Selective REST API Authentication

Is there an “easy” way to set up Camunda in WildFly so that requests to the HTTPS port 8443 will require REST API authentication and requests to the HTTP port will not?

We have some applications that can’t speak HTTP Basic Authentication, so I was trying to see if there’s a “hybrid” approach. I’m wondering if proper filtering in the web.xml file would do it.

Thanks.

Michael
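The “hybrid” asked about above can be expressed as a decision inside the servlet filter chain on how the request arrived. The class below is an added example, not code from this thread or from Camunda: it assumes Camunda’s documented REST API authentication filter class, `org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter`, can be subclassed, that the `javax.servlet` API is in use, and that the REST API war’s web.xml is edited to name the subclass instead of the documented class while keeping the documented `authentication-provider` init-param. The package name `com.example.camunda.security` and the class name are placeholders.

```java
package com.example.camunda.security; // placeholder package

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter;

/**
 * Demands credentials only for requests that arrived over TLS (the 8443
 * listener); plain-HTTP requests are passed through unauthenticated.
 *
 * Corresponding web.xml entry in the REST API war (only the filter-class
 * differs from Camunda's documented configuration):
 *
 *   <filter>
 *     <filter-name>camunda-auth</filter-name>
 *     <filter-class>com.example.camunda.security.TlsOnlyAuthenticationFilter</filter-class>
 *     <async-supported>true</async-supported>
 *     <init-param>
 *       <param-name>authentication-provider</param-name>
 *       <param-value>org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>camunda-auth</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class TlsOnlyAuthenticationFilter extends ProcessEngineAuthenticationFilter {

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {

    // isSecure() is set by the container from the listener the request came in on.
    // Behind a TLS-terminating proxy it stays false unless the container has been
    // told to trust the proxy's forwarded-protocol header.
    if (!request.isSecure()) {
      // Plain HTTP: skip the credential check; the engine sees no authenticated user.
      chain.doFilter(request, response);
      return;
    }

    // HTTPS: run Camunda's normal HTTP Basic check (401 with WWW-Authenticate on failure).
    super.doFilter(request, response, chain);
  }
}
```

With this in place the whole REST API is reachable without credentials on the HTTP listener, so reachability of that port (bind address, firewall, or network zone) becomes the only access control for it; the check is worth verifying with one request to each port after deployment, and again after any change to proxying in front of WildFly, since `isSecure()` is what the whole decision rests on.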

Hi @mppfor_manu,

I assume the easiest way would be to remove the authentication filter in your webapp and enable basic authentication in an HTTP server placed before the application server. Looks somewhat like this.

Does that help you?
Askar

Another option is to create domains specific to each client application’s requirements. This assumes these external applications can manage with a few custom ReST interface calls.

For discrete security access-controls I like to use annotations. This way you have one set of custom ReST interfaces, each defining its own access requirements.

@PermitAll

	@GET
	@Path("echoget/{hello}")
	@PermitAll
	@Produces(MediaType.APPLICATION_JSON)
	public String echoGet(@PathParam("hello") String hello) {
		// Open endpoint: any caller, authenticated or not, reaches this method.
		return "{\"echo\":\"" + hello + "\"}";
	}

@RolesAllowed

	@GET
	@Path("secureechoget/{hello}")
	@RolesAllowed({"myusergroup","camgroup1","camunda-admin"})
	@Produces(MediaType.APPLICATION_JSON)
	public String secureEchoGet(@PathParam("hello") String hello,
			@Context SecurityContext security) {
		// The container rejects callers outside the listed roles before this runs,
		// so an authenticated principal is guaranteed to be present here.
		String user = security.getUserPrincipal().getName();
		return "{\"echo\":\"" + hello + "\",\"user\":\"" + user + "\"}";
	}

Here’s the source at GitHub - for example only at this stage.

As always, thanks for the quick response from the best user community in the world!

However, this doesn’t really answer the question, or if it does, it answers it obliquely. Are you saying that there’s no way to modify the web.xml of the Camunda REST API war file (WildFly distribution)? We cannot modify the clients in any way and it’s not worth the effort to create any sort of custom authentication.

Thanks.

Michael

Hi Michael,

Another option could be to consider using an API gateway. Thus the engine is in a trusted zone, your clients are in a semi-trusted zone and the gateway mediates the two.

The gateway is thus a reverse proxy. NGINX’s proxy_pass directive can perform this kind of authenticated access…

Edit: I see this style was already suggested…

regards

Rob

Well, Rob, that’s actually what we’re doing for some client using Talend ESB.

It sounds like there is no way to do this through some simple web.xml configuration filters, and it’s not hyper-critical. It would just be convenient to support both authentication and non-authentication on different protocols.

Thanks.

Michael