SSO (Spring Security + Camunda Identity Service)

ndry93 · August 14, 2019, 8:12am

Hi,

I have implemented spring security within a spring boot app that embed camunda-bpm-spring-boot-webapp dependency.
Then authentication is made using a custom authentication provider against identityService.checkPassword and identityService.setAuthenticationUserId.

How to SSO the embed Camunda Webapp? now i logged in successfuly using registered Camunda users and password, but when trying to open Camunda Tasklist/Welcome/Admin it redirects to Camunda common Login page.

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication auth) 
      throws AuthenticationException {
        String username = auth.getName();
        String password = auth.getCredentials()
            .toString();
        
        CamundaUtils cm = new CamundaUtils();
        if (cm.signin(username, password)) {
            return new UsernamePasswordAuthenticationToken
              (username, password, Collections.emptyList());
        } else {
            throw new
              BadCredentialsException("External system authentication failed");
        }
    }
 
    @Override
    public boolean supports(Class<?> auth) {
        return auth.equals(UsernamePasswordAuthenticationToken.class);
    }
}

#CamundaUtils

public boolean signin(String userId, String password) {
		boolean isValid = identityService.checkPassword(userId, password);
		if(isValid) identityService.setAuthenticatedUserId(userId);
		return isValid;
	}

Regards,
Hendry

ndry93 · August 14, 2019, 8:37am

Hi,

The SSO works when i use Container-Based Authentication, i follow the git project:

However i noticed that the signout button inside the Camunda Webapp does not work, and Authorization seems to be not working as well (cannot see available applications in Camunda Welcome, and a Spring Whitelabel error when opening tasklisk). I suspect the container still has authenticated state.
Please advice…

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
	
	@Bean
    public FilterRegistrationBean containerBasedAuthenticationFilter(){

        FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
        filterRegistration.setFilter(new ContainerBasedAuthenticationFilter());
        filterRegistration.setInitParameters(Collections.singletonMap("authentication-provider", "com.ey.eyharmony.config.SpringSecurityAuthenticationProvider"));
        filterRegistration.setOrder(101); // make sure the filter is registered after the Spring Security Filter Chain
        filterRegistration.addUrlPatterns("/app/*");
        return filterRegistration;
    }
	
	@Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
//                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll()
                .and()
                .csrf().ignoringAntMatchers("/app/","/lib/","/api/**");
    }
}

#Custom Provider

public class SpringSecurityAuthenticationProvider extends ContainerBasedAuthenticationProvider {

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        if (authentication == null) {
            return AuthenticationResult.unsuccessful();
        }

        String name = authentication.getName();
        if (name == null || name.isEmpty()) {
            return AuthenticationResult.unsuccessful();
        }

        AuthenticationResult authenticationResult = new AuthenticationResult(name, true);
        authenticationResult.setGroups(getUserGroups(authentication));

        return authenticationResult;
    }

    private List<String> getUserGroups(Authentication authentication){

        List<String> groupIds;

        groupIds = authentication.getAuthorities().stream()
                .map(res -> res.getAuthority())
                .map(res -> res.substring(5)) // Strip "ROLE_"
                .collect(Collectors.toList());

        return groupIds;

    }

}

Regards,
Hendry

sunkiranforu · April 24, 2020, 7:05pm

Hi,
Yes, I am also looking for same type of implementation.
Followed the above git code and the Authentication is working fine but Authorization is not working as expected, The groupId’s are not getting reflected under camunda tasklist.
Please let me know, if you came across any more information related to implement Authorization ?

sunkiranforu · June 26, 2020, 4:22pm

By default Authorization is disabled, so needs to be enabled it by adding the below entry applicaiton yaml/properties file.

camunda.bpm.authorization.enabled=true

teja_polisetty · December 31, 2021, 8:00pm

This way of authorization worked for till camunda springboot version 3.4.x
but from camunda springboot version 7.13 onwards its not detecting ContainerBasedAuthenticationProvider.
https://docs.camunda.org/manual/7.16/user-guide/spring-boot-integration/version-compatibility/

Can any one help on this?

teja_polisetty · January 10, 2022, 8:11pm

It is working now by updating the addUrlPatterns("/app/*"); with more url pattern like engine-rest
thank you

abhaymeshram · February 17, 2022, 6:07pm

Dear Team,

I am trying to implement Camunda + Oauth 2+ AWS cognito in spring boot v2.6.3 and camunda v 7.16.0. I am able to redirect to cognito and once success coming to ContainerBasedAuthenticationProvider. But still role is not assigned correctly in
camunda/api/admin/auth/user/default

It is always returning “authorizedApps”:[“welcome”]

@Niall