Why two authentication filters?

Hello,

could someone please explain the difference between the classes ContainerBasedAuthenticationFilter and ProcessEngineAuthenticationFilter?

They are in different projects (web-app and engine) and are not exactly the same. But still there are many similarities in the code.

What is the purpose of each one? And why are there two of them and not one? I.e. why can’t one of them do what the other does (whatever the “one” and the “other” are)?

Thank you.

@fml2, Depending on what one needs to secure, one needs to add a stateless filter for the REST API (similar to ProcessEngineAuthenticationFilter, see here) or a session based one for the web apps. For the latter, Camunda 7.9 introduced the ContainerBasedAuthenticationFilter that can be used in combination with a custom Camunda AuthenticationProvider.

The Container-based Authentication Filter is only using the standard Servlet and Java Security APIs. Therefore it works exactly the same on all Servlet containers and with any authentication mechanism supported by the container.

Securing Camunda’s REST API

REST API’s default ProcessEngineAuthenticationFilter authenticates the user with HTTP Basic Auth.

Securing Camunda’s Web Apps

Camunda Web Apps use an AuthenticationFilter very similar to the REST API’s ProcessEngineAuthenticationFilter.

Securing your Web Application Container

Add the ContainerBasedAuthenticationFilter that ships with the product and implement a custom AuthenticationProvider if required.

Read more about Securing Camunda with Authentication and Authorizations.
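To make the "container-based filter plus custom AuthenticationProvider" combination from the answer above concrete, here is an added example (not code from this thread or from Camunda itself) of a provider that trusts only the principal the servlet container has already authenticated. It assumes Camunda 7's `org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider` and `AuthenticationResult` API and a hypothetical package name; the provider is wired to the ContainerBasedAuthenticationFilter through the filter's `authentication-provider` init parameter in web.xml.

```java
// Added example, not part of the forum thread or of Camunda's code base.
// Custom AuthenticationProvider for the ContainerBasedAuthenticationFilter:
// authenticates every request from the container principal, never from a
// client-supplied header, so the HTTP session is not the source of trust.
package example.auth; // hypothetical package

import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;

public class ContainerPrincipalAuthenticationProvider implements AuthenticationProvider {

  // Container roles that may be mapped to Camunda groups (constructed sample list).
  private static final List<String> KNOWN_ROLES =
      Arrays.asList("camunda-admin", "accounting", "sales");

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    // Called on every request; a stale session entry is never enough on its own.
    Principal principal = request.getUserPrincipal();
    if (principal == null || principal.getName() == null || principal.getName().isEmpty()) {
      return AuthenticationResult.unsuccessful();
    }
    AuthenticationResult result = AuthenticationResult.successful(principal.getName());

    // Groups come from container roles, so the client cannot elevate itself.
    List<String> groups = new ArrayList<>();
    for (String role : KNOWN_ROLES) {
      if (request.isUserInRole(role)) {
        groups.add(role);
      }
    }
    result.setGroups(groups);
    return result;
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    // No container principal: reject; the container's own login (form, SSO) issues the real challenge.
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
  }
}
```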

Thank you for the very good links! And thanks to the Camunda folks for the excellent docs!

However, I still don’t quite understand why there are two filters. Is the difference that one of them uses HTTP sessions and the other is stateless? But why are those sessions needed? The filter authenticates every request every time and does not rely on the user already present in the session. So, the session does not matter eventually.

I know from my earlier experience that there were web applications that did not check the user if one was already present in the HTTP session. But this is not the case with the ContainerBasedAuthenticationFilter.

ContainerBasedAuthenticationFilter comes into the picture when you want to enable SSO.

Could you please elaborate a little bit? I fail to see a difference between the two in this respect.

Upd. The only difference I see is that this filter saves the current authentications as a session attribute so that the web app code can see which process engine users are authenticated.

Any other update? I also cannot find differences.