Idempotent Authorization configuration?


I have a SpringBoot app with embedded Camunda. The app is deployed in a Container, so I want it to initialize itself as needed.

One thing I can’t configure are Authorizations (apart from the “administrator-group-name”).

I found in the docs how to apply Camunda authorizations with Java config on startup.

However, when I restart my app I get duplicate key constraint violation errors because the save method of authorizationService is not idempotent. It blindly tries to insert the same authorizations again.

What is the best way to handle this?

Simplest approach: Delete all Authorizations, so they are re-applied every time (kind of like every start is the first start). This seems to work according to a first test. The special authorizations that result from “administrator-group-name” seem to be applied later and are therefore applied again when I delete all Authorizations. Is this really safe or are there any pitfalls I don’t see yet?

Overall: It would be very nice to have a possibility to configure custom authorizations that are applied independently of the current auth configuration. Similar to configuring the spring datasource or the “administrator-group-name” for Camunda.


If the method is not idempotent then you have to check whether the permission already exists before creating it.

As to the idea of a custom auth service: I also play with the idea of creating an AuthService implementation which is based solely on some config files. Actually, this should be an easy task.

Thanks for your answer.

The problem with checking for an existing Auth before creating it is that it only works for already existing and new Auths.

If I had applied 3 Auths on the last start and now I want to remove one of them, it is not sufficient to remove the Auth from the Java config. I have to explicitly remove it with AuthService… and perhaps I even need to check for an existing Auth before removing it (don’t know if removal of a non-existing Auth throws an Exception or not) :)

But as soon as I add Auths to remove, the Java configuration is no longer declarative. It is not the config I want to have after every start (no matter what was before). It is a mix of what I want to have and what should be changed to the current config (that is only relevant for 1 restart).

Because of this, the approach with the “hammer” (delete all Auths and then re-apply the current Java config) is the much cleaner way for me.

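A scoped variant of the two approaches discussed in this thread, as an added example that is not code from any of the posters or from Camunda: instead of deleting every authorization, it reconciles only the GRANT authorizations of the groups named in the config, so removals stay declarative and entries outside that scope (such as those created for the “administrator-group-name” group) are never touched. The class `AuthorizationReconciler`, the record `Grant` and the `managedGroups` parameter are hypothetical names; the example assumes Java 16+ and the Camunda 7 `AuthorizationService` API.

```java
import java.util.*;
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permission;
import org.camunda.bpm.engine.authorization.Resource;

/** Added example (hypothetical class): reconciles GRANT authorizations of config-managed groups. */
public final class AuthorizationReconciler {
  /** Hypothetical desired-state entry: one GRANT for a group on a resource ("*" = any id). */
  public record Grant(String groupId, Resource resource, String resourceId, Permission[] permissions) {}

  private static String key(String groupId, int resourceType, String resourceId) {
    return groupId + "|" + resourceType + "|" + resourceId;
  }

  /** Makes the managed groups' GRANTs equal to `desired`; every other authorization is left alone. */
  public static void reconcile(AuthorizationService service, Set<String> managedGroups, List<Grant> desired) {
    if (managedGroups.isEmpty()) return; // nothing is managed, so nothing may be deleted
    Map<String, Grant> wanted = new HashMap<>();
    for (Grant g : desired) {
      if (!managedGroups.contains(g.groupId()))
        throw new IllegalArgumentException("Group not managed by config: " + g.groupId());
      wanted.put(key(g.groupId(), g.resource().resourceType(), g.resourceId()), g);
    }
    List<Authorization> existing = service.createAuthorizationQuery()
        .authorizationType(Authorization.AUTH_TYPE_GRANT)
        .groupIdIn(managedGroups.toArray(new String[0]))
        .list();
    for (Authorization auth : existing) {
      Grant g = wanted.remove(key(auth.getGroupId(), auth.getResourceType(), auth.getResourceId()));
      if (g == null) { // present in the database but dropped from the config
        service.deleteAuthorization(auth.getId());
      } else {         // already present: saving an entity that has an id updates it
        auth.setPermissions(g.permissions());
        service.saveAuthorization(auth);
      }
    }
    for (Grant g : wanted.values()) { // in the config but not yet in the database
      Authorization auth = service.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
      auth.setGroupId(g.groupId());
      auth.setResource(g.resource());
      auth.setResourceId(g.resourceId());
      auth.setPermissions(g.permissions());
      service.saveAuthorization(auth);
    }
  }
}
```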