Permit OPTIONS calls without HTTP Basic Auth


I am looking to permit the OPTIONS calls to the Flowable REST server so as to make cross domain requests (my Flowable server is hosted on a different domain) to this server.

I figured this change in the source code could help, but it is not doing the job. Is there something amiss in my configuration?

index 2a529f3..9a073cd 100644
--- a/modules/flowable-app-rest/src/main/java/org/flowable/rest/conf/
+++ b/modules/flowable-app-rest/src/main/java/org/flowable/rest/conf/
@@ -10,6 +10,7 @@ import;
+import org.springframework.http.HttpMethod;
@@ -35,12 +36,14 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
         if (swaggerDocsEnable) {
+                   .antMatchers(HttpMethod.OPTIONS, "/flowable-task/process-api/**").permitAll()
         } else {
+                   .antMatchers(HttpMethod.OPTIONS, "/flowable-task/process-api/**").permitAll()

From a first glance, that seems to be ok. Are you sure the changes are picked up?
Did you put spring security on debug log level … if so, what happens for such a request?

Not sure about this; but shouldn’t the antMatcher be without the web app context; so without ‘/flowable-task’ ?

Hi @joram,
How do I go about doing this in Flowable? I inserted in /webapps/flowable-rest/WEB-INF/classes/ file, restarted the Tomcat service. I don’t see any debug information related to Spring security.

Hello @yvo,
No, that did not do the trick.

Hi @horsey,

i was looking at your diff.
Can you explain what you’re trying to do? And in what app(s)?
The class your modifying is part of the flowable-rest-app. But you’re referring ‘/flowable-task’. This mapping is not present in the Flowable REST APP. This is part of the Flowable Task UI APP.

Take a look here to see how the REST APIs are mapped in the REST APP.

The mapping you’re using seems to be one used in the TASK UI APP. The same APIs are exposed in here; but with a different mapping.



Hello @yvo,
In a sentence: I want to be able to allow cross origin requests to my Flowable server hosted on a different domain. This means that HTTP OPTIONS verb should be allowed without any Basic Authentication.

I am using /flowable-task based on the file present in the flowable-admin app - which says Default REST endpoint config. This obviously seems to be the source of the problem.

I changed the URI to /service/process-api/query/process-instances and the the code change that I made works now.

# Process engine Process app Process REST config

# DMN engine DMN app DMN REST config

# Form engine Form app Form REST config

# Content engine Content app Content REST config