Hello, I want to customize flowable-admin, and I need to bypass the login restrictions. What should I do?
Hi,
you could create your own Spring Security configuration.
E.g. something like this:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // every request is permitted, and CSRF protection is switched off as well
            http.csrf().disable().authorizeRequests().anyRequest().permitAll();
        }
    }
Regards,
Yvo
Hello, thank you for your reply, but there are still some problems. After I added this, it runs normally, but I still can't bypass it.
This is the related log.
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.boot.web.servlet.filter.OrderedRequestContextFilter - Bound request context to thread: org.apache.catalina.connector.RequestFacade@f7ac61e
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : ‘/’; against ‘/actuator/**’
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - / at position 1 of 11 in additional filter chain; firing Filter: ‘WebAsyncManagerIntegrationFilter’
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - / at position 2 of 11 in additional filter chain; firing Filter: ‘SecurityContextPersistenceFilter’
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - / at position 3 of 11 in additional filter chain; firing Filter: ‘HeaderWriterFilter’
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - / at position 4 of 11 in additional filter chain; firing Filter: ‘LogoutFilter’
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern=’/app/logout’, GET]
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : ‘/’; against ‘/app/logout’
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern=’/app/logout’, POST]
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request ‘GET /’ doesn’t match ‘POST /app/logout
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern=’/app/logout’, PUT]
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request ‘GET /’ doesn’t match ‘PUT /app/logout
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - Trying to match using Ant [pattern=’/app/logout’, DELETE]
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request ‘GET /’ doesn’t match 'DELETE /app/logout
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.util.matcher.OrRequestMatcher - No matches found
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - / at position 5 of 11 in additional filter chain; firing Filter: ‘FlowableCookieFilter’
13:51:53.744 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@5f0e9155
13:51:53.745 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
13:51:53.745 [http-nio-9988-exec-3] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
13:51:53.745 [http-nio-9988-exec-3] DEBUG org.springframework.boot.web.servlet.filter.OrderedRequestContextFilter - Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@f7ac61e
Hello, can you help me analyze this? Thank you so much.
Hi,
It seems you still have the Flowable security configuration active.
Did you replace or remove the current SecurityConfiguration?
In addition to that you need to edit app.js, because it calls an account REST service.
You will need to replace

    $http.get('/app/rest/account')
        .success(function (data, status, headers, config) {
            $rootScope.account = data;
            $rootScope.authenticated = true;
            $rootScope.loadServerConfig(false);
        });

with

    $rootScope.authenticated = true;
    $rootScope.loadServerConfig(false);
Hope this helps.
Yvo
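The diagnosis above rests on reading the FilterChainProxy lines: the chain has 11 filters, but the trace stops after FlowableCookieFilter at position 5, so the request never reached the authorization decision where a custom permitAll rule would have applied. The following script, an added example that is not part of this thread, automates that reading over constructed sample lines abbreviated from the posted log; the filter name it treats as Flowable-specific is taken from the log itself.

```python
import re
from dataclasses import dataclass, field

# Spring Security's FilterChainProxy DEBUG line, e.g. "... FilterChainProxy - / at position 5 of 11
# in additional filter chain; firing Filter: 'FlowableCookieFilter'" (straight or curly quotes).
FILTER_LINE = re.compile(
    r"FilterChainProxy - (?P<path>\S+) at position \d+ of (?P<total>\d+) "
    r"in additional filter chain; firing Filter: ['‘’](?P<name>\w+)['‘’]"
)
# Filters contributed only by Flowable's own SecurityConfiguration; if one fires, that
# configuration is still active rather than replaced by a custom one.
FLOWABLE_FILTERS = {"FlowableCookieFilter"}

# Constructed sample, abbreviated from the trace posted in the thread (logger names shortened).
SAMPLE_LOG = [
    "13:51:53.744 [exec-3] DEBUG o.s.s.web.FilterChainProxy - / at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'",
    "13:51:53.744 [exec-3] DEBUG o.s.s.web.FilterChainProxy - / at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'",
    "13:51:53.744 [exec-3] DEBUG o.s.s.web.FilterChainProxy - / at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'",
    "13:51:53.744 [exec-3] DEBUG o.s.s.web.FilterChainProxy - / at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'",
    "13:51:53.744 [exec-3] DEBUG o.s.s.web.FilterChainProxy - / at position 5 of 11 in additional filter chain; firing Filter: ‘FlowableCookieFilter’",
    "13:51:53.745 [exec-3] DEBUG o.s.s.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed",
]

@dataclass
class ChainTrace:
    path: str = ""
    total: int = 0
    fired: list = field(default_factory=list)  # filter names in firing order

    def completed(self) -> bool:
        # Only a request that fires every filter reaches the authorization decision at the end.
        return self.total > 0 and len(self.fired) == self.total

def analyze(lines) -> ChainTrace:
    trace = ChainTrace()
    for line in lines:
        m = FILTER_LINE.search(line)
        if m:
            trace.path, trace.total = m.group("path"), int(m.group("total"))
            trace.fired.append(m.group("name"))
    return trace

def diagnose(trace: ChainTrace) -> str:
    if trace.completed():
        return f"{trace.path}: all {trace.total} filters fired; authorization rules were evaluated"
    # When the chain does not complete, the last filter that fired short-circuited the request.
    culprit = trace.fired[-1] if trace.fired else "nothing"
    note = " (Flowable's default SecurityConfiguration is still active)" if culprit in FLOWABLE_FILTERS else ""
    return f"{trace.path}: chain stopped at {culprit} ({len(trace.fired)} of {trace.total}){note}"
```

Run `print(diagnose(analyze(SAMPLE_LOG)))` against a debug log captured after changing the configuration; once the custom chain is the one in effect, FlowableCookieFilter no longer appears and the chain runs to completion.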
Thank you, after I changed both of these and removed the default security configuration, it works successfully.
Hi,
1. Where exactly does the SecurityConfiguration class need to be deployed to be overridden if I have the WAR files deployed in a local Tomcat server?
2. In similar terms, what changes are required if I need to bypass the security / login page in flowable-modeler?
Thanks in advance
Did you solve your issue?
This is my security config:
    http
        .authorizeRequests()
            .antMatchers("/actuator/**").permitAll().and()
        .csrf().ignoringAntMatchers("/app/**").and()
        .authorizeRequests(authorizeRequests ->
            authorizeRequests
                // would get 401 on the engines in the admin panel without this
                .antMatchers("/*-api/**", "/app/**").permitAll()
                .anyRequest().authenticated()
        )
        .oauth2Login(oauthLogin -> oauthLogin.permitAll()) // redirect to login if no token or session is provided
        .oauth2ResourceServer().jwt();
    http.logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/app/logout"))
        .logoutSuccessHandler(keycloakLogoutHandler); // keycloakLogoutHandler is injected elsewhere in the class
I know this config doesn't make much sense, but at least I can see and use all UI components with it on my local machine; on dev, however, I get
angular.js:9827 GET <my-prod-url>/app/rest/account 500
Anyone know how to solve this?
I'm not sure, but could it be that you're removing the need for logging in, while the /app/rest/account endpoint (which will try to fetch the logged-in user) is still invoked?
When making modifications like removing the need for logging in, some additional modifications are probably needed, because the UI does not support this use case by default.
Did you look at the previous replies in this topic? About replacing the js bit?
Also, it helps to provide more info, especially in old topics. What version are you on? What does the stack trace contain? Etc.
Yvo