Hide Rest API not being used currently

Hello, We are trying to hide the REST APIs to the user which are not be used currently. For this we are using camunda concept of securityFilterRules.json. Below is my dummy definition:
“pathFilter”: {
“deniedPaths” : [
{ “path”: “/engine/{engine}/history/process-instance/.", “methods” : “GET” }
“allowedPaths” : [
{ “path”: "/engine/{engine}/deployment/.
”, “methods” : “*” , “authorizer” : “org.camunda.bpm.webapp.impl.security.filter.ApplicationRequestAuthorizer”}

Problem is, if I try to assess below URL I get a result.

But from what I understood, it should not be the case, as it is mentioned in denied paths, the operation should fail. Please suggest if I am doing anything wrong. Thanks.

Hi @vishalcool88,

The securityFilterRules.json file applies only to the REST endpoints that are embedded in the Camunda web application. engine-rest is separate from this. You can consider writing a custom servlet filter that implements similar functionality or build a custom REST API artifact that exposes only those resources that you need (see https://docs.camunda.org/manual/7.9/reference/rest/overview/embeddability/ for details).


1 Like