Integrating Spring Security with Camunda
The main idea is to offload authentication to Spring Security which then makes it easy to plug in any authentication mechanism. Spring Security offers different ways of achieving that:
Option 1: Provide a custom Spring Security
AuthenticationProvider which takes care of the whole authentication procedure.
In that way, authentication could be done in any (proprietary) Camunda specific way. This approach is not in scope
of this showcase.
Option 2: Use any given Identity Management solution (e.g. keycloak, auth0, ...) and integrate it with Spring Security,
then pass the authentication on to Camunda using Camunda's
Depending on what one needs to secure, one needs to add a stateless filter for the REST API
see here )
or a session based one for the web apps. For the latter, Camunda 7.9 introduced the ContainerBasedAuthenticationFilter
that can be used in combination with a custom Camunda AuthenticationProvider.
We also need to make sure that the existing AuthenticationFilter that is already used by the Web Apps does not interfere with our custom one. That means our filter should be first in the order, so that the existing one can serve as a fallback. Since the existing filter only reads auth info from the session, there should be no harm in leaving it in place.
If one needs to use IdentityService APIs or wants to see actual Users and Groups show up in Cockpit,
IdentityProvider needs to be implemented as well.
Another example of how to use external authentication can be found in the Camunda SSO JBoss Project.