET, "/lib/**").permitAll()
                .antMatchers(HttpMethod.PUT, "/lib/**").permitAll()
                .antMatchers(HttpMethod.POST, "/lib/**").permitAll()
                .antMatchers(HttpMethod.GET, "/api/**").permitAll()
                .antMatchers(HttpMethod.PUT, "/api/**").permitAll()
                .antMatchers(HttpMethod.POST, "/api/**").permitAll()
                // allow health checks
                .antMatchers(HttpMethod.GET, "/actuator/health").permitAll()
                .antMatchers(HttpMethod.GET, "/actuator/info").permitAll()
                // only allow authenticated users to call the API
                .antMatchers(HttpMethod.GET, "/**").authenticated()
                .antMatchers(HttpMethod.PUT, "/**").authenticated()
                .antMatchers(HttpMethod.POST, "/**").authenticated()
                // whitelisting, everything else is denied
                .anyRequest().denyAll();
    }
}
```
Unfortunately the SpringSecurityAuthenticationProvider is never used. Can anyone explain to us how it works? Where exactly do we get the user from Keycloak? Do we need any further code?
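For comparison, here is an added example (not the poster's code and not the camunda-consulting snippet) of the two pieces that are usually involved: a Spring Security chain in which the Cockpit routes under /app and /api are actually authenticated instead of permitted, and the Camunda ContainerBasedAuthenticationFilter registration that hands the Spring Security principal to the web app via the provider. The provider's package (com.example.sso), the filter order and the URL pattern are assumptions to check against the Camunda and Spring Boot versions in use.

```java
import java.util.Collections;

import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors().and()
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // static web app assets and health endpoints may stay public
                .antMatchers("/lib/**").permitAll()
                .antMatchers(HttpMethod.GET, "/actuator/health", "/actuator/info").permitAll()
                // Cockpit/Tasklist/Admin and their REST calls need a login: with
                // permitAll() here Spring Security never authenticates these
                // requests, so there is no principal for the provider to read
                .antMatchers("/app/**", "/api/**").authenticated()
                .anyRequest().denyAll()
            .and()
            // OIDC login against the Keycloak client configured under
            // spring.security.oauth2.client.* in the application properties
            .oauth2Login();
    }

    // Camunda's container-based authentication filter runs after the Spring
    // Security chain and asks the provider for the already-authenticated user
    // on each web app request; without this bean the provider is never called.
    @Bean
    public FilterRegistrationBean<ContainerBasedAuthenticationFilter> camundaAuthFilter() {
        FilterRegistrationBean<ContainerBasedAuthenticationFilter> reg = new FilterRegistrationBean<>();
        reg.setFilter(new ContainerBasedAuthenticationFilter());
        reg.setInitParameters(Collections.singletonMap("authentication-provider",
                "com.example.sso.SpringSecurityAuthenticationProvider")); // assumed package
        reg.setOrder(101);              // assumed: after Spring Security's filter chain
        reg.addUrlPatterns("/app/*");   // assumed: web app routes only
        return reg;
    }
}
```

A quick check that the wiring is active: an unauthenticated GET on /app/cockpit/ should now redirect to Keycloak, and after login the Cockpit header should show the Keycloak username that the provider returns.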