Spring Boot Starter secure REST API with LDAP authentication and authorization

Hi,

I want to secure our Spring Boot Starter application with the following features:

  • LDAP authentication
  • LDAP authorization
  • securing REST API

For LDAP, I created a JAVA class as follows:

import javax.servlet.Filter;

import org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin;
import org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter;
import org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CamundaSecurity {

    // Registers Camunda's REST authentication filter on the engine-rest endpoints.
    // The init parameter names the provider class that checks the HTTP Basic credentials.
    @Bean
    public FilterRegistrationBean processEngineAuthenticationFilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setName("camunda-auth");
        registration.setFilter(getProcessEngineAuthenticationFilter());
        registration.addInitParameter("authentication-provider",
                "org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider");
        registration.addUrlPatterns("/engine-rest/*");
        return registration;
    }

    @Bean
    public Filter getProcessEngineAuthenticationFilter() {
        return new ProcessEngineAuthenticationFilter();
    }

    // Members of this LDAP group get Camunda administrator rights in the Webapps.
    @Bean
    public AdministratorAuthorizationPlugin administratorAuthorizationPlugin() {
        AdministratorAuthorizationPlugin plugin = new AdministratorAuthorizationPlugin();
        plugin.setAdministratorGroupName("My_Camunda_Admins");
        return plugin;
    }

    // Read-only LDAP identity provider: users and groups come from the directory.
    @Bean
    public LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {
        LdapIdentityProviderPlugin plugin = new LdapIdentityProviderPlugin();
        plugin.setServerUrl("ldaps://ldap.myserver.info:636");
        plugin.setManagerDn("uid=myldapuser,ou=Reader,ou=Admins,o=root");
        plugin.setManagerPassword("my_secret");
        plugin.setBaseDn("o=root");
        plugin.setUserSearchBase("o=root");
        plugin.setUserSearchFilter("(objectclass=person)");
        plugin.setUserIdAttribute("mail");
        plugin.setUserFirstnameAttribute("givenName");
        plugin.setUserLastnameAttribute("sn");
        plugin.setUserEmailAttribute("mail");

        plugin.setGroupSearchBase("");
        // Well-formed AND filter; the posted value had unbalanced parentheses.
        plugin.setGroupSearchFilter("(&(objectclass=GroupOfNames)(cn=WFT_*))");
        plugin.setGroupIdAttribute("cn");
        plugin.setGroupNameAttribute("cn");
        plugin.setGroupMemberAttribute("member");
        plugin.setAuthorizationCheckEnabled(true);
        return plugin;
    }
}

In the application.yaml I activated authorization:

camunda.bpm.authorization:
  enabled: true

With these settings, every user in my LDAP can login to the Webapps, but they see nothing except the welcome page. Tasklist, Cockpit and Admin are only for the members of the My_Camunda_Admins group.

So far so good.

The REST API is available for every LDAP user, too.

What changes need to be added to secure the REST API, so that only members of the My_Camunda_Admins group are allowed to use the REST API?

Best regards,

Rainer
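One way to close the gap the post describes, as an added example and not code from the original post or from Camunda itself: a custom authentication provider for the engine-rest filter that first lets Camunda's HttpBasicAuthenticationProvider verify the credentials against LDAP and then rejects any user who is not a member of My_Camunda_Admins. The class and package name are hypothetical; it assumes Camunda 7's `AuthenticationResult` and `IdentityService` group query and that the group id is the `cn` value, as in the posted configuration.

```java
package com.example.security; // hypothetical package

import java.util.List;
import javax.servlet.http.HttpServletRequest;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider;

/**
 * Hypothetical provider for the /engine-rest/* filter: HTTP Basic credentials are
 * accepted only from members of the administrator group. It reuses the LDAP-backed
 * identity service, so no second credential store or group mapping is needed.
 */
public class AdminsOnlyAuthenticationProvider extends HttpBasicAuthenticationProvider {

    // Same group name that AdministratorAuthorizationPlugin uses for the Webapps.
    private static final String REQUIRED_GROUP = "My_Camunda_Admins";

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request,
                                                         ProcessEngine engine) {
        // Step 1: the stock provider checks the Basic credentials against LDAP.
        AuthenticationResult result = super.extractAuthenticatedUser(request, engine);
        if (!result.isAuthenticated()) {
            return result; // missing or wrong credentials: filter answers 401 as before
        }

        // Step 2: resolve the user's groups through the engine (i.e. through LDAP).
        String userId = result.getAuthenticatedUser();
        List<Group> groups = engine.getIdentityService()
                .createGroupQuery()
                .groupMember(userId)
                .list();

        boolean isAdmin = groups.stream()
                .anyMatch(g -> REQUIRED_GROUP.equals(g.getId()));
        if (!isAdmin) {
            // Valid LDAP user but not an administrator: report the request as not
            // authenticated, so the filter rejects it and sets no engine identity.
            return AuthenticationResult.unsuccessful();
        }
        return result;
    }
}
```

To activate it, point the filter's `authentication-provider` init parameter at `com.example.security.AdminsOnlyAuthenticationProvider` instead of the stock HttpBasicAuthenticationProvider; the Webapps keep their own login and are not affected by this filter.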