401 - Unauthorized after successful login


Hello 😃

I have set up my Camunda project with Keycloak. It is working fine, but if I want to secure my Rest-Api I am getting an error. When I am trying to access the “/engine-rest/**” path, I am getting the following error:

[2020-09-07T14:33:11.011Z] [org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor] [http-nio-8080-exec-8] [61] [DEBUG] Token not found in request parameters.  Not an OAuth2 request.
[2020-09-07T14:33:11.011Z] [org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter] [http-nio-8080-exec-8] [145] [DEBUG] No token in request, will continue chain.
[2020-09-07T14:33:11.011Z] [org.springframework.security.web.FilterChainProxy$VirtualFilterChain] [http-nio-8080-exec-8] [328] [DEBUG] /engine-rest/engine at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[2020-09-07T14:33:11.011Z] [org.springframework.security.web.FilterChainProxy$VirtualFilterChain] [http-nio-8080-exec-8] [328] [DEBUG] /engine-rest/engine at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[2020-09-07T14:33:11.011Z] [org.springframework.security.web.FilterChainProxy$VirtualFilterChain] [http-nio-8080-exec-8] [328] [DEBUG] /engine-rest/engine at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[2020-09-07T14:33:11.011Z] [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] [http-nio-8080-exec-8] [100] [DEBUG] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@51722761: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A0D442959B5FC57BDDD6D37CDE20E28B; Granted Authorities: ROLE_ANONYMOUS'
[2020-09-07T14:33:11.011Z] [org.springframework.security.web.FilterChainProxy$VirtualFilterChain] [http-nio-8080-exec-8] [328] [DEBUG] /engine-rest/engine at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
[2020-09-07T14:33:11.011Z] [org.springframework.security.web.FilterChainProxy$VirtualFilterChain] [http-nio-8080-exec-8] [328] [DEBUG] /engine-rest/engine at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[2020-09-07T14:33:11.011Z] [org.springframework.security.web.FilterChainProxy$VirtualFilterChain] [http-nio-8080-exec-8] [328] [DEBUG] /engine-rest/engine at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[2020-09-07T14:33:11.011Z] [org.springframework.security.access.intercept.AbstractSecurityInterceptor] [http-nio-8080-exec-8] [219] [DEBUG] Secure object: FilterInvocation: URL: /engine-rest/engine; Attributes: [#oauth2.throwOnError(authenticated)]
[2020-09-07T14:33:11.011Z] [org.springframework.security.access.intercept.AbstractSecurityInterceptor] [http-nio-8080-exec-8] [348] [DEBUG] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@51722761: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A0D442959B5FC57BDDD6D37CDE20E28B; Granted Authorities: ROLE_ANONYMOUS
[2020-09-07T14:33:11.011Z] [org.springframework.security.access.vote.AffirmativeBased] [http-nio-8080-exec-8] [66] [DEBUG] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@27571df3, returned: -1
[2020-09-07T14:33:11.011Z] [org.springframework.security.web.access.ExceptionTranslationFilter] [http-nio-8080-exec-8] [180] [DEBUG] **Access is denied (user is anonymous);** redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:180)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:64)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1594)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:834)

It seems that the granted role is only anonymous and that is why the user cannot access the rest-api. But I have no idea how to change this. Could you please help me?

My Application.yml looks exactly like the showcase and I configured my Keycloak server exactly as described in the showcase.

Thanks in advance 😃

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 9

Top GitHub Comments

2 reactions
VonDerBeck commented, Sep 8, 2020

Hi @MarvinKern,

what exactly do you mean by “tasklist plugin”? In case you mean a plugin for the Camunda Cockpit or Camunda Tasklist application: why do you use the “external” REST Api of Camunda and not the internal one of the Cockpit/Tasklist?

The REST Api under …/engine-rest/** is for external usage, e.g. in case you’re going to write your own tasklist in whatever technology you like. In that case you will have to authorize against keycloak and get a token. The URL for that will be something like <host:port>/auth/realms/camunda/protocol/openid-connect/token, more info on that is to be found in the Keycloak documentation.
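The flow described in the comment above, as an added example that is not part of the original thread or of the Camunda/Keycloak projects: request a token from the Keycloak token endpoint, then send it as a Bearer header so the request to /engine-rest/** is no longer treated as anonymous. The host names, the client id and secret, and the choice of the client_credentials grant are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed values for illustration; none of them come from the original issue.
KEYCLOAK = "http://localhost:9000"   # hypothetical <host:port> of the Keycloak server
CAMUNDA = "http://localhost:8080"    # port 8080 as in the http-nio-8080 log threads
TOKEN_PATH = "/auth/realms/camunda/protocol/openid-connect/token"  # path from the comment


def build_token_request(client_id, client_secret):
    """POST for the token endpoint using the client_credentials grant (assumed grant type)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        KEYCLOAK + TOKEN_PATH, data=body, method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})


def extract_access_token(token_response_body):
    """Pull access_token out of the JSON token response; fail loudly on an error response."""
    doc = json.loads(token_response_body)
    if "access_token" not in doc:
        raise ValueError("token endpoint returned no access_token: %s" % doc.get("error"))
    return doc["access_token"]


def build_engine_request(path, access_token):
    """GET against /engine-rest/** carrying the token in the Authorization header."""
    return urllib.request.Request(
        CAMUNDA + "/engine-rest/" + path.lstrip("/"),
        headers={"Authorization": "Bearer " + access_token})


def call_engine(path, client_id, client_secret):
    """Full round trip: fetch a token, then call the REST API with it."""
    with urllib.request.urlopen(build_token_request(client_id, client_secret)) as r:
        token = extract_access_token(r.read())
    with urllib.request.urlopen(build_engine_request(path, token)) as r:
        return json.loads(r.read())


if __name__ == "__main__":
    # Needs a running Keycloak and Camunda; client id and secret are placeholders.
    print(call_engine("engine", "camunda-rest-client", "<client-secret>"))
```

A request built without the Authorization header is what produces the "No token in request, will continue chain" line in the log above, followed by the anonymous token and the access-denied decision.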

0 reactions
MarvinKern commented, Sep 14, 2020

Hi @VonDerBeck, I tried to follow one Cockpit Plugin example on https://github.com/camunda/camunda-bpm-examples/tree/master/cockpit/cockpit-fullstack-count-processes. The AbstractCockpitPlugin class has a getMappingFiles() method that allows mapping the database variables to the Java variables to have access in the plugin to the database. However, the AbstractTasklistPlugin does not provide such a method. Now I am really not sure how to realize the tasklist plugin with the internal API. The tasklist plugin examples on https://github.com/camunda/camunda-bpm-examples/tree/master/tasklist do not really offer that much information that I need… Do you have some other hints and links for me?

Thank you very much 👍
