Camunda Web App POST request 403

When I POST to /api/engine/engine/default/process-instance/count, the response is:

{
    "timestamp": 1729762770262,
    "status": 403,
    "error": "Forbidden",
    "path": "/workflow_admin/api/engine/engine/default/process-instance/count"
}

This is a GET request, not a POST.


Thank you for your reply; I will add details for the problem.
I found that since I use Spring Security, all POST requests return 403.
For example, the original request:

curl 'http://localhost:8082/workflow_admin/api/engine/engine/default/process-instance/count' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Accept-Language: zh-CN,zh;q=0.9' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json;charset=UTF-8' \
  -H 'Cookie: casdoor-token=xxxx; XSRF-TOKEN=642627298E15C0F6332A1E5D858F6E40; JSESSIONID=5B34AE6E03ED09DCE9E2C51F6A03935E' \
  -H 'Origin: http://localhost:8082' \
  -H 'Pragma: no-cache' \
  -H 'Referer: http://localhost:8082/workflow_admin/app/cockpit/default/' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36' \
  -H 'X-XSRF-TOKEN: 642627298E15C0F6332A1E5D858F6E40' \
  -H 'sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --data-raw '{"processDefinitionId":"6e9c60d7-9045-11ef-afb5-2ebbe41b42f7"}'

and the original request returns normally:

{"count":2}

my HttpSecurity config:

@Bean
public SecurityFilterChain configure(HttpSecurity http) throws Exception {
    http
            .csrf(AbstractHttpConfigurer::disable)   // Spring Security's own CSRF protection is switched off
            .authorizeRequests()
            .anyRequest().permitAll()                 // every request is authorized, no authentication required
            .and()
            .formLogin()
            .loginPage(UrlPathConst.CAS_LOGIN_CALLBACK)
            .defaultSuccessUrl(UrlPathConst.LOGIN_CALL_BACK)
            .permitAll()
            .and()
            .logout()
            .logoutRequestMatcher(req -> req.getRequestURI().endsWith("/logout"))
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID", "XSRF-TOKEN", "casdoor-token")
            .logoutSuccessHandler(logoutSuccessHandler)
            .permitAll();
    http.addFilterBefore(redirectFilter, UsernamePasswordAuthenticationFilter.class);
    return http.build();
}

and when I POST to /api/engine/engine/default/process-instance/count,
the response is:

{
    "timestamp": 1729822773327,
    "status": 403,
    "error": "Forbidden",
    "path": "/workflow_admin/api/engine/engine/default/process-instance/count"
}

and the backend log:

o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@20fa5277, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@17a7d6c8, org.springframework.security.web.context.SecurityContextPersistenceFilter@2052f095, org.springframework.security.web.header.HeaderWriterFilter@6ab1f85b, org.springframework.security.web.authentication.logout.LogoutFilter@519b0f00, com.tigerbrokers.ams.workflow.admin.cas.RedirectFilter@365afe87, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@79135a38, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@55fe9c2f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2e19b30, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4f2b1e9f, org.springframework.security.web.session.SessionManagementFilter@5d8fd077, org.springframework.security.web.access.ExceptionTranslationFilter@66682e8f, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@572b4072]] (1/1)
o.s.security.web.FilterChainProxy        : Securing POST /workflow_admin/api/engine/engine/default/process-instance/count
o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/13)
o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/13)
o.s.security.web.FilterChainProxy        : Invoking SecurityContextPersistenceFilter (3/13)
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/13)
o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (5/13)
o.s.s.w.a.logout.LogoutFilter            : Did not match request to com.tigerbrokers.ams.workflow.admin.cas.CustomSecurityConfig$$Lambda$859/2049210129@31dbf5bb
o.s.security.web.FilterChainProxy        : Invoking RedirectFilter (6/13)
o.s.security.web.FilterChainProxy        : Invoking UsernamePasswordAuthenticationFilter (7/13)
w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback', POST]
o.s.security.web.FilterChainProxy        : Invoking RequestCacheAwareFilter (8/13)
o.s.s.w.s.HttpSessionRequestCache        : No saved request
o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderAwareRequestFilter (9/13)
o.s.security.web.FilterChainProxy        : Invoking AnonymousAuthenticationFilter (10/13)
o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A3B2559378966CF5AF7C85326DD74F39], Granted Authorities=[ROLE_ANONYMOUS]]
o.s.security.web.FilterChainProxy        : Invoking SessionManagementFilter (11/13)
o.s.s.w.session.SessionManagementFilter  : Request requested invalid session id 5D9C0B5AE0868DD734E8909D3D3ECF7F
o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (12/13)
o.s.security.web.FilterChainProxy        : Invoking FilterSecurityInterceptor (13/13)
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback?error'] - [permitAll] (1/5)
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback'] - [permitAll] (2/5)
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback'] - [permitAll] (3/5)
edFilterInvocationSecurityMetadataSource : Did not match request to com.tigerbrokers.ams.workflow.admin.cas.CustomSecurityConfig$$Lambda$859/2049210129@31dbf5bb - [permitAll] (4/5)
o.s.s.w.a.i.FilterSecurityInterceptor    : Did not re-authenticate AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A3B2559378966CF5AF7C85326DD74F39], Granted Authorities=[ROLE_ANONYMOUS]] before authorizing
o.s.s.w.a.i.FilterSecurityInterceptor    : Authorizing filter invocation [POST /workflow_admin/api/engine/engine/default/process-instance/count] with attributes [permitAll]
o.s.s.w.a.i.FilterSecurityInterceptor    : Authorized filter invocation [POST /workflow_admin/api/engine/engine/default/process-instance/count] with attributes [permitAll]
o.s.s.w.a.i.FilterSecurityInterceptor    : Did not switch RunAs authentication since RunAsManager returned null
o.s.security.web.FilterChainProxy        : Secured POST /workflow_admin/api/engine/engine/default/process-instance/count
o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@20fa5277, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@17a7d6c8, org.springframework.security.web.context.SecurityContextPersistenceFilter@2052f095, org.springframework.security.web.header.HeaderWriterFilter@6ab1f85b, org.springframework.security.web.authentication.logout.LogoutFilter@519b0f00, com.tigerbrokers.ams.workflow.admin.cas.RedirectFilter@365afe87, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@79135a38, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@55fe9c2f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2e19b30, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4f2b1e9f, org.springframework.security.web.session.SessionManagementFilter@5d8fd077, org.springframework.security.web.access.ExceptionTranslationFilter@66682e8f, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@572b4072]] (1/1)
o.s.security.web.FilterChainProxy        : Securing POST /error
o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/13)
o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/13)
o.s.security.web.FilterChainProxy        : Invoking SecurityContextPersistenceFilter (3/13)
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/13)
o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (5/13)
o.s.s.w.a.logout.LogoutFilter            : Did not match request to com.tigerbrokers.ams.workflow.admin.cas.CustomSecurityConfig$$Lambda$859/2049210129@31dbf5bb
o.s.security.web.FilterChainProxy        : Invoking RedirectFilter (6/13)
o.s.security.web.FilterChainProxy        : Invoking UsernamePasswordAuthenticationFilter (7/13)
w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback', POST]
o.s.security.web.FilterChainProxy        : Invoking RequestCacheAwareFilter (8/13)
o.s.s.w.s.HttpSessionRequestCache        : No saved request
o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderAwareRequestFilter (9/13)
o.s.security.web.FilterChainProxy        : Invoking AnonymousAuthenticationFilter (10/13)
o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
o.s.security.web.FilterChainProxy        : Invoking SessionManagementFilter (11/13)
o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (12/13)
o.s.security.web.FilterChainProxy        : Invoking FilterSecurityInterceptor (13/13)
o.s.security.web.FilterChainProxy        : Secured POST /error
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback?error'] - [permitAll] (1/5)
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback'] - [permitAll] (2/5)
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback'] - [permitAll] (3/5)
edFilterInvocationSecurityMetadataSource : Did not match request to com.tigerbrokers.ams.workflow.admin.cas.CustomSecurityConfig$$Lambda$859/2049210129@31dbf5bb - [permitAll] (4/5)
c.t.a.w.a.filter.RequestInterceptors     : >>>>>>>Method POST,url /error , request param{}
w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
c.t.a.w.a.filter.RequestInterceptors     : <<<<<<<Method POST,url http://localhost:8081/error
w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
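The debug log above already shows which layer rejected the request. This added Python helper (not code from the thread, from Spring, or from Camunda) reads such a Spring Security DEBUG log and reports whether the filter chain denied the request or released it to the application: here the POST is "Authorized ... [permitAll]" and "Secured" before the container dispatches to /error, so the 403 originates downstream of Spring Security (an application-level check such as the Camunda web app's own CSRF protection is a plausible candidate, and the "invalid session id" line shows the XSRF-TOKEN/JSESSIONID pair the browser sent no longer belongs to a live session). The log excerpt is constructed and abridged from the post; the verdict strings are my own.

```python
import re
# Constructed excerpt, abridged from the Spring Security DEBUG log posted above.
SAMPLE_LOG = """\
o.s.security.web.FilterChainProxy        : Securing POST /workflow_admin/api/engine/engine/default/process-instance/count
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
o.s.s.w.session.SessionManagementFilter  : Request requested invalid session id 5D9C0B5AE0868DD734E8909D3D3ECF7F
o.s.s.w.a.i.FilterSecurityInterceptor    : Authorized filter invocation [POST /workflow_admin/api/engine/engine/default/process-instance/count] with attributes [permitAll]
o.s.security.web.FilterChainProxy        : Secured POST /workflow_admin/api/engine/engine/default/process-instance/count
o.s.security.web.FilterChainProxy        : Securing POST /error
o.s.security.web.FilterChainProxy        : Secured POST /error
"""

SECURING = re.compile(r"FilterChainProxy\s*: Securing (\S+) (\S+)")
SECURED = re.compile(r"FilterChainProxy\s*: Secured (\S+) (\S+)")
AUTHORIZED = re.compile(r"Authorized filter invocation \[(\S+) (\S+)\] with attributes \[([^\]]*)\]")
INVALID_SESSION = re.compile(r"Request requested invalid session id (\w+)")

def parse_requests(log):
    """One record per 'Securing METHOD path' line, with what the chain decided for it."""
    requests, cur = [], None
    for line in log.splitlines():
        if m := SECURING.search(line):
            cur = {"method": m[1], "path": m[2], "attributes": None,
                   "secured": False, "invalid_session": None}
            requests.append(cur)
        elif cur is None:
            continue
        elif m := AUTHORIZED.search(line):
            cur["attributes"] = m[3]        # e.g. "permitAll" or "authenticated"
        elif SECURED.search(line):
            cur["secured"] = True           # the whole Spring Security chain completed
        elif m := INVALID_SESSION.search(line):
            cur["invalid_session"] = m[1]   # client sent a JSESSIONID the server no longer has
        elif "access is denied" in line.lower():
            cur["attributes"] = "DENIED"    # ExceptionTranslationFilter rejected it
    return requests

def locate_403(requests):
    """Decide which layer produced the 403 for the first request in the log."""
    if not requests:
        return "no-request"
    first = requests[0]
    error_dispatch = any(r["path"] == "/error" for r in requests[1:])
    if first["attributes"] == "DENIED":
        return "spring-security-denied"
    if first["attributes"] and first["secured"] and error_dispatch:
        # Authorized and released by Spring Security, yet dispatched to /error afterwards:
        # the 403 came from a later filter or the application, not from authorizeRequests().
        return "denied-downstream-of-spring-security"
    return "inconclusive"
```

Running `locate_403(parse_requests(SAMPLE_LOG))` on the excerpt returns `denied-downstream-of-spring-security`, which is why loosening the `HttpSecurity` rules further cannot change the result.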