Spring Boot Security

Hello. When i started using spring boot flowable. My default spring security was overriten by engine. My authorizationManager of application can not sign in users now. I can not figure out where is the problem exactly.
I used to use activiti bpm and added these code to fix problem and i succeded:

@EnableAutoConfiguration(exclude = {
** org.activiti.spring.boot.RestApiAutoConfiguration.class,**
** org.activiti.spring.boot.SecurityAutoConfiguration.class})**
public class SpringPlatformApplication {

Then i just changed namespaces. Though now i have a problem with flowable bpm. Could somebody please help.

1 Like

Anybody can help me? My authorization is broken due to spring boot flowable.


Can you explain in more details what you’re trying to do?



Hello. Well i have a project in spring boot and i have my own spring security CustomUserDetails class in it. As far as i understand flowable also has it’s own spring security and when i run my project i can no longer authenticate user through spring security AuthenticationManager class (http://docs.spring.io/autorepo/docs/spring-security/3.2.9.RELEASE/apidocs/org/springframework/security/authentication/AuthenticationManager.html). Though my authentication worked fine before i added flowable bpm to project. But i do need to use bpm in project. So i need urgent help.

You mentioned that using

@EnableAutoConfiguration(exclude = {
**	org.activiti.spring.boot.RestApiAutoConfiguration.class,**
**	org.activiti.spring.boot.SecurityAutoConfiguration.class})**

it worked.
So changing that to

@EnableAutoConfiguration(exclude = {
**	org.flowable.spring.boot.RestApiAutoConfiguration.class,**
**	org.flowable.spring.boot.SecurityAutoConfiguration.class})**

does not work?

Yes indeed. Could you try it. Guys, i think you should test spring boot flowable more careful. It has many bugs.
By the way:
My project even not started with spring boot flowable.
Earlier i created issue in github, there are was a problem with slf4j. That issue was resolved by Tijs.
So, i removed flowable-spring-boot-rest-api dependency.
Finally, i only included flowable-spring-boot-basic dependency.

Now, my users can not authorize due to flowable bpm.
I hope you will fix the bug.


As you know we want to make it really easy to use all modules of the Flowable project including the Spring boot modules. But we really need detailed input about your project to be able to reproduce your issue. Making a statement like “It has many bugs” is not really helping. Point us at these bugs with good explanations and we’ll try our best to fix it.

In this specific case, which Flowable modules are you using exactly? Excluding “org.flowable.spring.boot.SecurityAutoConfiguration.class” doesn’t make any difference? Do you see the Flowable SecurityAutoConfiguration being instantiated in the logging?

Best regards,


Hi Tijs. I agree. Excuse me. Currently i can only say that i use Flowable Spring Boot Starter Basic, Flowable Spring Boot Starter Jpa. Unfortunately other details can be provided tomorrow, because i am not at work place this time. I will give feedback as soon as possible.

Hello. Finally i figured out what was the problem. I started debugging my application and i noticed that when i execute
Authentication auth = authenticationManager.authenticate(usernamePasswordAuthenticationToken); in my class

it goes into flowable class IdentityServiceUserDetailsService and calls loadUserByUsername. However i have my own class CustomUserDetailsService which implements UserDetailsService and has loadUserByUsername method.
To summ up, flowable class called insted of mine.

I attached some screens. Could you please fix the bug or help. We are going into production.


Ok. But coming back to excluding RestApiAutoConfiguration and SecurityAutoConfiguration, that should prevent the Flowable UserDetailsService from being used. Can you check if the Flowable SecurityAutoConfiguration is loaded somehow?

Best regards,


Hello. Well it is not called. I put debug point to check it. However, I solved problem by addind this to my class

public class SecurityConfig extends WebSecurityConfigurerAdapter {

@javax.annotation.Resource(name = “customUserDetailsService”)
private UserDetailsService customUserDetailsService;

protected UserDetailsService userDetailsService() {
   return customUserDetailsService;


Though we excluded SecurityAutoConfiguration, but i guess it is still somehow affects.
However if you have better approach, you are welcome. Later, i think we need to use flowable rest api, because we have our custom flowable bpm admin ui application. Not sure, what problem we will face, because we excluded rest api configuration, which is really sad.

Hi ,
In which class these things to be excluded