I am using Camunda Platform Runtime to test deployment of my business processes.
To prevent anyone from simply running the REST API, I did the following:
camunda.bpm:
  run:
    auth.enabled: true
Then I created users and assigned them to groups with authorizations. However, I figured out that users are only authenticated, but not checked for authorizations on which REST API they can call.
Is there any way to fix this? In addition, I do not see any web.xml I can use to configure the Camunda Platform Runtime.
I am currently checking the build for tomcat and found this org.camunda.bpm.webapp.impl.security.filter.SecurityFilter and securityFilterRules.json in the camunda webapp to check for authorization.
However, in the engine-rest webapp, there is only a remarked ProcessEngineAuthenticationFilter with nothing on Authorization based on roughly checking the source code.
Does the engine-rest depend on the camunda web-app to serve the REST API calls?
Great @Ingo_Richtsmeier thanks for your tip.
I rechecked my configuration; apparently I mistakenly put in camunda.bpm.run.authorization.enabled: true. The extra run caused the problem, thanks!
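
An added example, not part of the thread and not Camunda's own code: a small check that flattens a Camunda Run YAML file to dotted keys and flags the misplaced `run` level described above, so the mistake is caught before deployment. The key names are the ones quoted in the thread (the corrected key is the one the fix implies), the two sample files are constructed, and treating an absent key as "not enabled" is an assumption of this check.

```python
# Added example: flags the misplaced key from the thread in a Camunda Run YAML file.
# Key names are the ones quoted in the thread; the sample files are constructed.
MISPLACED = {"camunda.bpm.run.authorization.enabled": "camunda.bpm.authorization.enabled"}
REQUIRED = {
    "camunda.bpm.run.auth.enabled": "REST API authentication",
    "camunda.bpm.authorization.enabled": "authorization checks",
}

def flatten(text):
    """Flatten a mappings-only YAML subset (nested maps, scalars) to dotted keys."""
    stack, flat = [], {}  # stack holds (indent, key) of the open parent maps
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave maps we have dedented out of
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def audit(text):
    """Return findings; a key absent from the file is treated as not enabled (assumption)."""
    flat, findings = flatten(text), []
    for wrong, right in MISPLACED.items():
        if wrong in flat:
            findings.append(f"{wrong}: misplaced, move to {right}")
    for key, what in REQUIRED.items():
        if flat.get(key, "").lower() != "true":
            findings.append(f"{key}: not set to true in this file ({what})")
    return findings

AS_DESCRIBED = """\
camunda.bpm:
  run:
    auth.enabled: true
    authorization.enabled: true   # the extra 'run' level from the thread
"""
CORRECTED = """\
camunda.bpm:
  authorization.enabled: true
  run:
    auth.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("as described", AS_DESCRIBED), ("corrected", CORRECTED)):
        print(name, audit(cfg) or "ok")
```

The check only reads the file it is given; values supplied by other Spring Boot property sources are outside its view.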