##### application.properties ( for all profiles ): info.app.name=@project.name@ info.app.description=@project.description@ info.app.version=@project.version@ info.app.encoding=@project.build.sourceEncoding@ info.app.java.version=@java.version@ server.port=58081 server.servlet.context-path=/camunda-ecl allowedOrigins= LIST OF MY ORIGINS #Apache Proxy server.use-forward-headers=true camunda.bpm.database.type=postgres #issue using prefix: https://stackoverflow.com/questions/40989183/camunda-spring-boot-starter-create-database-in-schema-not-working camunda.bpm.database.table-prefix=camunda. #camunda.bpm.database.schema-update=drop-create # uncomment to create POSGRES DB in public folder camunda.bpm.database.schema-name=camunda camunda.bpm.history-level: audit camunda.bpm.filter.create: All tasks spring.application.name=camunda-ecl spring.datasource.url: ${POSTGRES_CAMUNDA:jdbc:postgresql://postgres:5432/ecl_camunda} spring.datasource.username: name spring.datasource.password: password spring.datasource.driver-class-name: org.postgresql.Driver spring.datasource.platform: ${DATASOURCE_PLATFORM:postgres} spring.jpa.hibernate.ddl-auto=none #spring.jpa.hibernate.ddl-auto=create # it will create default h2 DB #spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=create # enable REST calls to Camunda via Postman spring.jersey.application-path: /rest #spring.profiles.active=basic,engine # without keycloak spring.profiles.active=${SPRING_PROFILES_ACTIVE:engine,keycloakplugin} debug=${DEBUG:false} logging.config=classpath:logging.xml ##### application-keycloakplugin.properties ( for keycloak only ): camunda.bpm.history-level=audit camunda.bpm.authorization.enabled=true camunda.bpm.filter.create=All tasks keycloak.url.server=${KEYCLOAK_SERVER_URL:https://MY_URL} keycloak.cors=true keycloak.use-resource-role-mappings=true # turned on for using client roles instead realm roles / I also tested with realm roles but same error 
spring.security.oauth2.client.registration.keycloak.provider=keycloak spring.security.oauth2.client.registration.keycloak.client-id=camunda-ecl spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CAMUNDA_CLIENT_SECRET} spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code # in the line below the redirect URL is hard-coded, because with the default setting an HTTP URL was generated, which caused a MixedContent error (HTTP and HTTPS mixed) spring.security.oauth2.client.registration.keycloak.redirect-uri=https://MY_URL/{action}/oauth2/code/{registrationId} spring.security.oauth2.client.registration.keycloak.scope=openid, profile, email spring.security.oauth2.client.provider.keycloak.issuer-uri=${keycloak.url.server}/realms/my-realm spring.security.oauth2.client.provider.keycloak.authorization-uri=${keycloak.url.server}/realms/my-realm/protocol/openid-connect/auth spring.security.oauth2.client.provider.keycloak.user-info-uri=${keycloak.url.server}/realms/my-realm/protocol/openid-connect/userinfo spring.security.oauth2.client.provider.keycloak.token-uri=${keycloak.url.server}/realms/my-realm/protocol/openid-connect/token spring.security.oauth2.client.provider.keycloak.jwk-set-uri=${keycloak.url.server}/realms/my-realm/protocol/openid-connect/certs spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username logging.level.org.springframework.security=DEBUG plugin.identity.keycloak.keycloakIssuerUrl=${keycloak.url.server}/realms/my-realm plugin.identity.keycloak.keycloakAdminUrl=${keycloak.url.server}/admin/realms/my-realm plugin.identity.keycloak.clientId=camunda-ecl plugin.identity.keycloak.clientSecret=${KEYCLOAK_CAMUNDA_CLIENT_SECRET} plugin.identity.keycloak.useEmailAsCamundaUserId=false plugin.identity.keycloak.useUsernameAsCamundaUserId=true plugin.identity.keycloak.useGroupPathAsCamundaGroupId=true plugin.identity.keycloak.administratorGroupName=camunda-admin ####### Apache httpd.config ... 
RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*[^/])$ /$1/ [L,R=301] ServerName MY_SERVER Redirect permanent / https://MY_URL ServerName MY_SERVER DocumentRoot /usr/local/apache2/htdocs ServerAlias MY_ALIAS ProxyRequests Off ProxyPreserveHost On SSLProxyEngine On SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerExpire on RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Port "443" # Used to fix a CORS error ( the current error does not depend on this ) Header always set Access-Control-Allow-Origin "https://MY_URL" Header always set Access-Control-Allow-Headers "Authorization, Content-Type" Header always set Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS" Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location" # Header edit Location ^http://(.*)$ https://$1 # used to fix a MixedContent error ( the current error does not depend on this ) ... ProxyPass /camunda-ecl/ http://camunda-ecl:58081/camunda-ecl/ ProxyPassReverse /camunda-ecl/ http://camunda-ecl:58081/camunda-ecl/ ... SSLEngine on SSLCertificateFile /usr/local/apache2/conf/server.crt SSLCertificateKeyFile /usr/local/apache2/conf/server.key ... 
######## WebAppSecurityConfig - here I did some changes as there was CORS issue with REST
/**
 * Spring Security configuration for the {@code keycloakplugin} profile.
 *
 * <p>Registers one filter chain for every path ({@code requestMatchers().antMatchers("/**")}),
 * protects the Camunda webapp, the webapp API, the webapp libraries and the Jersey REST
 * endpoint with OAuth2 login, and leaves every other path anonymous
 * ({@code anyRequest().permitAll()}). The class is skipped when the JUnit 5 Spring
 * extension is on the classpath, so tests run without it.
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>CSRF checking is switched off for exactly the paths that require authentication
 *       ({@code /camunda/app/**}, {@code /camunda/api/**}, {@code /rest/**}). The session
 *       established by {@code oauth2Login()} is cookie based, so state-changing requests to
 *       those paths are accepted without a CSRF token; the CORS headers set in the reverse
 *       proxy are a browser-side check and are not a replacement for CSRF protection on
 *       simple (form-style) requests.</li>
 *   <li>The REST path is hard-coded as {@code "/rest/**"} in both matchers although
 *       {@link #restPath} is injected from {@code spring.jersey.application-path}; the two
 *       diverge silently if the property is changed.</li>
 * </ul>
 *
 * <p>NOTE(review): the closing brace of this class is not part of the visible excerpt.
 */
@ConditionalOnMissingClass("org.springframework.test.context.junit.jupiter.SpringExtension")
@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
@Profile("keycloakplugin")
public class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Jersey application path (defaults to {@code /rest}); currently not read by any visible method. */
    @Value("${spring.jersey.application-path:/rest}")
    private String restPath;

