ReST Integration with Camunda auth provider

Though I’m able to get identity access with my own JAX-RS extension via “@Context SecurityContext”, I’m wanting to tie into (per HttpBasicAuthenticationProvider) so that I can use the built-in user database.

Everything works until I want to access the “@Context SecurityContext” - which ends up “null” (getting a null pointer error). My goal is to fetch the UserPrincipal from the logged in user.

example:

    public String secureEchoGet(@PathParam("hello") String hello,
            @Context SecurityContext security) {

        // NullPointerException here: the injected SecurityContext is null
        LOGGER.info("*** echoget - user : " + security.getUserPrincipal().getName());
        // ...
    }

I checked the Camunda source and noticed no use of “@Context SecurityContext” - however, there are examples of “@Context UriInfo”.

I’m guessing that I’ll need to implement a security interceptor, given that I don’t see any reference to “SecurityInterceptor” in the source.

Is this correct?

Thanks!

Hi @garysamuelson,

I am not sure, but I guess that SecurityContext is an application-server-specific part of the implementation, as the JAX-RS jar only defines the interface. Which application server are you using?

Cheers,
Askar

My server: WildFly v10.x

My goal is to simply use the logged-in-user’s ID/Username inbound from a ReST (JAX-RS) call.

I was able to get “resteasy.role.based.security” working (my mistake - I forgot to set the param back “on” during testing):

    <context-param>
        <description>turning on resteasy security. Note that this will not work for ejb</description>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>

WildFly’s built-in auth works (i.e. application-roles.properties). I’m now just looking for access into Camunda’s existing auth infrastructure.

So, I can use Camunda’s filter:

    <filter>
      <filter-name>camunda-auth</filter-name>
      <filter-class>
        org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter
      </filter-class>
      <init-param>
        <param-name>authentication-provider</param-name>
        <param-value>org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider</param-value>
      </init-param>
    </filter>

    <filter-mapping>
      <filter-name>camunda-auth</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

But, I’m not able to reference and use security annotations - example:

Noting:

myusergroup is in the Wildfly “application-roles.properties” file
mycamgroup is in Camunda’s group table

Users not in “application-roles.properties” aren’t authorized (auth error from the ReST call). But those in the WildFly group properties are allowed.

    @GET
    @Path("secureechoget/{hello}")
    @RolesAllowed({"myusergroup","mycamgroup"})
    @Produces(MediaType.APPLICATION_JSON)
    public String secureEchoGet(@PathParam("hello") String hello, 
            @Context SecurityContext security) {      
        
        String loginName = security.getUserPrincipal().getName();
        LOGGER.info("*** reviewContext - getName: " + loginName);
        

        // assemble a basic JSON reply and return
        String echoReply = "{\"logged in user\": \"" + loginName + "\"}";

        return echoReply;
    }

NOTE: I’m still working out the kinks… But the basic question is: do I need a separate interceptor (examples on RedHat… etc)?

I’ll leave the question up - but… I think I forgot to add/configure a new realm.

Thanks though.