We noticed that on every request via the REST API, the LDAP plugin is trying to authenticate.
It doesn't matter if it is for getting tasks, getting filters, etc…
It is easy to see in the stack-trace when there is no connection to the server:
There is a property authorizationCheckEnabled which should (in my opinion) prevent exactly this situation, but it doesn’t work this way. Maybe it is a bug with it.
Any thoughts, ideas and comments would be most appreciated.
Hope you are well. Thanks for sharing the link. We also face a similar issue with poor LDAP authentication performance, as it takes 2-3 seconds per LDAP request. Is there a chance with this filter to enable a configuration to authorise only non-local requests to the Camunda REST API and bypass requests from the local host?
So we want any process on the same host as the Camunda REST engine to be eligible to make calls without authenticating against LDAP.
But my problem is a bit in the direction that when we do something like GET /filter/count
we shouldn't call the LDAP server.
In my opinion, LDAP should be called only when a user logs in (to check its password) and when the application starts and Camunda is loading and mapping groups and permissions. At least that is my experience with other Enterprise Systems.
The security layer of the engine is designed in a way to check each request against the authorizations. Otherwise it would be possible with a known REST-endpoint to delete process instances or do something even worse. Have a look into the Authorization chapter of the docs for further background: https://docs.camunda.org/manual/7.9/user-guide/process-engine/authorization-service/
But with a changed implementation in the doFilter()-method it should be possible to fulfil your request. (See my response to Ilya)
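
One way the localhost bypass asked about in this thread could be written as a servlet filter, added here as an example and not taken from the thread or from Camunda's code. The class name `LoopbackBypassFilter` and the `delegate-class` init-param are hypothetical; the delegate is assumed to be whichever authentication filter is configured in `web.xml` today.

```java
import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Hypothetical wrapper: runs the existing authentication filter for every
// request except those whose TCP peer is a loopback address.
public class LoopbackBypassFilter implements Filter {
  private Filter delegate; // the authentication filter being wrapped

  @Override
  public void init(FilterConfig config) throws ServletException {
    // "delegate-class" is an assumed init-param naming the wrapped filter class.
    String cls = config.getInitParameter("delegate-class");
    if (cls == null) {
      throw new ServletException("delegate-class init-param is required");
    }
    try {
      delegate = (Filter) Class.forName(cls).getDeclaredConstructor().newInstance();
    } catch (ReflectiveOperationException e) {
      throw new ServletException("cannot create delegate filter " + cls, e);
    }
    delegate.init(config); // the delegate reads its own init-params from the same config
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    if (isLoopbackPeer(req.getRemoteAddr())) {
      chain.doFilter(req, res);            // local caller: no LDAP round trip
    } else {
      delegate.doFilter(req, res, chain);  // everyone else: authenticate as before
    }
  }

  static boolean isLoopbackPeer(String remoteAddr) {
    // InetAddress.getByName(null) and getByName("") both return the loopback
    // address, so a missing peer address must be rejected before parsing.
    if (remoteAddr == null || remoteAddr.isEmpty()) return false;
    try {
      return InetAddress.getByName(remoteAddr).isLoopbackAddress();
    } catch (IOException e) {
      return false; // unparsable address: fail closed and authenticate
    }
  }

  @Override
  public void destroy() { delegate.destroy(); }
}
```

Requests that skip the delegate reach the REST API with no authenticated identity, so this only fits hosts where every local process is trusted. If a reverse proxy runs on the same host, every client arrives with a loopback peer address, and forwarded-for headers are client-controlled, so neither can stand in for this check.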