
I successfully managed to integrate Spring Security with Camunda's IdentityService. My goal is to share a common auth realm between the two, because we have a spring-boot based web app that also runs Camunda. In our application, Spring Security should solely manage the single auth realm, with Camunda acting only as read-only client code.

We are planning to bind business processes with users, and these users should be authenticated from spring security.

My question is: what exactly should I implement / override?

My current code is as follows:

import org.camunda.bpm.engine.impl.identity.db.DbReadOnlyIdentityServiceProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

/**
 * Wires Camunda {@link org.camunda.bpm.engine.IdentityService} with Spring Security.
 * TODO check if other method overrides are needed
 */
@Component
public class SpringSecurityReadOnlyIdentityServiceProvider extends DbReadOnlyIdentityServiceProvider {

    @Autowired
    private AuthenticationManager authenticationManager;

    /**
     * Checks if username and password is valid.
     *
     * @param userId   Username
     * @param password Password
     * @return True if authentication succeeded
     */
    @Override
    public boolean checkPassword(String userId, String password) {
        try {
            // Only success or failure matters here; the returned Authentication is discarded
            // and nothing is stored in the SecurityContextHolder.
            authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(userId, password));
        } catch (AuthenticationException e) {
            return false;
        }
        return true;
    }
}

It works (the wiring itself), but I don't know what other methods I should override.

This code checks whether the given username and password are correct in Spring Security's realm. Is this enough? I did read the documentation for Camunda. It contained about two lines saying I should implement ReadOnlyIdentityProvider or WritableIdentityProvider, but I think implementing each and every method is pure overkill. That's why I extended DbReadOnlyIdentityServiceProvider.

Thanks!

gyorgyabraham
  • You can check out https://github.com/AOT-Technologies/forms-flow-ai/tree/master/forms-flow-bpm to learn more. We had implemented authentication using Keycloak. Except for the authentication provider, the other configuration must be the same. – John Jun 15 '22 at 10:06

1 Answer

In the meantime, Camunda 7.9 has introduced the ContainerBasedAuthenticationFilter, which can be used in combination with a custom Camunda AuthenticationProvider.

This is a complete example of integrating Camunda >=7.9 with Spring Security: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso

rob2universe
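The combination the answer describes (Camunda's ContainerBasedAuthenticationFilter driven by a custom Camunda AuthenticationProvider that trusts the principal Spring Security already established) as an added example; this is not code from the question, the answer or the linked repository. The class names SpringSecurityAuthenticationProvider and CamundaWebappSecurityConfig, the /camunda/app/* URL pattern and the filter order are assumptions for a Spring Boot deployment; user and group lookups still go through the read-only identity provider from the question.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Collections;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hands the user authenticated by Spring Security over to the Camunda web app (assumed class name). */
public class SpringSecurityAuthenticationProvider implements AuthenticationProvider {
    // Instantiated by the filter via reflection, so it needs a public no-arg constructor and no @Autowired.
    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            // No real Spring Security principal on this request: Camunda must not treat it as logged in.
            return AuthenticationResult.unsuccessful();
        }
        // Only the user id crosses the boundary; Camunda resolves groups through its identity provider.
        return AuthenticationResult.successful(auth.getName());
    }

    @Override
    public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
        // Spring Security owns the login flow, so Camunda issues no challenge of its own.
    }
}

/** Registers the Camunda filter behind Spring Security's chain (assumed configuration class). */
@Configuration
class CamundaWebappSecurityConfig {
    @Bean
    public FilterRegistrationBean<ContainerBasedAuthenticationFilter> camundaAuthFilter() {
        FilterRegistrationBean<ContainerBasedAuthenticationFilter> reg = new FilterRegistrationBean<>();
        reg.setFilter(new ContainerBasedAuthenticationFilter());
        reg.setInitParameters(Collections.singletonMap("authentication-provider",
                SpringSecurityAuthenticationProvider.class.getName()));
        reg.addUrlPatterns("/camunda/app/*"); // assumed web app context path
        reg.setOrder(101); // positive order: runs after Spring Security's filter chain (default order -100)
        return reg;
    }
}
```

Because the provider reads only the SecurityContextHolder, a request that never passed Spring Security's authentication reaches Camunda as unauthenticated rather than as a guessed user.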