Hi @wolfram,
Can you provide the versions of Camunda and the Spring Boot/Spring Boot Starter that you are using?
The error seems like it’s related to the CSRF filter that we have enabled. In the more recent versions it was enabled on the Spring Boot Starter Rest API as well, but it was fixed in the next patch version.
Best,
Nikola
Hi @nikola.koevski,
I combined incompatible versions of SpringBoot, Camunda Starter and Camunda Engine.
after checking [https://docs.camunda.org/manual/7.11/user-guide/spring-boot-integration/version-compatibility/](http://Spring Boot Version Compatibility) I came a bit closer.
Ultimately I pulled old Camunda jars from a https://mvnrepository.com/artifact/org.camunda.bpm.extension.springboot/camunda-bpm-spring-boot-starter-rest once I used the following in my pom.xml it worked
<repositories>
<repository>
<id>camunda-bpm-nexus</id>
<name>camunda-bpm-nexus</name>
<url>https://app.camunda.com/nexus/content/repositories/camunda-bpm-ee</url>
</repository>
<repository>
<id>camunda-bpm-nexus-public</id>
<name>camunda-bpm-nexus-public</name>
<url>https://app.camunda.com/nexus/content/groups/public</url>
</repository>
</repositories>can you give more insight on this and how to resolve?
I am facing the same issue running Camunda 7.11.0-ee with SpringBoot-Starter 3.3.1 and SpringBoot 2.1.5.RELEASE, which is a valid combination according to the docs.
Thank you!
Stefan
Hi @stefanzilske,
The problem has been resolved with Spring Boot Starter 3.3.1. You shouldn’t be seeing an error related to it.
Can you provide a log or stack trace when the problem occurs for you?
It would also be nice if you could explain your setup. Are you using both the Webapps and the Rest API?
Best,
Nikola
Hi Nikola,
I am facing the same issue.
An upgrade from Camunda 7.10 to Camunda 7.11 with
<camunda.spring.boot.version>3.3.1</camunda.spring.boot.version>
<spring.boot.version>2.1.5.RELEASE</spring.boot.version>
I use the webapps and the rest interface.
Everything is working fine except the tasklist webapp which is running but can’t get the current tasks of the user.
This is the massgae hat appears instead of the tasks:
Mislukking: Laden van de lijst met taken met fouten afgesloten. Probeer de pagina opnieuw te laden om het opnieuw te proberen
This appears in the log:
java.lang.IllegalStateException: Cannot create a session after the response has been committed
at org.apache.catalina.connector.Request.doGetSession(Request.java:2974) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.connector.Request.getSession(Request.java:2416) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:920) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at be.aquafin.bpm.filter.LoginAuthenticationFilter.doFilter(LoginAuthenticationFilter.java:93) ~[classes/:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.springframework.boot.actuate.web.trace.servlet.HttpTraceFilter.doFilterInternal(HttpTraceFilter.java:90) ~[spring-boot-actuator-2.1.3.RELEASE.jar:2.1.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:92) ~[spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93) ~[spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:117) ~[spring-boot-actuator-2.1.3.RELEASE.jar:2.1.3.RELEASE]
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:106) ~[spring-boot-actuator-2.1.3.RELEASE.jar:2.1.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) ~[spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.16.jar:9.0.16]
at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
I hope this will help to fix the problem
Best regards,
Stefan
Hi,
I have one thing to add.
After starting another application which uses the rest interface, the problem dissapears.
So suddenly the tasklist gives back the tasks. Probably now the user is properly logged in
S.
here is a complete stacktrace:
Servlet.service() for servlet [dispatcherServlet] in context with path [/myApp] threw exception
java.lang.IllegalStateException: Cannot create a session after the response has been committed
at org.apache.catalina.connector.Request.doGetSession(Request.java:2983)
at org.apache.catalina.connector.Request.getSession(Request.java:2416)
at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908)
at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:920)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:249)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:249)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:249)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:249)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:249)
at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.AbstractRequestLoggingFilter.doFilterInternal(AbstractRequestLoggingFilter.java:262)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at ch.qos.logback.classic.helpers.MDCInsertingServletFilter.doFilter(MDCInsertingServletFilter.java:49)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.actuate.web.trace.servlet.HttpTraceFilter.doFilterInternal(HttpTraceFilter.java:90)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:121)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:92)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:117)
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:106)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:68)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:185)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:836)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1747)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
We are using webapps as well as REST-API, however this exception occurs in tests, where neither of them is involved. I am testing my own REST-API of the SpringBoot app, which also has Camunda embedded. Camundas AuthenticationFilter intercepts those calls and and is eagerly forces to create a new session (if no one is present) by calling req.getSession() instead of req.getSession(false). We have session management enabled only for the Camunda webapps btw.
