Getting HTTP/1.1 401 when deleting a deployment over rest

I’m working on a Spring Boot (v2.0.3.RELEASE) application. The application has the org.flowable:flowable-spring-boot-starter-rest:6.3.1 & org.springframework.boot:spring-boot-starter-security dependencies.

Programmatically, I can create deployments, start my processes etc.

What I’m trying to achieve now, is to be able to manage my deployments using the flowable rest api.

Querying deployments works fine (curl -X GET http://admin:test@localhost:9090/process-api/repository/deployments/) but deleting returns a HTTP/1.1 401, i.e. Unauthorised. I have also tried to link the Flowable Admin webapp (deployed on a separate server) to my Spring Boot application, with the same result.

This is what my security configuration currently looks like:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // In-memory user store: a single "admin" user carrying the two Flowable authorities.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
        .inMemoryAuthentication()
        .withUser("admin")
        // plaintext password; Spring Security 5 expects an encoder id prefix such as {noop}
        // unless a PasswordEncoder bean is supplied elsewhere in the application
        .password("test")
        .authorities(
            // SecurityConstants is Flowable's: ACCESS_ADMIN and PRIVILEGE_ACCESS_REST_API
            new SimpleGrantedAuthority(SecurityConstants.ACCESS_ADMIN),
            new SimpleGrantedAuthority(SecurityConstants.PRIVILEGE_ACCESS_REST_API)
        );
    }

    // Every request must be authenticated; HTTP Basic is the only mechanism enabled.
    // Note that nothing here touches the CSRF filter, which Spring Security turns on by default.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()
        .httpBasic();
    }
}

The reason for adding the SecurityConstants.PRIVILEGE_ACCESS_REST_API & SecurityConstants.ACCESS_ADMIN authorities was pretty much a guess, so it might be wrong?

I implemented a simple @RestController to test that I actually have the two authorities by adding @PreAuthorize("hasAnyAuthority('access-rest-api')") to my REST methods.

I want to manage my users myself, i.e. not let Flowable do it, as the users & roles will later be kept in Keycloak. Keycloak is out of scope for the moment. So as long as I can get this working using inMemoryAuthentication, I’m happy.

So, what steps need to be taken to make the Flowable REST API work in my application? Links to any examples would really help.

Thanks!

Have you taken a look at the Flowable Spring Boot examples? Maybe you are missing specifying the authentication provider?

Thanks for your response.

I have looked at this example but can’t really map it to my code. In the example, you’re populating the IdmIdentityService with users, groups and privileges.

I did some debugging and found this:

curl -X GET http://admin:test@localhost:9090/process-api/repository/deployments/

That runs fine. Without the authentication (admin:test) I get (as expected):

2018-09-24 15:08:50.131 DEBUG 7194 --- [nio-9090-exec-7] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied

But when running (with credentials):

curl -I -X DELETE http://admin:test@localhost:9090/process-api/repository/deployments/842acc0e-bce5-11e8-8a67-d6074f26d34d

I get:

2018-09-24 15:10:38.897 DEBUG 7194 --- [nio-9090-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied

What I don’t understand is why it says “user is anonymous” in the DELETE case, but not in the GET case?

Hi,

Did you try to execute the DELETE call with a HTTP tool like Postman as well?
Because the exception that “Access is Denied” looks like a problem with authenticating the request for some reason. It should work fine when using the admin / test credentials.

Best regards,

Tijs

I have not tried with Postman. But I have tried using the Flowable Admin app, i.e. pointing it at my application. It is able to list my deployments, but not delete them. I get a 401 in Flowable Admin as well.

I doubt it’s the authentication that is the problem. As I wrote above, calling the GET process-api/repository/deployments without username/password returns the same error.

I just did some more testing and removed all Spring Security related code and removed the credentials when making the DELETE call. That worked, i.e. I didn’t get any errors and the deployment was deleted.

This is confusing…

By default Spring Security enables CSRF protection, so if you add .csrf().disable() to your configuration, DELETE and POST will work. CSRF protection allows GET calls without the special cookie, but it doesn’t allow DELETE or POST.

Thanks! That did the trick!
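The fix accepted above is to switch CSRF protection off for the whole application. The following Spring Security 5.0 / Spring Boot 2.0 configuration is an added example (not code from the original poster or from the Flowable project) that shows why that works and a narrower alternative: CSRF only matters when a browser attaches credentials automatically, so a stateless REST API authenticated per request with HTTP Basic from curl or from the Flowable Admin server can have CSRF turned off on its own filter chain while everything else keeps the default protection. It assumes the Flowable REST API is mounted under /process-api/** (as in the curl calls in this thread), that "access-rest-api" (the string shown in the thread) is the authority the API requires, that no other WebSecurityConfigurerAdapter is registered in the application, and that the user store is the page's in-memory admin/test user with a {noop} prefix because Spring Security 5 requires a password-encoder id.

```java
// Added example: split the Flowable REST API onto its own stateless, CSRF-free filter
// chain instead of calling csrf().disable() on the single chain that protects everything.
// Assumptions (not from the original post): API paths are /process-api/**, the required
// authority is "access-rest-api", and no other WebSecurityConfigurerAdapter exists.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class RestApiSecurityConfig {

    // Shared in-memory user for both chains (the thread's admin/test). Spring Security 5
    // needs an encoder id prefix on stored passwords; {noop} keeps the plaintext usable.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin")
            .password("{noop}test")
            .authorities("access-rest-api");
    }

    // Chain 1 (evaluated first): only the Flowable REST API.
    // No HTTP session is created, so there is no ambient credential for a cross-site
    // request to ride on, and the CSRF filter has nothing to protect. Clients such as
    // curl and the Flowable Admin app send Basic credentials explicitly on each call.
    @Configuration
    @Order(1)
    public static class FlowableRestApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/process-api/**")   // this chain applies to API paths only
                .csrf().disable()                // equivalent of the accepted fix, scoped to the API
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .anyRequest().hasAuthority("access-rest-api")
                .and()
                .httpBasic();
        }
    }

    // Chain 2 (fallback): every other path keeps Spring Security's defaults, CSRF included,
    // so any session-based, browser-facing endpoint is still protected against DELETE/POST
    // forged from another origin.
    @Configuration
    @Order(2)
    public static class DefaultWebSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                .and()
                .httpBasic();
        }
    }
}
```

With this in place the curl DELETE from the thread (`curl -X DELETE http://admin:test@localhost:9090/process-api/repository/deployments/<id>`) reaches Flowable without a CSRF token, while a GET without credentials still gets the 401 challenge. One caveat: if a human logs in to the same host from a browser using Basic auth, the browser will resend those credentials automatically, so the stateless chain should be reserved for paths that only non-browser clients call.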