    /**
     * Builds the HTTP security rules.
     *
     * <p>The CSRF token is stored in a cookie that is readable from JavaScript
     * ({@code withHttpOnlyFalse()}), which is the usual setup for a browser client that
     * echoes the token back in a header; the webapp, webapp API and REST paths are then
     * excluded from CSRF checking altogether. Requests matching the listed prefixes must be
     * authenticated, everything else is permitted, and authentication is done through the
     * OAuth2/OIDC login flow configured under {@code spring.security.oauth2.client}.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            // CSRF disabled for the authenticated paths -- see the class Javadoc for the implication
            .ignoringAntMatchers("/camunda/app/**","/camunda/api/**","/rest/**").and().requestMatchers().antMatchers("/**").and()
            .authorizeRequests(authorizeRequests -> authorizeRequests
                // literal "/rest/**": not derived from restPath
                .antMatchers("/camunda/app/**", "/camunda/api/**", "/camunda/lib/**", "/rest/**")
                .authenticated().anyRequest().permitAll())
            .oauth2Login();
    }

    /**
     * Registers Camunda's {@code ContainerBasedAuthenticationFilter} for the webapp only
     * ({@code /camunda/app/*}), delegating to the Keycloak authentication provider named in
     * the init parameter. Order 101 places it after the Spring Security filter chain so the
     * security context is already populated when it runs.
     *
     * <p>NOTE(review): the filter is not mapped to {@code /camunda/api/*} or {@code /rest/*};
     * whether those paths get a Camunda engine identity from elsewhere is not visible here --
     * confirm against the rest of the project.
     *
     * @return the filter registration for the container-based authentication filter
     */
    @SuppressWarnings({ "rawtypes", "unchecked" })
    @Bean
    public FilterRegistrationBean containerBasedAuthenticationFilter() {
        FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
        filterRegistration.setFilter(new ContainerBasedAuthenticationFilter());
        filterRegistration.setInitParameters(Collections.singletonMap("authentication-provider", "de.my_path.camunda.config.plugin.KeycloakAuthenticationProvider"));
        filterRegistration.setOrder(101); // make sure the filter is registered after the Spring Security Filter Chain
        filterRegistration.addUrlPatterns("/camunda/app/*");
        return filterRegistration;
    }

    /**
     * Exposes the current request to the Camunda authentication provider via
     * {@code RequestContextHolder}; ordered first so it is available to every later bean.
     *
     * @return a new {@link RequestContextListener}
     */
    @Bean
    @Order(0)
    public RequestContextListener requestContextListener() {
        return new RequestContextListener();
    }