user3661933

Reputation: 91

How to disable activiti REST HTTP

We are using Activiti v5.18 and Spring Boot. To invoke the Activiti REST API, we have to create an Activiti user to pass basic authentication. As far as I know, Activiti security is based on Spring Boot security. We tried two approaches.

  1. Exclude activiti spring boot security auto config

    @EnableAutoConfiguration(exclude = {org.activiti.spring.boot.SecurityAutoConfiguration.class})
    
  2. Create a class to extend the Spring class 'WebSecurityConfigurerAdapter', and set 'security.basic.enabled=false' in application.properties

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .authorizeRequests()
                    .antMatchers(HttpMethod.GET, "/", "/static/**", "/resources/**", "/resources/public/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .and()
                .httpBasic().disable()
                .requiresChannel().anyRequest().requiresSecure();
            // @formatter:on
        }
    }
    

Unfortunately, neither of them disables the basic authentication. When I go to the page 'http://localhost:8080/repository/deployments', the browser pops up a user login window, and the page shows this error message:

    This application has no explicit mapping for /error, so you are seeing this as a fallback.

    There was an unexpected error (type=Unauthorized, status=401). Full authentication is required to access this resource

In addition, we have our own REST service; when a client invokes our REST service, the browser also asks for the Activiti REST user/password.

Is there any way to disable activiti REST HTTP basic authentication?

Upvotes: 2

Views: 6730

Answers (4)

Yoku

Reputation: 307

Recently I was also faced with this issue. I tried several suggestions and spent many hours, but I could not succeed. But there was a very easy way out. If one doesn't need to use Activiti-rest while integrating it with one's application as such, then just take the dependency

    <dependency>
        <groupId>org.activiti</groupId>
        <artifactId>activiti-spring-boot-starter-rest-api</artifactId>
        <version>${activiti.version}</version>
    </dependency>

out. Hope it will help someone. There is no documentation I could find mentioning this.

Upvotes: 0

amorales

Reputation: 327

This might be coming late for the OP, but this works and will probably still help other people.

    @EnableAutoConfiguration(exclude = {
        org.activiti.spring.boot.RestApiAutoConfiguration.class,
        org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class,
        org.activiti.spring.boot.SecurityAutoConfiguration.class,
        org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration.class
    })

Upvotes: 2

Amir Azizkhani

Reputation: 1813

You can use this class for configuration with @Ben's idea:

    @Configuration
    @EnableWebSecurity
    @EnableWebMvcSecurity
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public class CustomSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Bean
        @ConditionalOnMissingBean
        public AuthenticationProvider authenticationProvider() {
            return new BasicAuthenticationProvider();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authenticationProvider(authenticationProvider())
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                    .antMatchers(HttpMethod.GET, "/**").permitAll()
                    .antMatchers(HttpMethod.POST, "/**").permitAll()
                    .antMatchers(HttpMethod.PUT, "/**").permitAll()
                    .antMatchers(HttpMethod.DELETE, "/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }

Upvotes: 0

Ben

Reputation: 1599

You could use antMatchers to disable authentication for some types of requests, such as HTTP GET and/or HTTP POST requests, as follows:

    .antMatchers(HttpMethod.GET, "/**").permitAll()

With this command, all HTTP GET methods won't hit the BasicAuthenticationFilter. For my use case, I had to exclude the HTTP OPTIONS requests this way. Simply edit the org.activiti.rest.conf.SecurityConfiguration.java in the activiti-webapp-rest2 as follows:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authenticationProvider(authenticationProvider())
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers(HttpMethod.GET, "/**").permitAll()
                .antMatchers(HttpMethod.POST, "/**").permitAll()
                .antMatchers(HttpMethod.PUT, "/**").permitAll()
                .antMatchers(HttpMethod.DELETE, "/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

After that, you have to rebuild the Activiti-Project. Redeploy the war-file and after that, basic auth should be disabled.

Upvotes: 3
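
An added example, not part of any answer above and not Activiti's own code: a narrower variant of the `configure` override discussed in the answers, where the filter chain covers only the Activiti REST paths, lets `OPTIONS` preflight requests through, and keeps HTTP Basic for every other method. The class name, the list of path prefixes (only `/repository/` appears in the question; the rest are the Activiti 5 REST resource roots and should be checked against your version) and the existence of a separate security configuration for the application's own endpoints are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical class name; added example, not from the original page.
@Configuration
@EnableWebSecurity
@Order(Ordered.HIGHEST_PRECEDENCE)
public class ActivitiRestSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumption: Activiti REST is mapped at the context root, as in the
    // question's URL http://localhost:8080/repository/deployments.
    private static final String[] ACTIVITI_REST_PATHS = {
        "/repository/**", "/runtime/**", "/history/**", "/form/**",
        "/management/**", "/identity/**", "/query/**"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain only handles Activiti REST paths; the application's own
            // REST service is left to its own security configuration (assumed).
            .requestMatchers().antMatchers(ACTIVITI_REST_PATHS).and()
            // Stateless API clients: no HTTP session is created for them.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            // No session cookie is issued by this chain, so CSRF tokens are not used.
            .csrf().disable()
            .authorizeRequests()
                // CORS preflight requests carry no credentials, so they are let through.
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // GET, POST, PUT and DELETE on Activiti REST still require a user.
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

Requests outside the listed prefixes never enter this chain, so the Basic prompt for them is decided by whatever other security configuration the application has.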
