External REST API Authentication/Authorisation mechanism

Hi all,

I’m working on a problem with our authentication/authorisation mechanism. Here is a sketch of what components are involved and how they are connected.

Components:

  • Camunda Web Application: Camunda BPM 7.9.0 Community Edition, which we have extended with some plugins in the Tasklist application. These plugins will perform REST calls to our external REST API in order to retrieve the required data.

  • Custom Identity Service: Custom implementation of the ReadOnlyIdentityProvider interface. We were not able to reuse the LDAP Identity Service Plugin provided by Camunda, because the role-based permissions are not obtained from the LDAP Server.

  • Process Engine (default): Contains all the BPMNs, the HTML forms for the user tasks and the Java Delegate classes for the service tasks. Every Java Delegate class performs at least one REST call to our external REST API via a javax.ws.rs.client.Client.

  • CORS and Security Filter:

    • The CORS Filter will allow requests from any Origin, because our external REST API is published.
    • The Security Filter checks if the user’s session ID (obtained from the Login) is authorized to access the requested REST service.

  • REST API: Contains all the REST services. One of the services uses Apache Shiro in order to authenticate users against the LDAP Server and returns a session ID in case the authentication request was successful.

The current steps to authenticate a user:

  • The user provides his credentials on the login page (camunda-commons-ui-7.9.0/lib/auth/page/login.html)

  • After the user has clicked on “Sign in”, the controller’s login method gets invoked (camunda-commons-ui-7.9.0/lib/auth/page/login.js)

  • This method will forward the credentials to the AuthenticationService’s login method (camunda-commons-ui-7.9.0/lib/auth/service/authenticationService.js)

  • The AuthenticationService sends two requests:

    • The first request was added by us in order to log the user in to the back-end via the REST service mentioned in the Components section. The retrieved session ID is stored as a cookie and used to call REST services from our custom plugins.
    • The second request is the already existing one, which passes the credentials through the Camunda REST API to our Custom Identity Service’s checkPassword method. From this method the same REST service is called and the returned session ID is stored in the Camunda DB with the command identityService.setUserInfo. We use this session ID to call REST services from our Java Delegate classes.

The current problem:

Every time we refresh the Tasklist we can see in the logs that the Identity Service’s findGroupByQueryCriteria method is executed. This will send a request to our REST API (using the session ID stored in the Camunda DB) to retrieve the groups of the currently logged-in user.

After an indefinite time, an error message appears indicating first that an exception was thrown in the above method: InvalidRequestException: User with id <<user_id>> does not exist, but secondly also indicating that the response status from our REST call inside this method is 401 (Unauthorized).

A visual result of this exception is that in the Welcome page, the profile no longer displays the general information (firstname, lastname, email, groups) just the user id. A closer look at the network tab in the developer tools (from the web browser) shows a 401 on the profile request.

Does someone know what we did wrong or if there is another approach to fix the problem?

We have done some small investigations, but for now I am not publishing them in order to get other ideas from the people.

Best regards,
Marvin
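The post describes a session ID that is obtained once in checkPassword, persisted via identityService.setUserInfo, and then replayed by the identity provider on every Tasklist refresh until the back-end answers 401. The following is an added example (not code from the post, from Camunda or from the poster's project) that models that lifecycle in Python: a Shiro-like session store with an idle timeout, a stand-in for the user-info table, and an identity provider that distinguishes a rejected session (401) from an unknown user (404), discards the stale ID and forces a fresh login instead of reporting "user does not exist". All class names, the TTL, the user and the group names are constructed for the example.

```python
"""Constructed model of the login flow described above: a Shiro-like session
store behind an external REST API, a stand-in for Camunda's identityService
user-info table, and an identity provider that resolves a user's groups with
the stored session ID. Every name and value here is hypothetical."""

import secrets


class FakeClock:
    """Controllable clock so session expiry can be exercised deterministically."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Stand-in for the Shiro session manager: a session expires after ttl idle seconds."""

    def __init__(self, clock, ttl_seconds, credentials):
        self.clock = clock
        self.ttl = ttl_seconds
        self.credentials = credentials  # constructed user -> password table
        self._sessions = {}  # session_id -> (user_id, last_access)

    def login(self, user_id, password):
        if self.credentials.get(user_id) != password:
            return None
        session_id = secrets.token_urlsafe(24)
        self._sessions[session_id] = (user_id, self.clock.now)
        return session_id

    def user_for(self, session_id):
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user_id, last_access = entry
        if self.clock.now - last_access > self.ttl:
            del self._sessions[session_id]  # idle timeout: the server forgets the session
            return None
        self._sessions[session_id] = (user_id, self.clock.now)
        return user_id


class ExternalRestApi:
    """Stand-in for the external REST API; returns (status, body) like an HTTP call."""

    def __init__(self, sessions, groups):
        self.sessions = sessions
        self.groups = groups  # constructed user -> groups table

    def get_groups(self, session_id):
        user_id = self.sessions.user_for(session_id)
        if user_id is None:
            return 401, None  # session unknown or expired
        if user_id not in self.groups:
            return 404, None  # authenticated, but no such user record
        return 200, list(self.groups[user_id])


class SessionExpired(Exception):
    """The stored session ID is no longer accepted by the back-end (HTTP 401)."""


class UserNotFound(Exception):
    """The back-end has no record of this user (HTTP 404)."""


class IdentityProvider:
    """Model of the custom ReadOnlyIdentityProvider: the session ID obtained in
    check_password is kept in user_info, the stand-in for identityService.setUserInfo."""

    def __init__(self, sessions, api):
        self.sessions = sessions
        self.api = api
        self.user_info = {}  # (user_id, key) -> value, like the Camunda user-info table

    def check_password(self, user_id, password):
        session_id = self.sessions.login(user_id, password)
        if session_id is None:
            return False
        self.user_info[(user_id, "session_id")] = session_id
        return True

    def find_groups(self, user_id):
        session_id = self.user_info.get((user_id, "session_id"))
        if session_id is None:
            raise SessionExpired(f"no session stored for {user_id}")
        status, body = self.api.get_groups(session_id)
        if status == 401:
            # Drop the stale ID so later lookups stop replaying it, and report
            # the real cause (re-login needed) rather than "user does not exist".
            del self.user_info[(user_id, "session_id")]
            raise SessionExpired(f"back-end rejected the session of {user_id}")
        if status == 404:
            raise UserNotFound(user_id)
        return body


def build_demo(ttl_seconds=1800):
    """Wire the pieces together with constructed sample data."""
    clock = FakeClock()
    sessions = SessionStore(clock, ttl_seconds, {"marvin": "correct horse"})
    api = ExternalRestApi(sessions, {"marvin": ["tasklist-users", "approvers"]})
    return clock, IdentityProvider(sessions, api)
```

The point of the model is that the ID stored in the Camunda DB and the session it names have independent lifetimes: once the back-end's idle timeout passes, every group lookup replays a dead token and gets 401, and an identity provider that maps any failure to "user does not exist" hides that. Mapping 401 to an explicit re-authentication path (or an error that the UI turns into a logout) keeps the failure visible and fails closed.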