Authorization check for rest-api when using Camunda Platform Runtime

Hi,

I am using Camunda Platform Runtime to test deployment of my business processes.

To prevent anyone from simply running the rest-api, I did the following:

camunda.bpm:
  run:
    auth.enabled: true

Then I created users and assigned them to groups with authorizations. However, I figured out that users are only authenticated, but not checked for authorizations on which REST-API they can call.

Is there any way to fix this? In addition, I do not see any web.xml I can use to configure the Camunda Platform Runtime.

Thanks.

Regards,
Kok Hoor

Which version of Camunda are you using?

7.16, Camunda Platform Runtime.

I am currently checking the build for tomcat and found this org.camunda.bpm.webapp.impl.security.filter.SecurityFilter and securityFilterRules.json in the camunda webapp to check for authorization.

However, in the engine-rest webapp, there is only a remarked ProcessEngineAuthenticationFilter with nothing on Authorization based on roughly checking the source code.

Does the engine-rest depend on the camunda web-app to serve the REST API calls?

After switching to the tomcat bundle, and enabling the camunda-auth filter, my problem is resolved.

Thanks.

Hi @kokhoor,

you can easily switch on the authentication in Camunda Run as well.

It is enabled by default in the production.yml setup:

camunda.bpm:
  authorization.enabled: true

Hope this helps, Ingo

Great @Ingo_Richtsmeier thanks for your tip.
I rechecked my configuration, apparently I mistakenly put in camunda.bpm.run.authorization.enabled: true, the extra run caused the problem, thanks!

Hi @kokhoor,

glad to hear that I could help and more glad to read about potential failures.

Cheers, Ingo
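
The following check is an added example, not part of any post in this thread and not Camunda code. It flattens a Camunda Run YAML file into dotted property names and reports the key-placement mistake discussed above, along with whether REST authentication and authorization checks are both switched on. The function names `flatten` and `check` are hypothetical, and the parser assumes a mapping-only, space-indented YAML file without lists.

```python
# Added example; the sample configs below are constructed for illustration.
SAMPLE_BAD = """\
camunda.bpm:
  run:
    auth.enabled: true
    authorization.enabled: true
"""
SAMPLE_GOOD = """\
camunda.bpm:
  authorization.enabled: true
  run:
    auth.enabled: true
"""

def flatten(text):
    """Flatten mapping-only, space-indented YAML into {dotted.key: value}."""
    stack, flat = [], {}  # stack holds (indent, key) of the open parent mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # close finished mappings
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return flat

def check(text):
    """Return a list of findings; an empty list means both switches are on."""
    flat = flatten(text)
    on = lambda k: flat.get(k, "").lower() == "true"
    findings = []
    if "camunda.bpm.run.authorization.enabled" in flat:
        findings.append("misplaced key camunda.bpm.run.authorization.enabled; "
                        "use camunda.bpm.authorization.enabled")
    if not on("camunda.bpm.authorization.enabled"):
        findings.append("authorization checks off: camunda.bpm.authorization.enabled")
    if not on("camunda.bpm.run.auth.enabled"):
        findings.append("REST authentication off: camunda.bpm.run.auth.enabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check(cfg) or "ok")
```

Running it against a deployment's configuration file before rollout catches the case where users can authenticate but no authorization is evaluated on REST calls.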