Setting Application Authorization with LDAP, Spring Boot

Hi good people :slight_smile:
I am using OpenLDAP for the first time and am trying to create user access levels in Admin, but when I try to set a User group to access only Tasklist, they are still able to access Admin and Cockpit. I'm assuming that this is something that I should be setting in Admin even though I am using LDAP?

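import org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin;
import org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests().antMatchers("/").permitAll();
        http.headers().frameOptions().disable();
    }

    // Grants the user "demo" all permissions on all resources
    @Bean
    public static AdministratorAuthorizationPlugin administratorAuthorizationPlugin() {
        AdministratorAuthorizationPlugin plugin = new AdministratorAuthorizationPlugin();
        plugin.setAdministratorUserName("demo");
        return plugin;
    }

    // Reads users and groups from the LDAP directory
    @Bean
    public static LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {
        LdapIdentityProviderPlugin plugin = new LdapIdentityProviderPlugin();
        plugin.setServerUrl("ldap://localhost:389");
        plugin.setManagerPassword("demo");
        plugin.setSecurityAuthentication("simple");
        plugin.setBaseDn("dc=maxcrc,dc=com");
        plugin.setManagerDn("cn=Manager,dc=maxcrc,dc=com");

        plugin.setGroupIdAttribute("cn");
        plugin.setGroupNameAttribute("cn");
        plugin.setGroupMemberAttribute("member");
        plugin.setAuthorizationCheckEnabled(true);

        return plugin;
    }
}
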
My application.yaml

spring:
  datasource:
    platform: mysql
    url: jdbc:mysql://127.0.0.1:3306/CamundaDB?createDatabaseIfNotExist=true
    username: root
    password: root
    driver-class-name: com.mysql.cj.jdbc.Driver

  jpa:
    hibernate:
      # To be updated in real production usage!
      ddl-auto: create-drop

server:
  port: 8080

Setting in Admin

1 Like

Hi @Jennie
Welcome along to the forum.

Can you give me a few more details about how you set up the users and what the group->user association looks like?

Hi Niall,

I finally got it working after adding authorization in the application.yaml. I thought this was redundant as I set authorization by code, but maybe they are setting different authorizations?

YAML
camunda:
  bpm:
    authorization:
      enabled: true

Code
plugin.setAuthorizationCheckEnabled(true);

1 Like
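
An added example, not part of the thread or of Camunda's own code: a Spring Boot startup component that refuses to run when engine authorization is off, grants a group access to Tasklist only, and then confirms that group membership alone does not open Admin or Cockpit. The group id `tasklist-users`, the user id `probe-user` and the class name are assumptions for illustration.

```java
import java.util.Collections;
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.springframework.boot.CommandLineRunner;
import org.springframework.stereotype.Component;

@Component
public class TasklistOnlyAuthorization implements CommandLineRunner {
    // Hypothetical values: the cn of an LDAP group and a non-admin member of it
    private static final String GROUP_ID = "tasklist-users";
    private static final String PROBE_USER = "probe-user";
    private final ProcessEngine engine;

    public TasklistOnlyAuthorization(ProcessEngine engine) {
        this.engine = engine;
    }

    @Override
    public void run(String... args) {
        // Engine-wide switch, set by camunda.bpm.authorization.enabled in application.yaml
        if (!engine.getProcessEngineConfiguration().isAuthorizationEnabled()) {
            throw new IllegalStateException("Engine authorization is disabled; grants are not enforced");
        }
        AuthorizationService authz = engine.getAuthorizationService();
        // Create the Tasklist grant only if it is not already stored
        boolean granted = authz.createAuthorizationQuery()
                .groupIdIn(GROUP_ID)
                .resourceType(Resources.APPLICATION)
                .resourceId("tasklist")
                .count() > 0;
        if (!granted) {
            Authorization grant = authz.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
            grant.setGroupId(GROUP_ID);
            grant.setResource(Resources.APPLICATION);
            grant.setResourceId("tasklist"); // not "*", which would cover every webapp
            grant.addPermission(Permissions.ACCESS);
            authz.saveAuthorization(grant);
        }
        // Fail fast if the group can still reach the other webapps
        for (String app : new String[] {"admin", "cockpit"}) {
            if (authz.isUserAuthorized(PROBE_USER, Collections.singletonList(GROUP_ID),
                    Permissions.ACCESS, Resources.APPLICATION, app)) {
                throw new IllegalStateException(GROUP_ID + " unexpectedly has ACCESS to " + app);
            }
        }
    }
}
```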