##### application.properties ( for all profiles ):
# Build metadata exposed on the info endpoint; @...@ tokens are filled in by the Maven build.
info.app.name=@project.name@
info.app.description=@project.description@
info.app.version=@project.version@
info.app.encoding=@project.build.sourceEncoding@
info.app.java.version=@java.version@
# The reverse proxy forwards to this port/context path (see ProxyPass in the httpd config).
server.port=58081
server.servlet.context-path=/camunda-ecl
# allowedOrigins appears to be an application-specific key (not a Spring Boot property).
# The reverse proxy also sets Access-Control-Allow-Origin, so the two lists should agree,
# otherwise the browser sees contradicting CORS headers.
allowedOrigins= LIST OF MY ORIGINS
# Apache proxy in front of the app: trust X-Forwarded-Proto/-Port so generated redirects
# use the external https scheme. Only safe while the proxy is the only way to reach this port.
# NOTE(review): this key is deprecated in newer Spring Boot releases in favour of
# server.forward-headers-strategy; confirm against the Boot version in use.
server.use-forward-headers=true
camunda.bpm.database.type=postgres
# The prefix is written with a trailing dot so tables are addressed schema-qualified
# (camunda.<table>); background on prefix vs. schema:
# https://stackoverflow.com/questions/40989183/camunda-spring-boot-starter-create-database-in-schema-not-working
camunda.bpm.database.table-prefix=camunda.
# Uncomment to drop-create the Camunda tables in the POSTGRES public schema.
# Keep this comment on its own line: in a .properties file a trailing "# ..." becomes
# part of the value.
#camunda.bpm.database.schema-update=drop-create
camunda.bpm.database.schema-name=camunda
camunda.bpm.history-level: audit
camunda.bpm.filter.create: All tasks
spring.application.name=camunda-ecl
# JDBC URL from the POSTGRES_CAMUNDA environment variable, with a default for the
# postgres host on the local network.
spring.datasource.url: ${POSTGRES_CAMUNDA:jdbc:postgresql://postgres:5432/ecl_camunda}
# NOTE(review): username/password are literal values here; inject the real credentials
# through environment placeholders like the URL above instead of committing them.
spring.datasource.username: name
spring.datasource.password: password
spring.datasource.driver-class-name: org.postgresql.Driver
spring.datasource.platform: ${DATASOURCE_PLATFORM:postgres}
# Hibernate does not manage the schema.
spring.jpa.hibernate.ddl-auto=none
# ddl-auto=create would create a default h2 database instead.
#spring.jpa.hibernate.ddl-auto=create
#spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=create
# Path of the Camunda REST API (Jersey); enables REST calls, e.g. from Postman.
spring.jersey.application-path: /rest
# Alternative profile set without Keycloak:
#spring.profiles.active=basic,engine
spring.profiles.active=${SPRING_PROFILES_ACTIVE:engine,keycloakplugin}
# Boot debug logging, off by default; switch on per environment via DEBUG.
debug=${DEBUG:false}
logging.config=classpath:logging.xml
##### application-keycloakplugin.properties ( for keycloak only ):
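camunda.bpm.history-level=audit
# Enforce Camunda authorizations for the identities provided by Keycloak.
camunda.bpm.authorization.enabled=true
camunda.bpm.filter.create=All tasks
# Base URL of the Keycloak server; https so that no http URLs leak into the browser.
keycloak.url.server=${KEYCLOAK_SERVER_URL:https://MY_URL}
keycloak.cors=true
# Use client roles instead of realm roles (realm roles were tested as well, same error).
# The comment is on its own line on purpose: in a .properties file a trailing "# ..." is
# part of the value, so "true # ..." would not bind as a boolean.
keycloak.use-resource-role-mappings=true
# OAuth2 client registration used by oauth2Login() in WebAppSecurityConfig.
spring.security.oauth2.client.registration.keycloak.provider=keycloak
spring.security.oauth2.client.registration.keycloak.client-id=camunda-ecl
# No default on purpose: a missing secret makes startup fail instead of running unconfigured.
spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CAMUNDA_CLIENT_SECRET}
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
# The redirect URI is hard-coded with https: the default derived an http URL behind the
# proxy, which caused a mixed-content (http/https) error in the browser.
spring.security.oauth2.client.registration.keycloak.redirect-uri=https://MY_URL/{action}/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.keycloak.scope=openid, profile, email
# Provider endpoints, all derived from keycloak.url.server and the realm.
spring.security.oauth2.client.provider.keycloak.issuer-uri=${keycloak.url.server}/realms/my-realm
spring.security.oauth2.client.provider.keycloak.authorization-uri=${keycloak.url.server}/realms/my-realm/protocol/openid-connect/auth
spring.security.oauth2.client.provider.keycloak.user-info-uri=${keycloak.url.server}/realms/my-realm/protocol/openid-connect/userinfo
spring.security.oauth2.client.provider.keycloak.token-uri=${keycloak.url.server}/realms/my-realm/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.jwk-set-uri=${keycloak.url.server}/realms/my-realm/protocol/openid-connect/certs
spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username
# NOTE(review): DEBUG logging of Spring Security can write tokens and session details to
# the log; keep it at this level only while troubleshooting.
logging.level.org.springframework.security=DEBUG
# Keycloak identity provider plugin (plugin.identity.keycloak.*); same client and secret
# as the OAuth2 registration above.
plugin.identity.keycloak.keycloakIssuerUrl=${keycloak.url.server}/realms/my-realm
plugin.identity.keycloak.keycloakAdminUrl=${keycloak.url.server}/admin/realms/my-realm
plugin.identity.keycloak.clientId=camunda-ecl
plugin.identity.keycloak.clientSecret=${KEYCLOAK_CAMUNDA_CLIENT_SECRET}
# Camunda user id = Keycloak username (not e-mail); these two flags are alternatives.
plugin.identity.keycloak.useEmailAsCamundaUserId=false
plugin.identity.keycloak.useUsernameAsCamundaUserId=true
plugin.identity.keycloak.useGroupPathAsCamundaGroupId=true
# Keycloak group whose members the plugin treats as Camunda administrators.
plugin.identity.keycloak.administratorGroupName=camunda-admin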
####### Apache httpd.config
...
# Canonicalise paths: 301-redirect to the trailing-slash form unless the path is an existing file.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*[^/])$ /$1/ [L,R=301]
# Two ServerName lines suggest two VirtualHost blocks whose tags are elided here; this first
# one apparently only redirects plain http to the https host.
ServerName MY_SERVER
Redirect permanent / https://MY_URL
# https vhost.
ServerName MY_SERVER
DocumentRoot /usr/local/apache2/htdocs
ServerAlias MY_ALIAS
# Reverse proxy only; forward proxying for arbitrary hosts stays disabled.
ProxyRequests Off
ProxyPreserveHost On
# NOTE(review): SSLProxyVerify none and SSLProxyCheckPeerCN off disable certificate and
# hostname checks for https backends. The ProxyPass targets below are http://, so this is
# not exercised today, but any https backend added later would be proxied unverified.
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire on
# Tell the backend the external scheme and port; Spring honours them via server.use-forward-headers.
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
# CORS headers added at the proxy to fix an earlier CORS error (the current error does not
# depend on this). "Header always set" works on the always table, so if the backend also
# emits Access-Control-Allow-Origin the browser may receive two values and reject the response.
Header always set Access-Control-Allow-Origin "https://MY_URL"
Header always set Access-Control-Allow-Headers "Authorization, Content-Type"
Header always set Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS"
Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
# Rewrites http Location headers to https; was used to fix the mixed-content error
# (the current error does not depend on this).
# Header edit Location ^http://(.*)$ https://$1
...
# TLS terminates at this proxy; the backend is reached over plain http, which is why
# X-Forwarded-Proto is set to https for it.
ProxyPass /camunda-ecl/ http://camunda-ecl:58081/camunda-ecl/
ProxyPassReverse /camunda-ecl/ http://camunda-ecl:58081/camunda-ecl/
...
# TLS for the https vhost. Keep server.key readable only by root and the httpd user.
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
...
######## WebAppSecurityConfig - here I made some changes because there was a CORS issue with REST
@ConditionalOnMissingClass("org.springframework.test.context.junit.jupiter.SpringExtension")
@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
@Profile("keycloakplugin")
public class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${spring.jersey.application-path:/rest}")
private String restPath;
/**
 * Web security for the Camunda web apps and REST API.
 *
 * <p>Authenticated access is required for the Camunda UI, API, libs and the REST API;
 * every other path is public. Login happens through the OAuth2 registration (Keycloak).
 *
 * @param http the security builder for this filter chain
 * @throws Exception propagated from the {@link HttpSecurity} configurers
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF token lives in a cookie the web app can read (HttpOnly=false) and echo back.
    // The Camunda app/API paths and the REST API are exempt from CSRF checks entirely.
    // NOTE(review): these exempt paths are still cookie-authenticated via oauth2Login, so a
    // cross-site request to them is not CSRF-protected; confirm this is intended beyond
    // Postman-style testing.
    CookieCsrfTokenRepository csrfRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
    http.csrf()
        .csrfTokenRepository(csrfRepository)
        .ignoringAntMatchers("/camunda/app/**", "/camunda/api/**", "/rest/**");

    // This chain is responsible for every request path.
    http.requestMatchers().antMatchers("/**");

    // The REST path is hard-coded here although restPath is injected on the class.
    http.authorizeRequests(requests -> requests
        .antMatchers("/camunda/app/**", "/camunda/api/**", "/camunda/lib/**", "/rest/**")
        .authenticated()
        .anyRequest().permitAll());

    // Browser login via the configured OAuth2/OIDC client registration.
    http.oauth2Login();
}
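/**
 * Registers Camunda's {@code ContainerBasedAuthenticationFilter} for the web apps.
 *
 * <p>The filter is expected to pass the principal already authenticated by Spring Security
 * to Camunda through the configured {@code authentication-provider}, so it must run after
 * the Spring Security filter chain; the explicit order guarantees that.
 *
 * @return the filter registration, mapped to {@code /camunda/app/*}
 */
@Bean
public FilterRegistrationBean<ContainerBasedAuthenticationFilter> containerBasedAuthenticationFilter() {
    // Typed registration instead of the raw type; no @SuppressWarnings needed.
    FilterRegistrationBean<ContainerBasedAuthenticationFilter> filterRegistration =
        new FilterRegistrationBean<>(new ContainerBasedAuthenticationFilter());
    // Fully-qualified name of the project's Camunda AuthenticationProvider implementation.
    filterRegistration.setInitParameters(Collections.singletonMap("authentication-provider",
        "de.my_path.camunda.config.plugin.KeycloakAuthenticationProvider"));
    filterRegistration.setOrder(101); // make sure the filter is registered after the Spring Security Filter Chain
    filterRegistration.addUrlPatterns("/camunda/app/*");
    return filterRegistration;
}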
/**
 * Registers a {@link RequestContextListener}, ordered first, so the current request is
 * bound to the handling thread for code running outside the DispatcherServlet.
 *
 * @return a new {@link RequestContextListener}
 */
@Bean
@Order(0)
public RequestContextListener requestContextListener() {
    RequestContextListener listener = new RequestContextListener();
    return listener;
}