Activating HTTPS on Camunda Spring-Boot

Hi everyone,

For our Camunda workflow service that coexists in a private cluster, we needed to activate HTTPS route over HTTP.

As we have a spring boot, I followed the following tutorial to activate HTTPS: How to enable HTTPS in a Spring Boot Java application.

JKS connection and redirecting from HTTP to HTTPS seem to work for webapps. However, when I land at the login page, the authentication fails.

Moreover every test rest call fails with a connection error (no response).
Camunda_rest_error

Other then creating ServerConfig and SecurityConfig configurations as proposed in the tutorial, I haven’t changed the existing code.

Any ideas out there? What am I missing?

Thank you in advance…
Tunch

1 Like

Sorry to disturb again but I cannot imagine that I am the only one who needed HTTPS on Spring-Boot for Camunda. Do you see any problems with the following referenced Security and Server configurations?

@Configuration
public class ServerConfig {

    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(getHttpConnector());
        return tomcat;
    }

    private Connector getHttpConnector() {
        Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
        connector.setScheme("http");
        connector.setPort(8080);
        connector.setSecure(false);
        connector.setRedirectPort(8443);
        return connector;
    }
}
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requiresChannel()
            .anyRequest()
            .requiresSecure();
    }
}

Our setup is the following (from POM):

    <camunda.version>7.11.0-ee</camunda.version>
    <camunda.spring.boot.starter.version>3.3.2</camunda.spring.boot.starter.version>
    <spring.boot.version>2.2.0.RELEASE</spring.boot.version>

As said, login page of webapps can be reached over HTTPS but any login attempt returns the error code 403 (Forbidden).

Moreover rest api does not seem to be available. Do I make a mistake in redirecting HTTP to HTTPS or problem might be somewhere else? Do we maybe need extra configurations for Camunda apart from the Spring configs?

Thanks in advance.

1 Like

After 2 days of continuous searching and testing, I found “a” solution to this problem.

Apparently, Camunda Spring Boot starter already configures WebSecurityConfigurerAdapter and a parallel configuration via the SecurityConfig does not fit here. The inconsistency might have arised also due to the fact hat we already enabled Camunda authorizations extending SpringBootProcessEnginePlugin as follows:

    @Override
    public void preInit(SpringProcessEngineConfiguration processEngineConfiguration) {
      super.preInit(processEngineConfiguration);
      // Authorization rules
      if (!processEngineConfiguration.isAuthorizationEnabled()) {
        processEngineConfiguration.setAuthorizationEnabled(true);
      }
    }

At the end, keeping only previously given ServerConfig and removing the new SecurityConfig class from the sources and the related dependency entry:

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-test</artifactId>
			<scope>test</scope>
		</dependency>

from the pom.xml solved our problem.

Now we can see that HTTPS EPs are available and HTTP traffic is routed to HTTPS. In our cluster we already deactivated HTTP traffic, and everything works as before, including authentication/authorization schemes and prod/test Rest APIs .

I hope these findings can help someone.

4 Likes

Thanks for letting us know about how you progressed with this!

2 Likes

Hi @tunch I followed exactly what you have mentioned. However, I am getting below error .

Hi @pradeep.poojari, can you post your POM? We received the same error when SecurityConfig class was still available in POM and was referenced in the code.

Hi @tunch Thanks for this post. I was able to login without spring dependency added in POM.

But In our case, we will use spring security to do SSO to login to camunda in https mode. Any idea in that case how to run Camunda in HTTPS mode?

Hi @pradeep.poojari, unfortunately I don’t have any first hand experience with SSO on Spring-Boot. Hence I can’t directly help.

However the following Camında SSO community extension: https://github.com/camunda/camunda-bpm-identity-keycloak

And the discussion thread on how to embed it to Camunda Spring-Boot distro might help…
Integration of camunda with keycloak SSO

Have a good Sunday
Tunç

1 Like

Hello @tunch,

we also need HTTPS, but there are still some problems…

I have already gone through the tutorial, deleted the SecurityConfig again and only left the following in the POM:

    <dependency>
      <groupId>org.camunda.connect</groupId>
      <artifactId>camunda-connect-http-client</artifactId>
    </dependency>

(Only the preInit I left out. You generally don’t need it, do you? If so where?)

But I don’t even see the login page… (not reachable)
If I connect to localhost:8080, it reconnect me to https://localhost/camunda/app/welcome/default/#!/login
With localhost:8081 to https://localhost:8443/camunda/app/welcome/default/#!/login

Have you or anyone else had similar problems?


By the way, I had to change the connector.setPort to port 8081, otherwise the following happened:

***************************
APPLICATION FAILED TO START
***************************
Description:
Web server failed to start. Port 8080 was already in use.
Action:
Identify and stop the process that's listening on port 8080 or configure this application to listen on another port.
Process finished with exit code 1

therefore:
2022-05-12 10:46:22.008 INFO 6468 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http) 8081 (http)