Spring Security to ignore Camunda endpoint

Hi,

I want to ignore any Spring Security for /camunda/** and I really do not understand why .requestMatchers("/camunda/*").permitAll() does not work at all.

After POSTing the login form I am getting a 401.

I see a lot of examples on integrating SSO, Keycloak etc but that is not what I want for the moment.

(camunda-community-hub/camunda-platform-7-keycloak)
(camunda-consulting/camunda-7-code-examples/tree/main/snippets/springboot-security-sso)

ENV:
Camunda 7.20
Spring Boot 3.1.1
Spring Security
Keycloak

This is my base Security Config
If I comment all requestMatchers and put anyRequest().permitAll() it works but that is a security problem.

@Configuration
@EnableWebSecurity
public class ConfiguracaoSeguranca {

    @Value("${rolePermitidaChg}")
    private String rolePermitidaChg;

    @Bean
    //@Profile({"prod-sec"})
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                        .requestMatchers(HttpMethod.POST).hasRole(rolePermitidaChg)
                        .requestMatchers(HttpMethod.PUT).hasRole(rolePermitidaChg)
                        .requestMatchers(HttpMethod.GET).permitAll()
                        .requestMatchers("/camunda/*").permitAll()
                        .anyRequest().denyAll()
                )
                .cors(Customizer.withDefaults())
                .csrf(csrf -> csrf.disable())
                .oauth2ResourceServer(auth -> {
                    auth.jwt(jwtConfigurer -> {
                        jwtConfigurer.jwtAuthenticationConverter(jwtAuthenticationConverterForKeycloak());
                    });
                })
                .sessionManagement( session -> {
                    session.sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
                });
        return http.build();
    }

    public JwtAuthenticationConverter jwtAuthenticationConverterForKeycloak() {
        Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter = jwt -> {
            Map<String, Collection<String>> realmAccess = jwt.getClaim("realm_access");
            Collection<String> roles = realmAccess.get("roles");
            return roles.stream()
                    .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                    .collect(Collectors.toList());
        };

        var jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);

        return jwtAuthenticationConverter;
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
        configuration.setAllowedHeaders(Arrays.asList("X-PINGOTHER", "Authorization", "Origin", "X-Requested-With", "Content-Type", "Accept", "Authorization"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
    
}

I tried with/without authorization.enabled

camunda:
  bpm:
    admin-user:
      id: demo
      password: demo
    deployment-resource-pattern: classpath*:**/process*.bpmn
    job-execution:
      core-pool-size: 12
      max-pool-size: 24
    authorization:
      enabled: true

Logs after POSTing login:

I guess this is the critical part:

2024-02-26T13:44:48.827-03:00 DEBUG 13472 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Securing POST /camunda/api/admin/auth/user/default/login/welcome
2024-02-26T13:44:48.827-03:00 DEBUG 13472 --- [nio-8080-exec-9] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:42.824-03:00  INFO 13472 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'
2024-02-26T13:44:42.824-03:00  INFO 13472 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2024-02-26T13:44:42.824-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Detected StandardServletMultipartResolver
2024-02-26T13:44:42.824-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Detected AcceptHeaderLocaleResolver
2024-02-26T13:44:42.824-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Detected FixedThemeResolver
2024-02-26T13:44:42.825-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Detected org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator@2c501815
2024-02-26T13:44:42.825-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Detected org.springframework.web.servlet.support.SessionFlashMapManager@219d4c7
2024-02-26T13:44:42.825-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : enableLoggingRequestDetails='true': request parameters and headers will be shown which may lead to unsafe logging of potentially sensitive data
2024-02-26T13:44:42.825-03:00  INFO 13472 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 1 ms
2024-02-26T13:44:42.828-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /
2024-02-26T13:44:42.834-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:42.838-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ParameterizableViewController [view=org.springframework.web.servlet.view.RedirectView: [RedirectView]; URL [/camunda/app/]]
2024-02-26T13:44:42.839-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Secured GET /
2024-02-26T13:44:42.841-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : GET "/", parameters={}
2024-02-26T13:44:42.843-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ParameterizableViewController [view=org.springframework.web.servlet.view.RedirectView: [RedirectView]; URL [/camunda/app/]]
2024-02-26T13:44:42.847-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.web.servlet.view.RedirectView        : View [RedirectView], model {}
2024-02-26T13:44:42.848-03:00 DEBUG 13472 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed 302 FOUND
2024-02-26T13:44:42.853-03:00 DEBUG 13472 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Securing GET /camunda/app/
2024-02-26T13:44:42.853-03:00 DEBUG 13472 --- [nio-8080-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:42.854-03:00 DEBUG 13472 --- [nio-8080-exec-2] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/webjars/camunda/app/]]
2024-02-26T13:44:42.854-03:00 DEBUG 13472 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Secured GET /camunda/app/
2024-02-26T13:44:42.860-03:00 DEBUG 13472 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Securing GET /camunda/app/welcome/default/
2024-02-26T13:44:42.860-03:00 DEBUG 13472 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:42.861-03:00 DEBUG 13472 --- [nio-8080-exec-3] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/webjars/camunda/app/]]
2024-02-26T13:44:42.862-03:00 DEBUG 13472 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Secured GET /camunda/app/welcome/default/
2024-02-26T13:44:43.010-03:00 DEBUG 13472 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : Securing GET /camunda/app/welcome/scripts/config.js?bust=1708965883007
2024-02-26T13:44:43.014-03:00 DEBUG 13472 --- [nio-8080-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:43.014-03:00 DEBUG 13472 --- [nio-8080-exec-4] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/webjars/camunda/app/]]
2024-02-26T13:44:43.014-03:00 DEBUG 13472 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : Secured GET /camunda/app/welcome/scripts/config.js?bust=1708965883007
2024-02-26T13:44:43.015-03:00 DEBUG 13472 --- [nio-8080-exec-4] o.s.web.servlet.DispatcherServlet        : GET "/camunda/app/welcome/scripts/config.js?bust=1708965883007", parameters={bust:[1708965883007]}
2024-02-26T13:44:43.015-03:00 DEBUG 13472 --- [nio-8080-exec-4] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/webjars/camunda/app/]]
2024-02-26T13:44:43.021-03:00 DEBUG 13472 --- [nio-8080-exec-4] o.s.web.servlet.DispatcherServlet        : Completed 200 OK
2024-02-26T13:44:43.493-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : Securing GET /camunda/api/admin/auth/user/default
2024-02-26T13:44:43.493-03:00 DEBUG 13472 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : Securing GET /camunda/api/engine/engine/
2024-02-26T13:44:43.493-03:00 DEBUG 13472 --- [nio-8080-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:43.493-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:43.497-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2024-02-26T13:44:43.497-03:00 DEBUG 13472 --- [nio-8080-exec-5] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2024-02-26T13:44:43.497-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : Secured GET /camunda/api/admin/auth/user/default
2024-02-26T13:44:43.497-03:00 DEBUG 13472 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : Secured GET /camunda/api/engine/engine/
2024-02-26T13:44:43.527-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : Securing GET /error
2024-02-26T13:44:43.529-03:00 DEBUG 13472 --- [nio-8080-exec-6] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2024-02-26T13:44:43.529-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : Secured GET /error
2024-02-26T13:44:43.529-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet        : "ERROR" dispatch for GET "/error", parameters={}
2024-02-26T13:44:43.529-03:00 DEBUG 13472 --- [nio-8080-exec-6] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2024-02-26T13:44:43.542-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Using 'application/json', given [application/json, text/plain, */*] and supported [application/json, application/*+json]
2024-02-26T13:44:43.543-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Writing [{timestamp=Mon Feb 26 13:44:43 BRT 2024, status=404, error=Not Found, message=Not Found, path=/camun (truncated)...]
2024-02-26T13:44:43.549-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet        : Exiting from "ERROR" dispatch, status 404
2024-02-26T13:44:43.549-03:00 DEBUG 13472 --- [nio-8080-exec-6] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:43.566-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Securing GET /camunda-welcome
2024-02-26T13:44:43.566-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:43.566-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2024-02-26T13:44:43.567-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Secured GET /camunda-welcome
2024-02-26T13:44:43.567-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.web.servlet.DispatcherServlet        : GET "/camunda-welcome", parameters={}
2024-02-26T13:44:43.567-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2024-02-26T13:44:43.572-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.w.s.r.ResourceHttpRequestHandler     : Resource not found
2024-02-26T13:44:43.572-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.web.servlet.DispatcherServlet        : Completed 404 NOT_FOUND
2024-02-26T13:44:43.572-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Securing GET /error
2024-02-26T13:44:43.572-03:00 DEBUG 13472 --- [nio-8080-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2024-02-26T13:44:43.572-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : Secured GET /error
2024-02-26T13:44:43.572-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.web.servlet.DispatcherServlet        : "ERROR" dispatch for GET "/error", parameters={}
2024-02-26T13:44:43.573-03:00 DEBUG 13472 --- [nio-8080-exec-7] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2024-02-26T13:44:43.573-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Using 'application/json', given [application/json, text/plain, */*] and supported [application/json, application/*+json]
2024-02-26T13:44:43.573-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Writing [{timestamp=Mon Feb 26 13:44:43 BRT 2024, status=404, error=Not Found, message=No message available,  (truncated)...]
2024-02-26T13:44:43.574-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.web.servlet.DispatcherServlet        : Exiting from "ERROR" dispatch, status 404
2024-02-26T13:44:43.574-03:00 DEBUG 13472 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:48.819-03:00 DEBUG 13472 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Securing GET /camunda/api/engine/engine/
2024-02-26T13:44:48.819-03:00 DEBUG 13472 --- [nio-8080-exec-8] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:48.820-03:00 DEBUG 13472 --- [nio-8080-exec-8] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2024-02-26T13:44:48.820-03:00 DEBUG 13472 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Secured GET /camunda/api/engine/engine/
2024-02-26T13:44:48.827-03:00 DEBUG 13472 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Securing POST /camunda/api/admin/auth/user/default/login/welcome
2024-02-26T13:44:48.827-03:00 DEBUG 13472 --- [nio-8080-exec-9] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:48.827-03:00 DEBUG 13472 --- [nio-8080-exec-9] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2024-02-26T13:44:48.835-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Securing GET /camunda-welcome
2024-02-26T13:44:48.837-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-02-26T13:44:48.837-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2024-02-26T13:44:48.837-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Secured GET /camunda-welcome
2024-02-26T13:44:48.837-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.web.servlet.DispatcherServlet        : GET "/camunda-welcome", parameters={}
2024-02-26T13:44:48.837-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2024-02-26T13:44:48.839-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.w.s.r.ResourceHttpRequestHandler     : Resource not found
2024-02-26T13:44:48.839-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.web.servlet.DispatcherServlet        : Completed 404 NOT_FOUND
2024-02-26T13:44:48.839-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Securing GET /error
2024-02-26T13:44:48.840-03:00 DEBUG 13472 --- [io-8080-exec-10] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2024-02-26T13:44:48.840-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Secured GET /error
2024-02-26T13:44:48.840-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.web.servlet.DispatcherServlet        : "ERROR" dispatch for GET "/error", parameters={}
2024-02-26T13:44:48.840-03:00 DEBUG 13472 --- [io-8080-exec-10] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2024-02-26T13:44:48.841-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Using 'application/json', given [application/json, text/plain, */*] and supported [application/json, application/*+json]
2024-02-26T13:44:48.841-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Writing [{timestamp=Mon Feb 26 13:44:48 BRT 2024, status=404, error=Not Found, message=No message available,  (truncated)...]
2024-02-26T13:44:48.842-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.web.servlet.DispatcherServlet        : Exiting from "ERROR" dispatch, status 404
2024-02-26T13:44:48.842-03:00 DEBUG 13472 --- [io-8080-exec-10] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
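
Added example, not part of the original post: in the configuration above, `requestMatchers(HttpMethod.POST)` is declared before the `/camunda/*` rule and the first matching rule wins, so the login POST is checked against `hasRole(...)`; `/camunda/*` also covers only a single path segment, not `/camunda/api/admin/...`. One way to keep everything under `/camunda/` out of the JWT rules is a separate, higher-priority filter chain; the class name and the use of the default JWT converter in place of the post's Keycloak converter are assumptions.

```java
// Added example, not the poster's code. Assumes Spring Security 6.1 (Spring Boot 3.1.x)
// and the Camunda webapp served under /camunda, as in the post.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Configuration
@EnableWebSecurity
public class SplitChainSecurityConfig { // hypothetical class name

    @Value("${rolePermitidaChg}") // same property as in the post
    private String rolePermitidaChg;

    // Chain 1: claims every request under /camunda/ (any depth, any HTTP method)
    // before the API chain is consulted. Spring Security does not authenticate here;
    // the Camunda webapp's own login (admin-user in the post's YAML) stays in charge.
    @Bean
    @Order(1)
    SecurityFilterChain camundaChain(HttpSecurity http) throws Exception {
        http.securityMatcher(antMatcher("/camunda/**"))
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .csrf(csrf -> csrf.disable()); // Spring CSRF off, as in the post's config
        return http.build();
    }

    // Chain 2: everything else keeps the method-based rules and JWT validation.
    // No /camunda rule is needed: those requests never reach this chain.
    @Bean
    @Order(2)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST).hasRole(rolePermitidaChg)
                .requestMatchers(HttpMethod.PUT).hasRole(rolePermitidaChg)
                .requestMatchers(HttpMethod.GET).permitAll()
                .anyRequest().denyAll())
            .cors(Customizer.withDefaults())
            .csrf(csrf -> csrf.disable())
            // Assumption: default converter; the post's
            // jwtAuthenticationConverterForKeycloak() would be plugged in here.
            .oauth2ResourceServer(oauth -> oauth.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

With a single chain, the same effect requires `/camunda/**` to be listed before the `HttpMethod` rules, because later rules are never evaluated once an earlier one matches.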