Hi,
I want to secure our Spring Boot Starter application with the following features:
- LDAP authentication
- LDAP authorization
- securing REST API
For LDAP, I created a Java class as follows:

```java
import javax.servlet.Filter;

import org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin;
import org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter;
import org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CamundaSecurity {

    // Registers Camunda's authentication filter for the REST API with HTTP Basic auth.
    @Bean
    public FilterRegistrationBean<Filter> processEngineAuthenticationFilter() {
        FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>();
        registration.setName("camunda-auth");
        registration.setFilter(getProcessEngineAuthenticationFilter());
        registration.addInitParameter("authentication-provider",
                "org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider");
        registration.addUrlPatterns("/engine-rest/*");
        return registration;
    }

    @Bean
    public Filter getProcessEngineAuthenticationFilter() {
        return new ProcessEngineAuthenticationFilter();
    }

    // Members of this group get full administrator authorizations in the engine.
    @Bean
    public AdministratorAuthorizationPlugin administratorAuthorizationPlugin() {
        AdministratorAuthorizationPlugin plugin = new AdministratorAuthorizationPlugin();
        plugin.setAdministratorGroupName("My_Camunda_Admins");
        return plugin;
    }

    // Read-only LDAP identity provider: users and groups come from the directory.
    @Bean
    public LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {
        LdapIdentityProviderPlugin plugin = new LdapIdentityProviderPlugin();
        plugin.setServerUrl("ldaps://ldap.myserver.info:636");
        plugin.setManagerDn("uid=myldapuser,ou=Reader,ou=Admins,o=root");
        plugin.setManagerPassword("my_secret");
        plugin.setBaseDn("o=root");
        plugin.setUserSearchBase("o=root");
        plugin.setUserSearchFilter("(objectclass=person)");
        plugin.setUserIdAttribute("mail");
        plugin.setUserFirstnameAttribute("givenName");
        plugin.setUserLastnameAttribute("sn");
        plugin.setUserEmailAttribute("mail");
        plugin.setGroupSearchBase("");
        // The filter as posted was missing the enclosing AND and its closing parentheses;
        // balanced here so the LDAP server accepts it.
        plugin.setGroupSearchFilter("(&(objectclass=GroupOfNames)(|(cn=WFT_*)))");
        plugin.setGroupIdAttribute("cn");
        plugin.setGroupNameAttribute("cn");
        plugin.setGroupMemberAttribute("member");
        plugin.setAuthorizationCheckEnabled(true);
        return plugin;
    }
}
```
In the application.yaml I activated authorization:

```yaml
camunda.bpm.authorization:
  enabled: true
```
With these settings, every user in my LDAP can log in to the Webapps, but they see nothing except the welcome page. Tasklist, Cockpit and Admin are only for the members of the My_Camunda_Admins group.
So far so good.
The REST API is available for every LDAP user, too.
What changes need to be added to secure the REST API, so that only members of the My_Camunda_Admins group are allowed to use the REST API?
Best regards,
Rainer
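The following is an added example, not part of the forum post and not Camunda's own answer. It shows one way to restrict /engine-rest/* to members of a single group: a servlet filter registered ahead of Camunda's authentication filter that reuses the same HTTP Basic credentials, verifies them against the LDAP-backed IdentityService, and answers 403 for authenticated users outside the group. The class and bean names, the filter order, and the reuse of the group name My_Camunda_Admins from the post are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.camunda.bpm.engine.IdentityService;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

// Added example (hypothetical class name): group-restricted access to the REST API.
@Configuration
public class RestApiGroupRestriction {

    // Assumption: same group the poster configured for the administrator plugin.
    static final String REQUIRED_GROUP = "My_Camunda_Admins";

    @Bean
    public FilterRegistrationBean<Filter> restApiGroupFilter(IdentityService identityService) {
        FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>();
        registration.setName("camunda-rest-group-check");
        registration.setFilter(new GroupMembershipFilter(identityService, REQUIRED_GROUP));
        registration.addUrlPatterns("/engine-rest/*");
        // Lower order runs earlier: reject non-members before Camunda's own filter sees the request.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE + 10);
        return registration;
    }

    static final class GroupMembershipFilter implements Filter {
        private final IdentityService identityService;
        private final String requiredGroup;

        GroupMembershipFilter(IdentityService identityService, String requiredGroup) {
            this.identityService = identityService;
            this.requiredGroup = requiredGroup;
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            String[] credentials = parseBasicAuth(request.getHeader("Authorization"));
            if (credentials == null) {
                response.setHeader("WWW-Authenticate", "Basic realm=\"engine-rest\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            String userId = credentials[0];
            String password = credentials[1];

            // With the LDAP plugin this is a bind against the directory for that user.
            if (!identityService.checkPassword(userId, password)) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }

            // Membership lookup through the same identity provider (group member + group id).
            long matches = identityService.createGroupQuery()
                    .groupMember(userId)
                    .groupId(requiredGroup)
                    .count();
            if (matches == 0) {
                // Valid credentials but not in the group: forbidden, not unauthenticated.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(req, res);
        }

        /** Returns {user, password} or null when the header is absent or malformed. */
        static String[] parseBasicAuth(String header) {
            if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
                return null;
            }
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                        StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return null; // not valid Base64
            }
            int colon = decoded.indexOf(':');
            if (colon < 1) {
                return null; // no "user:password" separator
            }
            return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        }
    }
}
```

Because this filter runs before Camunda's authentication filter, each REST call performs the LDAP bind twice (once here, once in HttpBasicAuthenticationProvider); that is the price of keeping the check independent of filter ordering. The group query uses the userId attribute configured in the post (mail), so the group's member attribute must reference users in a way the LDAP plugin can resolve back to that id.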