Sorry to disturb again but I cannot imagine that I am the only one who needed HTTPS on Spring-Boot for Camunda. Do you see any problems with the following referenced Security and Server configurations?
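
    import org.apache.catalina.Context;
    import org.apache.catalina.connector.Connector;
    import org.apache.tomcat.util.descriptor.web.SecurityCollection;
    import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class ServerConfig {

        @Bean
        public ServletWebServerFactory servletContainer() {
            TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
                @Override
                protected void postProcessContext(Context context) {
                    // Require a confidential (TLS) transport for every URL, so
                    // Tomcat redirects plain-HTTP requests to the redirect port.
                    SecurityConstraint securityConstraint = new SecurityConstraint();
                    securityConstraint.setUserConstraint("CONFIDENTIAL");
                    SecurityCollection collection = new SecurityCollection();
                    collection.addPattern("/*");
                    securityConstraint.addCollection(collection);
                    context.addConstraint(securityConstraint);
                }
            };
            tomcat.addAdditionalTomcatConnectors(getHttpConnector());
            return tomcat;
        }

        // Additional plain-HTTP connector on 8080 that only redirects to 8443.
        private Connector getHttpConnector() {
            Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
            connector.setScheme("http");
            connector.setPort(8080);
            connector.setSecure(false);
            connector.setRedirectPort(8443);
            return connector;
        }
    }
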
As said, the login page of the webapps can be reached over HTTPS, but any login attempt returns the error code 403 (Forbidden).
Moreover, the REST API does not seem to be available. Am I making a mistake in redirecting HTTP to HTTPS, or might the problem be somewhere else? Do we maybe need extra configurations for Camunda apart from the Spring configs?
After 2 days of continuous searching and testing, I found “a” solution to this problem.
Apparently, the Camunda Spring Boot starter already configures WebSecurityConfigurerAdapter, and a parallel configuration via the SecurityConfig does not fit here. The inconsistency might also have arisen due to the fact that we already enabled Camunda authorizations by extending SpringBootProcessEnginePlugin as follows:

    @Override
    public void preInit(SpringProcessEngineConfiguration processEngineConfiguration) {
        super.preInit(processEngineConfiguration);
        // Authorization rules
        if (!processEngineConfiguration.isAuthorizationEnabled()) {
            processEngineConfiguration.setAuthorizationEnabled(true);
        }
    }

In the end, we kept only the previously given ServerConfig and removed the new SecurityConfig class from the sources, along with the related dependency entry:
Now we can see that HTTPS EPs are available and HTTP traffic is routed to HTTPS. In our cluster we already deactivated HTTP traffic, and everything works as before, including authentication/authorization schemes and prod/test REST APIs.
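
One way to confirm the redirect behaviour described above, as an added example that is not part of the original posts: the check sends a single request to the plain-HTTP port without following redirects and passes only if the answer is a redirect to `https` on the expected port. The class name `RedirectCheck`, the stub server and the sample path are assumptions made so that the code runs offline.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Set;

public class RedirectCheck { // hypothetical name, not from the thread
    private static final Set<Integer> REDIRECTS = Set.of(301, 302, 303, 307, 308);

    /** True only if the plain-HTTP URL answers with a redirect to https on the expected port. */
    static boolean redirectsToHttps(URI httpUri, int expectedHttpsPort) throws Exception {
        HttpClient client = HttpClient.newBuilder()
                .version(HttpClient.Version.HTTP_1_1)
                .followRedirects(HttpClient.Redirect.NEVER) // inspect the first response only
                .build();
        HttpResponse<Void> resp = client.send(
                HttpRequest.newBuilder(httpUri).GET().build(),
                HttpResponse.BodyHandlers.discarding());
        if (!REDIRECTS.contains(resp.statusCode())) {
            return false; // content (or an error) was served over plain HTTP
        }
        URI target = resp.headers().firstValue("Location").map(URI::create).orElse(null);
        return target != null
                && "https".equalsIgnoreCase(target.getScheme())
                && target.getPort() == expectedHttpsPort;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the 8080 connector so the check runs offline;
        // against a real deployment, pass the URL of its plain-HTTP port instead.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/", ex -> {
            ex.getResponseHeaders().add("Location", "https://127.0.0.1:8443" + ex.getRequestURI());
            ex.sendResponseHeaders(302, -1); // -1: no response body
            ex.close();
        });
        stub.start();
        try {
            URI uri = URI.create("http://127.0.0.1:" + stub.getAddress().getPort() + "/sample/path");
            System.out.println("redirects to HTTPS: " + redirectsToHttps(uri, 8443));
        } finally {
            stub.stop(0);
        }
    }
}
```
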
Hi @pradeep.poojari, can you post your POM? We received the same error when the SecurityConfig class was still available in the POM and was referenced in the code.