How to write a filter chain and set authentication?

I have a project with some existing (not really working) code and two filters, processEngineAuthenticationFilter and containerBasedAuthenticationFilter.

But I am not really understanding how to configure these filters.

Here, as an example, is the processEngineAuthenticationFilter():

    public FilterRegistrationBean<Filter> processEngineAuthenticationFilter() {
        FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>();
        // following line needed?
        // registration.addUrlPatterns("/engine-rest/*");
        return registration;
    }

I had to disable this in processes.xml under process-engine, authorizationEnabled false.

There were some issues that there was no user found in the class customAuthenticationProviderClass that got set in the filter with


Here is some part of the class:

    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
        // The user is read from the Spring Security context of the current request
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            return AuthenticationResult.unsuccessful();
        }

        User user = ((User) authentication.getPrincipal());
        String id = user.getId();
        List<String> groups = ((User) authentication.getPrincipal()).getGroups();
        if (id == null || id.isEmpty()) {
            return AuthenticationResult.unsuccessful();
        }
        AuthenticationResult authenticationResult = new AuthenticationResult(id, true);
        createUser(user, engine);
        createGroups(groups, engine);
        checkGroupMemberShip(user, groups, engine);
        return authenticationResult;
    }

So actually my initial question is very basic. Where is this user set? This filter seems to handle authentication for requests to the REST API under the engine-rest endpoint. If I have worker nodes which are trying to do stuff like fetch and lock, would they need to provide a user? Where can I store these users on the process engine side? Because at the moment I just get errors because of something with the User object. Can you tell me what SecurityContextHolder is? Also, I am interested in whether I need to write addUrl(/engine-rest/*) in the filterchain or if that will get done automatically.

Also, there is a configure method. Is that a Spring filterchain? Can I configure the other filterchains with it? How can I distinguish the settings of the two filterchains in this configure filterchain?

In the end I would need to decide if I need an authentication method for accessing the rest-engine and what authentication method should be selected. Accessing the web and app endpoints should be implemented with SAML. But about the rest engine I am not so sure if that is sensible and if it would work. What do you suggest?

Very basic questions, but I am new to this.