Camunda spring boot authorization - feature or bug?

Hi, I have been playing with authorization in camunda spring boot application with rest services and I have found out, that if I run claimTask operation with user, that has not enough rights to update task, the execution still passes without the problem.
I identified the cause of this.
In process engine configuration, there is method initCommandCheckers like this:

  protected void initCommandCheckers() {
    if (commandCheckers == null) {
      commandCheckers = new ArrayList<CommandChecker>();

      // add the default command checkers
      commandCheckers.add(new TenantCommandChecker());
      commandCheckers.add(new AuthorizationCommandChecker());

However, SpringBootProcessEnginePlugin sets the commandCheckers collection to empty arraylist by calling CamundaSpringBootUtil.init(…) method

public static SpringProcessEngineConfiguration init(SpringProcessEngineConfiguration configuration) {
if(configuration.getProcessEnginePlugins() == null) {
configuration.setProcessEnginePlugins(new ArrayList());

if(configuration.getBatchHandlers() == null) {
    configuration.setBatchHandlers(new HashMap());

if(configuration.getBeans() == null) {
    configuration.setBeans(new HashMap());

if(configuration.getCommandCheckers() == null) {
    configuration.setCommandCheckers(new ArrayList());

if(configuration.getCustomPostBPMNParseListeners() == null) {
    configuration.setCustomPostBPMNParseListeners(new ArrayList());

return configuration;


which results, that initCommandCheckers never adds the command checkers(including AuthorizationCommandCheccker) to the process engine.

I was able to get the authorization working correctly by manually adding the command checkers to the process engine configuration in custom process engine configuration.

public class OmnichannelProcessEngineConfiguration extends AbstractCamundaConfiguration {

    public void preInit(SpringProcessEngineConfiguration processEngineConfiguration) {
//        processEngineConfiguration.setDefaultSerializationFormat("application/json");
        processEngineConfiguration.setIdGenerator(new StrongUuidGenerator());
        processEngineConfiguration.getCommandCheckers().add(new TenantCommandChecker());
        processEngineConfiguration.getCommandCheckers().add(new AuthorizationCommandChecker());


    private List<TypedValueSerializer> customPostVariableSerializers() {
        List<TypedValueSerializer> customPostVariableSerializers = new ArrayList<>();
        customPostVariableSerializers.add(new BigDecimalValueSerializer());
        return customPostVariableSerializers;

    private List<AbstractFormFieldType> customFormTypes() {
        List<AbstractFormFieldType> customFormTypes = new ArrayList<>();
        customFormTypes.add(new BigDecimalFormType());
        return customFormTypes;

I’d like to ask, if such custom defining of command checkers is design feature or it is a bug. If it is a feature, is defining the command checkers in custom camunda engine configuration the correct way to do it?

Hi @tomorrow,

on the Camunda engine side, it’s possible to configure the command checkers. So you can add a custom checker or modify the existing once.

There is an issue in the Spring Boot extension to fix the behavior.

Best regards,

1 Like

I am working on a fix (status check for fields which must not be customized in preInit) right now.

1 Like