Permit OPTIONS calls without HTTP Basic Auth

Hello,

I am looking to permit the OPTIONS calls to the Flowable REST server so as to make cross domain requests (my Flowable server is hosted on a different domain) to this server.

I figured this change in the source code could help, but it is not doing the job. Is there something amiss in my configuration?

index 2a529f3..9a073cd 100644
--- a/modules/flowable-app-rest/src/main/java/org/flowable/rest/conf/SecurityConfiguration.java
+++ b/modules/flowable-app-rest/src/main/java/org/flowable/rest/conf/SecurityConfiguration.java
@@ -10,6 +10,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.http.HttpMethod;
 
 @Configuration
 @EnableWebSecurity
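Review bot: The added import of org.springframework.http.HttpMethod sits after the org.springframework.security imports, which breaks the ordering the rest of the import block follows. Move it above the org.springframework.security.config lines so the block stays sorted.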
@@ -35,12 +36,14 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
         if (swaggerDocsEnable) {
             httpSecurity
                     .authorizeRequests()
+                   .antMatchers(HttpMethod.OPTIONS, "/flowable-task/process-api/**").permitAll()
                     .antMatchers("/docs/**").permitAll()
                     .anyRequest()
                     .authenticated().and().httpBasic();
         } else {
             httpSecurity
                     .authorizeRequests()
+                   .antMatchers(HttpMethod.OPTIONS, "/flowable-task/process-api/**").permitAll()
                     .antMatchers("/docs/**").denyAll()
                     .anyRequest()
                     .authenticated().and().httpBasic(); 
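Review bot: The pattern in both added antMatchers lines begins with /flowable-task, which reads like the context root of a different web app, while this class belongs to modules/flowable-app-rest. Ant matchers are evaluated against the path inside the application, so a prefix that is not one of this app's own mappings will never match and the OPTIONS request falls through to .anyRequest().authenticated(). Please confirm the prefix against the REST app's servlet mapping. The same rule is also duplicated in both branches of the swaggerDocsEnable check and could be applied once before the if, and both added lines are indented one space short of the neighbouring .antMatchers calls. Note too that this only exempts OPTIONS from authentication; nothing in this hunk adds the CORS response headers a browser expects on the preflight reply.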

From a first glance, that seems to be ok. Are you sure the changes are picked up?
Did you put Spring Security on debug log level … if so, what happens for such a request?

Not sure about this, but shouldn’t the antMatcher be without the web app context, so without ‘/flowable-task’?

Hi @joram,
How do I go about doing this in Flowable? I inserted log4j.logger.org.springframework.security=DEBUG in the /webapps/flowable-rest/WEB-INF/classes/log4j.properties file and restarted the Tomcat service. I don’t see any debug information related to Spring Security.

Hello @yvo,
No, that did not do the trick.

Hi @horsey,

I was looking at your diff.
Can you explain what you’re trying to do? And in what app(s)?
The class you’re modifying is part of the flowable-rest-app. But you’re referring to ‘/flowable-task’. This mapping is not present in the Flowable REST APP. This is part of the Flowable Task UI APP.

Take a look here to see how the REST APIs are mapped in the REST APP.

The mapping you’re using seems to be one used in the TASK UI APP. The same APIs are exposed in here; but with a different mapping.

Regards,

Yvo

Hello @yvo,
In a sentence: I want to be able to allow cross origin requests to my Flowable server hosted on a different domain. This means that HTTP OPTIONS verb should be allowed without any Basic Authentication.

I am using /flowable-task based on the flowable-ui-app.properties file present in the flowable-admin app - which says Default REST endpoint config. This obviously seems to be the source of the problem.

I changed the URI to /service/process-api/query/process-instances and the code change that I made works now.

#
# Process engine
rest.process.app.name=Flowable Process app
rest.process.app.description=Flowable Process REST config
rest.process.app.host=https://host
rest.process.app.port=8443
rest.process.app.contextroot=flowable-task
rest.process.app.restroot=process-api
rest.process.app.user=admin
rest.process.app.password=test

# DMN engine
rest.dmn.app.name=Flowable DMN app
rest.dmn.app.description=Flowable DMN REST config
rest.dmn.app.host=https://host
rest.dmn.app.port=8443
rest.dmn.app.contextroot=flowable-task
rest.dmn.app.restroot=dmn-api
rest.dmn.app.user=admin
rest.dmn.app.password=test

# Form engine
rest.form.app.name=Flowable Form app
rest.form.app.description=Flowable Form REST config
rest.form.app.host=https://host
rest.form.app.port=8443
rest.form.app.contextroot=flowable-task
rest.form.app.restroot=form-api
rest.form.app.user=admin
rest.form.app.password=test

# Content engine
rest.content.app.name=Flowable Content app
rest.content.app.description=Flowable Content REST config
rest.content.app.host=https://host
rest.content.app.port=8443
rest.content.app.contextroot=flowable-task
rest.content.app.restroot=content-api
rest.content.app.user=admin
rest.content.app.password=test
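
Added example (not from the thread or the Flowable code base): a simplified Python model of the rule chain in the diff's else branch, showing why the OPTIONS rule only fires once its pattern is relative to the application. The ant-style matcher is a small reimplementation, not Spring's; the function names are hypothetical, and the context path /flowable-rest is assumed from the webapps directory mentioned above.

```python
import re

def ant_to_regex(pattern):
    """Translate an Ant-style pattern (?, *, **) into a regex (simplified model)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?")   # trailing /** covers the directory and everything below
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")       # ** spans path separators
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")    # * stays within one path segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def rules_with(options_pattern):
    """Rule chain from the else branch of the diff; the first matching rule wins."""
    return [
        ("OPTIONS", options_pattern, "permitAll"),
        (None, "/docs/**", "denyAll"),
        (None, None, "authenticated"),   # anyRequest()
    ]

def decide(rules, method, request_uri, context_path):
    """Return the decision of the first rule matching the context-relative path."""
    # The matcher sees the path inside the web app, so the context path is removed first.
    path = request_uri[len(context_path):] if request_uri.startswith(context_path) else request_uri
    for rule_method, pattern, decision in rules:
        if rule_method not in (None, method):
            continue
        if pattern is None or ant_to_regex(pattern).fullmatch(path):
            return decision
    return "authenticated"

# Constructed sample request; the context path is an assumption (see lead-in).
CONTEXT = "/flowable-rest"
URI = CONTEXT + "/service/process-api/query/process-instances"
ORIGINAL = "/flowable-task/process-api/**"                 # pattern from the diff
FIXED = "/service/process-api/query/process-instances"     # URI reported as working

if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "OPTIONS ->", decide(rules_with(pat), "OPTIONS", URI, CONTEXT))
    print("fixed GET ->", decide(rules_with(FIXED), "GET", URI, CONTEXT))
```

With the fixed pattern only the OPTIONS preflight is exempt; every other method on the same path still falls through to the authenticated rule.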