Getting 401 Unauthorized with REST API despite camunda-auth filter

I’m new to Camunda. Using camunda-bpm-wildfly10-7.5.0 with the demos and demo users that came along with it.

I try to make a REST API call with the demo / demo user, who is camunda-admin as well.

curl --user demo:demo http://localhost:8080/camunda/api/engine/engine/default/filter/366e784e-21fa-11e8-b724-00e04c62631c/list?firstResult=0&maxResults=15

gives me:


Also tried via Postman, also getting a 401 there.

I have read Configure Authentication | and I have removed the comment tags so that the camunda-auth filter is enabled. I edited it directly in the /camunda-bpm-wildfly10-7.5.0/server/wildfly-10.0.0.Final/standalone/deployments/camunda-engine-rest-7.5.0.war file.

Of course I also restarted the server. But I am still getting the 401 Unauthorized error.

The same API call works fine when I go via browser to the Camunda cockpit, logged in as demo/demo: I can see in my browser developer tools / network tab, that the very same API call is also being made from the cockpit successfully there.

In a new tab, but with existing browser session, it’s also showing me the expected result:

Just when I try to make the API call independently without being logged in / an existing session but just via Basic Auth, it fails with 401. Why? For some reason it seems that the camunda-auth filter is not really active, but I don’t see why. Unfortunately I never really used Wildfly before but usually only Tomcat, but for certain reasons, I need to use Wildfly in my case here.

The web.xml looks as follows:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns=""

  <display-name>camunda bpm rest api</display-name>
  <!-- Http Basic Authentication Filter -->



Be aware that there are in effect two restful APIs. One is the set of APIs used by the apps such as Tasklist and Cockpit. The other is the public rest API.

The public REST API can be accessed along these lines;

The default process engine is available out of the box by accessing /engine-rest/engine/default/{rest-methods} or simply /engine-rest/{rest-methods}. Any other shared (i.e., it is globally visible) process engine that is created later is available through /engine-rest/engine/{name}/{rest-methods} without any further configuration.

Hence you are trying the application’s ‘private’ APIs and the auth filter documentation is referring to the public APIs.

I suggest using the public REST APIs without authentication to get started, then add authentication…



1 Like

Thanks, it’s working via http://localhost:8080/engine-rest/engine/default/filter/366e784e-21fa-11e8-b724-00e04c62631c/list?firstResult=0&maxResults=15 now.

I tried the /engine-rest/ path yesterday as well, but it didn’t work. I think I had some typo or used a wrong URL pattern. Anyway, thanks for the quick help.

I seemed to have the same problem as mathiasconradt. Using the webapps everything works.

However, my problem is that the public api seems to be unavailable.

Postman gives the following output:

When I create a user with the Administration webapp everything works fine. Any suggestions?