REST API issue after Okta SSO

Camunda Version 7.17.0
I am implementing Okta-based SAML SSO for the web apps in a Spring Boot project, and it is working fine. My intention is to leave the REST APIs unprotected, as I will use something like Apigee to protect them.
However, I am now seeing an issue with some of the REST API endpoints.
All the REST endpoints that read data work fine, e.g.
http://localhost:8080/engine-rest/version
http://localhost:8080/engine-rest/user

Whenever I request a REST API that has to make changes in the system, the API response is raw HTML (the Okta login page). Example:
http://localhost:8080/deployment/create

Here is my security config java class.

package com.example.workflow.config;

import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;

import java.util.Collections;

import static org.springframework.security.config.Customizer.withDefaults;

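@EnableWebSecurity
// Lower order value than Boot's default basic-auth chain, so this chain is consulted first.
@Order(SecurityProperties.BASIC_AUTH_ORDER - 15)
public class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {

    // Source of the SAML relying-party registration(s) used for SP metadata and SSO.
    @Autowired
    RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

    /**
     * Builds the filter chain: SAML2 SSO (Okta) for the Camunda web apps, the engine REST API
     * left open, everything else denied.
     *
     * <p>Authorization rules are matched in declaration order:
     * <ol>
     *   <li>{@code /camunda/app/**}, {@code /camunda/api/**}, {@code /camunda/lib/**}: an
     *       authenticated SAML session is required;</li>
     *   <li>{@code /swaggerui/**} and {@code /engine-rest/**}: open to anyone. Nothing in this
     *       class authenticates engine REST calls, so any client that can reach this port
     *       directly (bypassing the external gateway) has unauthenticated access to the engine
     *       API;</li>
     *   <li>{@code /}: open;</li>
     *   <li>any other path: denied. For an anonymous caller Spring Security turns the denial
     *       into an authentication challenge, i.e. a redirect to the SAML identity provider, so
     *       a request whose path lies outside the prefixes above receives the IdP login page.</li>
     * </ol>
     *
     * <p>CSRF protection stays active for every path except {@code /camunda/api/**}; in this
     * configuration a state-changing (POST/PUT/DELETE) request to {@code /engine-rest/**} is
     * therefore still subject to the CSRF token check.
     *
     * @param http the {@link HttpSecurity} builder for this chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Serves the SP metadata document. The cast is required: the default resolver also
        // implements the older Converter contract, which would otherwise make the constructor
        // call ambiguous; the RelyingPartyRegistrationResolver overload is the supported one.
        Saml2MetadataFilter metadataFilter = new Saml2MetadataFilter(
                (RelyingPartyRegistrationResolver) new DefaultRelyingPartyRegistrationResolver(
                        this.relyingPartyRegistrationRepository),
                new OpenSamlMetadataResolver());

        http
                .authorizeRequests()
                        // Camunda web apps: SAML session required.
                        .antMatchers("/camunda/app/**", "/camunda/api/**", "/camunda/lib/**")
                                .authenticated()
                        // Engine REST API and Swagger UI: no application-level authentication.
                        .antMatchers("/swaggerui/**", "/engine-rest/**").permitAll()
                        .mvcMatchers("/").permitAll()
                        // Anything not listed above is refused (anonymous callers get the
                        // SAML login redirect instead of a 403).
                        .anyRequest().denyAll()
                .and()
                // Only the Camunda web app API is exempt from CSRF; /engine-rest/** is not.
                .csrf().ignoringAntMatchers("/camunda/api/**")
                .and()
                .saml2Login()
                .and()
                .saml2Logout(withDefaults())
                // Metadata must be answerable before the SSO response processing kicks in.
                .addFilterBefore(metadataFilter, Saml2WebSsoAuthenticationFilter.class);
    }

    /**
     * Registers Camunda's {@link ContainerBasedAuthenticationFilter} for the web apps so that
     * the principal established by Spring Security is handed to Camunda as the logged-in user.
     *
     * @return the filter registration, ordered after the Spring Security filter chain
     */
    @Bean
    public FilterRegistrationBean<ContainerBasedAuthenticationFilter> containerBasedAuthenticationFilter() {
        FilterRegistrationBean<ContainerBasedAuthenticationFilter> registration =
                new FilterRegistrationBean<>(new ContainerBasedAuthenticationFilter());
        // Class name the filter loads via its "authentication-provider" init parameter to map
        // the Spring Security principal onto a Camunda identity.
        registration.setInitParameters(Collections.singletonMap(
                "authentication-provider",
                "com.example.workflow.filter.webapp.SpringSecurityAuthenticationProvider"));
        // Must run after the Spring Security filter chain so the SecurityContext is populated.
        registration.setOrder(101);
        registration.addUrlPatterns("/camunda/app/*");
        return registration;
    }
}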

Please let me know why it is protecting only the REST APIs with write operations.

I made some changes and it is now working as expected. Please let me know if you see any issue with this configuration. I am planning to publish the entire solution on GitHub once I am done with testing. The behavior so far is:

It takes you to the Okta login page for all requests except for /swaggerui/** and /engine-rest/**.

package com.example.workflow.config;

import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;

import java.util.Collections;

import static org.springframework.security.config.Customizer.withDefaults;

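@EnableWebSecurity
// Lower order value than Boot's default basic-auth chain, so this chain is consulted first.
@Order(SecurityProperties.BASIC_AUTH_ORDER - 15)
public class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {

    // Source of the SAML relying-party registration(s) used for SP metadata and SSO.
    @Autowired
    RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

    /**
     * Builds the filter chain: SAML2 SSO (Okta) for every path except the engine REST API and
     * the Swagger UI, which are left open.
     *
     * <p>Authorization rules are matched in declaration order, so the open endpoints are listed
     * before the {@code /**} catch-all; a {@code permitAll} placed after {@code /**} would never
     * be reached. The final {@code anyRequest().denyAll()} is unreachable while the catch-all is
     * {@code /**}, but becomes the fallback for paths outside the web apps if the catch-all is
     * ever narrowed to {@code /camunda/**}.
     *
     * <p>Security consequences of the open rules: nothing in this class authenticates
     * {@code /engine-rest/**} calls, and CSRF is not checked for them either, so any client that
     * can reach this port directly (bypassing the external gateway) has unauthenticated
     * read/write access to the engine API.
     *
     * @param http the {@link HttpSecurity} builder for this chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Serves the SP metadata document. The cast is required: the default resolver also
        // implements the older Converter contract, which would otherwise make the constructor
        // call ambiguous; the RelyingPartyRegistrationResolver overload is the supported one.
        Saml2MetadataFilter metadataFilter = new Saml2MetadataFilter(
                (RelyingPartyRegistrationResolver) new DefaultRelyingPartyRegistrationResolver(
                        this.relyingPartyRegistrationRepository),
                new OpenSamlMetadataResolver());

        http
                // Token-less API clients cannot present a CSRF token, so the check is skipped
                // for the Camunda web app API and the engine REST API.
                .csrf().ignoringAntMatchers("/camunda/api/**", "/engine-rest/**")
                .and()
                .authorizeRequests()
                        // Open endpoints first: no application-level authentication.
                        .antMatchers("/swaggerui/**", "/engine-rest/**").permitAll()
                        // SAML single-logout endpoint; must precede the catch-all to take effect.
                        .mvcMatchers("/logout/saml2/slo").permitAll()
                        // Everything else requires a SAML session.
                        // TODO: confirm whether this can be narrowed to /camunda/**.
                        .antMatchers("/**").authenticated()
                        // Fallback if the catch-all above is ever narrowed.
                        .anyRequest().denyAll()
                .and()
                .saml2Login()
                .and()
                .saml2Logout(withDefaults())
                // Metadata must be answerable before the SSO response processing kicks in.
                .addFilterBefore(metadataFilter, Saml2WebSsoAuthenticationFilter.class);
    }

    /**
     * Registers Camunda's {@link ContainerBasedAuthenticationFilter} for the web apps so that
     * the principal established by Spring Security is handed to Camunda as the logged-in user.
     *
     * @return the filter registration, ordered after the Spring Security filter chain
     */
    @Bean
    public FilterRegistrationBean<ContainerBasedAuthenticationFilter> containerBasedAuthenticationFilter() {
        FilterRegistrationBean<ContainerBasedAuthenticationFilter> registration =
                new FilterRegistrationBean<>(new ContainerBasedAuthenticationFilter());
        // Class name the filter loads via its "authentication-provider" init parameter to map
        // the Spring Security principal onto a Camunda identity.
        registration.setInitParameters(Collections.singletonMap(
                "authentication-provider",
                "com.example.workflow.filter.webapp.SpringSecurityAuthenticationProvider"));
        // Must run after the Spring Security filter chain so the SecurityContext is populated.
        registration.setOrder(101);
        registration.addUrlPatterns("/camunda/app/*");
        return registration;
    }
}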
