I have an application running the Spring Boot Starter. I need security active on the /rest API. I also have a /data running Spring Data Rest, so I can have access to data from embedded forms.
To activate security on /rest I am using the following config class. It works as expected. But if I add my /data to the URL pattern, it prompts for a password from within tasklist, even after I’ve been logged in. This is not what I expected.
Any idea on how to sync the session from tasklist, rest and spring data?
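```java
import java.util.ArrayList;

import org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean; // package as of Spring Boot 1.4+
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class WebConfig {

    // Registers Camunda's HTTP Basic authentication filter for the REST API.
    @Bean
    public FilterRegistrationBean restAPIFilterRegistration() {
        ProcessEngineAuthenticationFilter camundaFilter = new ProcessEngineAuthenticationFilter();
        FilterRegistrationBean registration = new FilterRegistrationBean();
        ArrayList<String> urlPatterns = new ArrayList<String>();
        urlPatterns.add("/rest/*");
        // urlPatterns.add("/data/*");
        registration.setUrlPatterns(urlPatterns);
        registration.addInitParameter("authentication-provider",
                "org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider");
        registration.setName("camunda-auth");
        registration.setFilter(camundaFilter);
        registration.setOrder(1);
        return registration;
    }
}
```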
Update: I’ve also tried to create my own filter. But when I call identityService.getCurrentAuthentication I keep getting null, even when I’ve logged in.
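```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.camunda.bpm.engine.IdentityService;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.filter.GenericFilterBean;

public class HttpAuthentication extends GenericFilterBean {
    protected static final String BASIC_AUTH_HEADER_PREFIX = "Basic ";
    IdentityService identityService;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Lazily look up the engine's IdentityService from the Spring context.
        if (identityService == null) {
            ServletContext servletContext = req.getServletContext();
            WebApplicationContext webApplicationContext = WebApplicationContextUtils.getWebApplicationContext(servletContext);
            identityService = webApplicationContext.getBean(IdentityService.class);
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Reject the request when no engine authentication is set on the current thread.
        if (identityService.getCurrentAuthentication() == null) {
            response.setStatus(401);
            return; // do not pass an unauthenticated request down the chain
        }
        chain.doFilter(request, response);
    }
}
```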