Tomcat Standalone REST API - 401 This request requires HTTP authentication

It is not clear from the documentation how to configure Basic Authentication for REST API with Camunda Standalone (7.6 alpha 3). Providing Authorization Basic header from the client produces 401 This request requires HTTP authentication.

What preferences should be set for Camunda Standalone to get embedded REST API with Basic Authorization?

Hi @kuz,

you have to add authentication filter to your web.xml as described here https://docs.camunda.org/manual/7.5/reference/rest/overview/authentication/. Or you can change securityFilterRules.json to allow access to the endpoints that you need.
If you choose the way of adding a filter, please note that you have to configure users in your database first and standalone archive is using embedded H2 database.

Hope that helps,
Askar

Dear @kuz,

after taking a closer look, I figured out that standalone webapp is using embedded engine with embedded REST API which is secured through cookies. That means, you will not be able to perform basic authentication against this type of distribution. What exactly are you trying to achieve? In general we recommend to use prepackaged distro, which contains REST api that can be secured with basic authentication.

Cheers,
Askar.

Hi @aakhmerov,
I am trying to provide Camunda BPM Engine as a new supporting part of existing productive application. There are several requirements:

  1. Only WAR deployment to the productive Tomcat 8 is allowed, so I am trying to find some embedded solution.
  2. Secured integration of Process Engine into external Oracle Database application via REST API.
  3. Camunda Web Apps are awesome, Access restrictions are nice, they are desired too…
  4. Schema-based multi-tenancy.

I am trying to find some “no-code, configure-only” solution, Tomcat standalone nearly fits requirements, but the external REST API is absent.

I guess forward-filter in front of /api/engine could be restricted with basic-auth. That filter could then do login stuff for internal web application.

@kuz,

would it be an option for you to configure shared engine? https://docs.camunda.org/manual/7.5/user-guide/runtime-container-integration/

you would have to deploy 2 .war files, one for engine itself and one for REST api and configure tomcat to provide datasource, ProcessEngineService, and ProcessApplicationService as jndi resources by adjusting your server.xml

here are relevant guides:
https://docs.camunda.org/manual/7.5/installation/full/tomcat/manual/
https://docs.camunda.org/manual/7.5/user-guide/process-engine/process-engine-bootstrapping/#shared-container-managed-process-engine

Cheers,
Askar

@aakhmerov, thanks for advice, I will try this way!

Few more questions:

  1. Engine .war with webapps and REST API .war will work with different REST API providers? Configured in admin-app user restriction will be applied in both calls?
  2. We have no access to Tomcat main configuration, so server.xml editing has to be avoided. Only .war deployments in one virtual host.

@Kuz, in the shared engine setup,

  1. Engine and REST api will instantiate services using org.camunda.bpm.ProcessEngineService that will be exposed as jmx bean through the container configuration and therefore use same resources.
  2. same restrictions will be applied to both applications according to authentication and authorization settings in the database
  3. you can still configure shared resources in container using META-INF\context.xml located in your .war files, for more information please refer to tomcat guide[1]

[1] https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Resource_Definitions

Cheers,
Askar

@aakhmerov Unfortunately, shared server is not an option. Production Tomcat 8.5.4 server allows only *.war deployment for external providers, we do not have any access to global libraries and JNDI. As I can see, there is no way to share Embedded Process Engine from standalone war to external REST API war.

I am trying to rewrite standalone web.xml, maybe some filter magic will help to serve REST interface for webapps with JSession cookie authorization and Basic authentication for external application.

And its done! I got single *.war with Embedded Process Engine, webapps and basic secured external rest-api!

My maven project has runtime dependency to camunda-webapp-tomcat-standalone.
applicationContext.xml is overwritten with custom process engine options.

web.xml is extended with new Forward Filter /rest/* -> /api/engine/*. Authentication is included with regular API for /rest/*. It would be nice to add such a filter for standalone as default.

Glory to Camunda API! Thanks for advices!

this seems to be what I am looking for as well … could you post your web.xml and applicationContext.xml? I am not quite sure I got the necessary changes …

Yeap! After adoptation period I will try to provide github source.

There is unwanted side effect, links attributes in REST Responses will provide wrong URL-start for external REST API or Webapp. In my case it’s not sufficient.

web.xml, applicationContext.xml, must be placed in /src/main/webapp/WEB-INF to override camunda-webapp-tomcat-standalone files. More desired way is merging with XSLT or stuff like that.

applicationContext.xml is exactly like camunda-webapp-tomcat-standalone one, but provide your DB connect.
web.xml has additional part like this:

<filter>
	<filter-name>External auth</filter-name>
	<filter-class>org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter</filter-class>
	<init-param>
		<param-name>authentication-provider</param-name>
		<param-value>org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider</param-value>
	</init-param>
	<init-param>
		<param-name>rest-url-pattern-prefix</param-name>
		<param-value>/rest</param-value>
	</init-param>
</filter>
<filter-mapping>
	<filter-name>External auth</filter-name>
	<url-pattern>/rest/*</url-pattern>
</filter-mapping>

<filter>
	<filter-name>Embedded forwarder</filter-name>
	<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
	<filter-name>Embedded forwarder</filter-name>
	<url-pattern>/rest/*</url-pattern>
	<dispatcher>REQUEST</dispatcher>
</filter-mapping>

External auth filter is default HttpBasicAuthenticationProvider, Embedded forwarder does forward to /api/engine with UrlRewriteFilter. My urlrewrite.xml is placed in /src/main/webapp/WEB-INF:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
        "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">
<urlrewrite>
	<rule>
		<note>External REST API</note>
		<from>^\/rest(.*)$</from>
		<to>/api/engine$1</to>
	</rule>
</urlrewrite>
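Added example, not part of the thread and not Camunda's or the poster's code: the setup above only protects /rest/* if the Basic-auth filter's mapping comes before the forwarder's mapping, because url-pattern filters run in web.xml order and the forward to /api/engine leaves the REQUEST chain. The sketch below audits a web.xml for that ordering and for the two init-params shown in the post; the function name `audit` and the `SAMPLE` document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTH = "org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter"
FORWARD = "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter"

# Constructed sample: the filter section from the post inside a bare <web-app>.
SAMPLE = """<web-app>
<filter><filter-name>External auth</filter-name><filter-class>%s</filter-class>
  <init-param><param-name>authentication-provider</param-name>
    <param-value>org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider</param-value></init-param>
  <init-param><param-name>rest-url-pattern-prefix</param-name><param-value>/rest</param-value></init-param>
</filter>
<filter-mapping><filter-name>External auth</filter-name><url-pattern>/rest/*</url-pattern></filter-mapping>
<filter><filter-name>Embedded forwarder</filter-name><filter-class>%s</filter-class></filter>
<filter-mapping><filter-name>Embedded forwarder</filter-name><url-pattern>/rest/*</url-pattern><dispatcher>REQUEST</dispatcher></filter-mapping>
</web-app>""" % (AUTH, FORWARD)


def text(el, tag):
    return (el.findtext(tag) or "").strip()


def audit(web_xml, pattern="/rest/*"):
    """Return findings (empty list = OK) for the filter chain on `pattern`."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # tolerate a namespaced web.xml
        el.tag = el.tag.rsplit("}", 1)[-1]
    filters = {text(f, "filter-name"): (
                   text(f, "filter-class"),
                   {text(p, "param-name"): text(p, "param-value") for p in f.findall("init-param")})
               for f in root.findall("filter")}
    # Filters mapped by url-pattern run in the order their mappings appear in web.xml.
    chain = [text(m, "filter-name") for m in root.findall("filter-mapping")
             if pattern in [(u.text or "").strip() for u in m.findall("url-pattern")]]
    classes = [filters.get(name, ("", {}))[0] for name in chain]
    findings = []
    if AUTH not in classes:
        findings.append("no authentication filter mapped to " + pattern)
    elif FORWARD in classes and classes.index(FORWARD) < classes.index(AUTH):
        # The forward leaves the REQUEST chain, so a later auth filter never runs.
        findings.append("forwarder runs before authentication on " + pattern)
    for name, cls in zip(chain, classes):
        params = filters.get(name, ("", {}))[1]
        if cls == AUTH and "authentication-provider" not in params:
            findings.append("authentication-provider not set on " + name)
        if cls == AUTH and params.get("rest-url-pattern-prefix", "") + "/*" != pattern:
            findings.append("rest-url-pattern-prefix does not match " + pattern)
    return findings
```
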

Hi Kuz,

if you deliver the links as separate elements (and not in strings) you could extend this filter to modify the responses in URLs.

Cheers,

Simon