They are in different projects (web-app and engine) and are not exactly the same. But still there are many similarities in the code.
What is the purpose of each one? And why are there two of them and not one? I.e. why can’t one of them do what the other does (whatever the “one” and the “other” is).
The Container-based Authentication Filter is only using the standard Servlet and Java Security APIs. Therefore it works exactly the same on all Servlet containers and with any authentication mechanism supported by the container.
Securing Camunda’s REST API
REST API’s default ProcessEngineAuthenticationFilter authenticates the user with HTTP Basic Auth.
Securing Camunda’s Web Apps
Camunda Web Apps use an AuthenticationFilter very similar to the REST API’s ProcessEngineAuthenticationFilter.
Securing your Web Application Container
Add the ContainerBasedAuthenticationFilter that ships with the product and implement a custom AuthenticationProvider if required.
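The custom AuthenticationProvider mentioned above, as an added example that is not Camunda’s own code: it trusts only the principal the Servlet container has already authenticated and re-checks it on every request. It assumes the `AuthenticationProvider` / `AuthenticationResult` SPI from Camunda’s `org.camunda.bpm.engine.rest.security.auth` package; the package name, the role list and the `setGroups` call are assumptions of this example.

```java
// Added example (not Camunda's code). Assumes Camunda's AuthenticationProvider SPI
// from the REST engine module; the role-to-group mapping is a constructed illustration.
package com.example.auth; // hypothetical package

import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;

public class ContainerPrincipalAuthenticationProvider implements AuthenticationProvider {

  // Constructed mapping: container roles (declared as <security-role> in web.xml)
  // that should be reported to Camunda as group ids of the same name.
  private static final List<String> CONTAINER_ROLES = Arrays.asList("camunda-admin", "accounting");

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    // The container (realm / security domain) has already performed the login; no
    // credentials are seen or verified here. A missing principal means the container did
    // not authenticate this request, so fail and let the filter issue the challenge.
    // Because this runs on every request, nothing cached in the HTTP session is trusted.
    Principal principal = request.getUserPrincipal();
    if (principal == null || principal.getName() == null || principal.getName().isEmpty()) {
      return AuthenticationResult.unsuccessful();
    }
    AuthenticationResult result = AuthenticationResult.successful(principal.getName());

    // Optional (assumed API): derive group membership from container roles. If no groups
    // are set, this example assumes the filter falls back to the engine's IdentityService.
    List<String> groups = new ArrayList<>();
    for (String role : CONTAINER_ROLES) {
      if (request.isUserInRole(role)) {
        groups.add(role);
      }
    }
    if (!groups.isEmpty()) {
      result.setGroups(groups);
    }
    return result;
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    // The container owns the login mechanism (FORM, BASIC, CLIENT-CERT, ...), so no
    // WWW-Authenticate header is added here; the container's <login-config> drives it.
  }
}
```

Register the class as the `authentication-provider` init-param of the ContainerBasedAuthenticationFilter in web.xml, and keep the container’s own security constraint in front of the web app so that unauthenticated requests never reach the filter with a null principal in the first place.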
Thank you for the very good links! And thanks to the Camunda folks for the excellent docs!
However, I still don’t quite understand why there are two filters. Is the difference that one of them uses HTTP sessions and the other is stateless? But why are those sessions needed? The filter authenticates every request every time and does not rely on the user already present in the session. So, the session does not matter eventually.
I know from my earlier experience that there were web applications that did not check the user if one was already present in the HTTP session. But this is not the case with the ContainerBasedAuthenticationFilter.
Could you please elaborate a little bit? I fail to see a difference between the two in this respect.
Upd. The only difference I see is that this filter saves the current authentications as a session attribute so that the web app code can see which process engine users are authenticated.