Secure custom REST Endpoints with Webapps' Session

Hi everyone,

I want to use Camunda for process management in our firm. For a start, I’d like to use the built-in Webapps to execute and control processes. In addition, I want to make use of Camunda’s embedded Forms capabilities. Currently, I’m using Camunda with Spring Boot starters.

In our forms, we need additional data that is saved in our database. As far as I can see, the only possible way to accomplish this is by providing the data via custom REST endpoints and retrieving the information with Angular HTTP.
I want to secure our custom REST endpoints using the same session cookie which is used for securing the Webapps and their APIs, i.e. /api/* and /app/*.

How can I register, say, /custom-api/* as an additional path that is secured by the same authentication provider that is securing the Webapps’ endpoints?

Thank you in advance.

Hi @adippel,

If you take a look at the web.xml file of the Camunda webapp, you will see that a security filter is defined, where the JSON file below is used as the configuration point from which you can set deniedPaths & allowedPaths.


You can use the above configuration file to restrict access to your custom REST endpoint too, but your custom REST application should be defined under the Camunda webapp context in this case.

Hi @hassang ,

I did find these rules, however, I thought that this needs too much fiddling around and doesn’t integrate neatly.
I figured out another approach that should be working fine.
I’m registering a custom Filter for the URL pattern /custom-api/*. The filter itself is looking up the Authentications from the session. If no authentications are found, then the User hasn’t logged in before.

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) servletRequest;
    HttpServletResponse res = (HttpServletResponse) servletResponse;
    HttpSession sess = req.getSession();

    // Authentications stored in this session by the Camunda webapps at login
    Authentications authentications = Authentications.getFromSession(sess);
    if(authentications.getAuthentications().size() == 0) {
        // No webapp login found in this session: reject the request
        sendUnauthorized(req, res);
    } else {
        filterChain.doFilter(servletRequest, servletResponse);
    }
}

Do you see anything wrong in doing it this way?
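
For reference, a fuller version of the session-based filter discussed in this thread, including its Spring Boot registration for /custom-api/*. This is an added example, not code from the original posts or from Camunda. The class and bean names, the javax.servlet imports, the use of getSession(false) so anonymous requests do not create a session, and the GET/HEAD restriction (chosen because the endpoints here only serve form data) are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;          // assumption: javax-era stack (Spring Boot 2 / Camunda 7)
import javax.servlet.http.*;
import org.camunda.bpm.webapp.impl.security.auth.Authentications;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CustomApiSecurityConfig {   // hypothetical name

    // Bind the filter to the custom path only; the webapps keep their own filters.
    @Bean
    public FilterRegistrationBean<Filter> customApiSessionFilter() {
        FilterRegistrationBean<Filter> reg = new FilterRegistrationBean<>();
        reg.setFilter(new WebappSessionFilter());
        reg.addUrlPatterns("/custom-api/*");
        return reg;
    }

    static class WebappSessionFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;

            // getSession(false): never allocate a session for an anonymous caller.
            HttpSession session = req.getSession(false);
            boolean loggedIn = session != null
                    && !Authentications.getFromSession(session).getAuthentications().isEmpty();
            if (!loggedIn) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;   // stop here; do not fall through to the endpoint
            }
            // A session cookie is sent on cross-site requests too, so this sketch
            // admits read-only methods only; writes would need CSRF protection.
            String method = req.getMethod();
            if (!"GET".equals(method) && !"HEAD".equals(method)) {
                res.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return;
            }
            chain.doFilter(request, response);
        }
    }
}
```

The filter only proves that someone is logged in to the webapps; any per-user or per-process authorization still has to happen in the endpoint itself.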