We were upgrading from SpringBoot 2.1.2, Camunda 7.10.2-ee and SpringBoot-Starter 3.2.0.
Cheers,
Stefan
I haven’t been able to replicate your problem. Can you provide a sample project where the problem occurs so I can see reproduce it on my side?
Best,
Nikola
Hi @nikola.koevski,
not easily, as it is a customer’s service. I can try to reproduce in a standalone example. Will let you know is it is possible. Otherwise I will contact the EE support.
Thanks so far!
Stefan
unfortunately I was not able to reproduce this issue in a simple exampke I could share with you. I guess it is specific to our envirnment, which is also running Keycloak and has a specific SpringSecurity configuration.
Is there any way I can replace Camunda’s AuthenticationFilter with my own implementation?
Cheers,
Stefan
Hi @stefanzilske,
Thanks for the response.
Are you using a custom context path or the default one for the Rest API and the Webapps? Also, what is the context path of your Rest API?
Regarding your question, you can extend and replace the CamundaBpmWebappInitializer bean here: https://github.com/camunda/camunda-bpm-spring-boot-starter/blob/4556113db9db09592f32752aef7a79e0e63fc1d1/starter-webapp-core/src/main/java/org/camunda/bpm/spring/boot/starter/webapp/CamundaBpmWebappAutoConfiguration.java#L46-L49.
You can find the CamundaBpmWebappInitializer class here: https://github.com/camunda/camunda-bpm-spring-boot-starter/blob/master/starter-webapp-core/src/main/java/org/camunda/bpm/spring/boot/starter/webapp/CamundaBpmWebappInitializer.java#L89.
To debug the problem, I would start by disabling the CsrfPreventionFilter since that is the one responsible for closing off the current session if a CSRF Token is missing.
Is the problem removed by making these changes?
Best,
Nikola
Hi @nikola.koevski,
we define our own server.servlet.context-path: /custompath, so Camunda webapps are at /custompath/app/ and REST-API at /custompath/rest/.
When I override CamundaBpmWebappInitializer and disable the CsrfPreventionFilter, the errors are gone. I will perform some more tests, to validate that everything else works like expected, but it looks much better.
Edit: I just realized, that we disabled csrf support in our SpringSecurity configuration. Most likely because we don’t need it behind our Keycloak anyway. I will see if I can enable it without side effects and if this will solve the problem, when the CsrfPreventionFilter is active.
Edit2: No, enable csrf through SpringSecurity does not help. So it comes down to diasbling Camunda’s csrfPreventionFilter.
Cheers,
Stefan
Hi @stefanzilske,
Thanks for the extra information. I will try to replicate the issue.
Is your own Rest API also located at /custompath/rest/?
Best,
Nikola
No, it’s at /custompath/api/ and /custompath/webresources/.
@stefanzilske this makes it clearer.
The /custompath/api/ is actually mapped in the CsrfPreventionFilter through the /api/* parameter here:
registerFilter("CsrfPreventionFilter", SpringBootCsrfPreventionFilter.class, properties.getWebapp().getCsrf().getInitParams(),"/api/*", "/app/*");
Any modifying requests sent at endpoint on this path will expect a CSRF token.
The /api/* and /app/* segments come from the Camunda Webapps and can’t be changed, so without overriding CamundaBpmWebappInitializer and disabling the CsrfPreventionFilter, you would have to change the context path of your Rest API (ex. /custompath/rest-api/).
Does modifying the context path of your Rest API solve the problem?
Best,
Nikola
yes, changing our API-path solves the problem. Unfortunately, since our application has already grown for a while and as we are running Camunda in several Microservices, changing the path is not a short-term solution. So I guess we will stick with overriding the WebappInitializer at least for a while.
Do you think the possibility to disable the csrfPreventionFilter through a Spring property would be an option?
Cheers and thank you very much for investigating this!
Stefan
Hi @thedenische,
sure, it is pretty easy. I wrote my own WebappInitializer, extending the CamundaBpmWebappInitializer (actually, I needed to just copy the one from Camunda, as all its internal methods are private). Overriding the onStartup method, I just removed the statement mentioned by @nikola.koevski:
registerFilter("CsrfPreventionFilter", SpringBootCsrfPreventionFilter.class, properties.getWebapp().getCsrf().getInitParams(),"/api/*", "/app/*");
You also need a bean configuration to replace the CamundaBpmWebappInitializer bean:
@Configuration
@Import(CamundaBpmWebappAutoConfiguration.class)
public class MyOwnCamundaWebappConfiguration {
@Bean
@Primary
public CamundaBpmWebappInitializer camundaBpmWebappInitializer(CamundaBpmProperties properties) {
return new MyOwnCamundaWebappInitializer(properties);
}
}
That did the trick.
Cheers,
Stefan