
feat(engine-rest): add REST authentication provider extensions #2

Draft
hauptmedia wants to merge 1 commit into main from backport/discussion-rest-auth-providers

Conversation

@hauptmedia hauptmedia commented Jun 25, 2026

Collaborator

Moved from operaton#3122 to operaton/operaton-backports.

Summary

Backports and adapts CIBSeven's REST authentication provider extensions for Operaton.

This adds two additional authentication modes to the engine REST authentication infrastructure:

  • CompositeAuthenticationProvider: tries JWT bearer authentication first and falls back to HTTP Basic.
  • PseudoAuthenticationProvider: authenticates a user id supplied by a trusted upstream component in the Context-User-ID header.

Operaton Run can now select these providers through operaton.bpm.run.auth.authentication, while keeping basic as the default mode.

What Changed

  • Added CompositeAuthenticationProvider for JWT-first / Basic-fallback authentication.
  • Added JwtTokenAuthenticationProvider using JJWT 0.12.6.
  • Added JwtUser and JWT configuration loading from optional classpath resource operaton-plugins.properties with key authentication.jwtSecret.
  • Added PseudoAuthenticationProvider for trusted-header authentication via Context-User-ID.
  • Extended OperatonBpmRunAuthenticationProperties to accept basic, composite, and pseudo.
  • Updated OperatonBpmRunRestConfiguration to register the selected provider class explicitly.
  • Added JUnit 5/AssertJ tests for composite auth, JWT auth, pseudo auth, Run auth properties, and Run provider registration.

Reviewer Notes

  • This is intentionally not a blind cherry-pick.
  • Operaton keeps HTTP Basic as the default Run authentication mode. CIBSeven changed its default to pseudo auth; this PR does not do that.
  • pseudo must be selected explicitly. Missing or blank Context-User-ID returns an unsuccessful authentication result in Operaton. CIBSeven's later follow-up allowed a missing header through as successful(null); that behavior is not carried over because it would make this trusted-header mode too easy to misconfigure.
  • This PR does not enable new filters in packaged web.xml files. It adds provider classes and Run wiring; deployments that use static web.xml configuration can opt in by setting the authentication provider class themselves.
  • JWT secrets are not shipped with a product default value. The default JWT provider reads authentication.jwtSecret from operaton-plugins.properties if present. In composite mode, missing or invalid JWT configuration simply makes the JWT provider fail and the Basic fallback can still authenticate the request.
  • The CIBSeven multi-engine follow-up mainly changed URL-pattern handling for their Run/web.xml setup. Operaton Run already registers the auth filter on the Jersey REST mapping; the new tests verify provider selection while preserving that existing mapping behavior.
  • Identity/setup whitelist changes are intentionally not part of this PR. They are handled separately in fix(engine-rest): whitelist identity verification endpoint operaton#3108 and feat(engine-rest): whitelist setup and password-policy auth paths #3.
  • For Spring Security OAuth2 resource-server setups, see feat(starter-security): secure engine REST as OAuth2 resource server #1. This PR is for the standalone REST AuthenticationProvider extension point.

Attribution

Backported and adapted from CIB Seven:

Backport Database

  • Change units: 820, 879, 1061
  • Source fork: CIBSeven
  • Target commit: dc739a0420ab13fc499ab8f3a11a4990d25ab889

Verification

  • git diff --check
  • git diff --cached --check
  • ./mvnw -pl engine-rest/engine-rest -Dtest=CompositeAuthenticationProviderTest,JwtTokenAuthenticationProviderTest,PseudoAuthenticationProviderTest,HttpBasicAuthenticationProviderTest test
  • ./mvnw -pl engine-rest/engine-rest -DskipTests install
  • ./mvnw -pl distro/run/core -Dtest=OperatonBpmRunAuthenticationPropertiesTest,OperatonBpmRunRestConfigurationTest test

Backported and adapted from CIB Seven.

Backported commits from the cibseven repository:

- e9a960e34bab7d086123cb859915b447a4197283 feat(auth): implement composite authentication filter with JWT and Http Basic support (operaton#49)
- 86f3b3aa697b4e166a351b6c1cda0fc49fbc610b feat(auth): custom header pseudo authentication (operaton#73)
- 7a646eae13116bb49838df6952abf938ff7071e6 chore(auth): multi engine pseudo authentication filter (operaton#242/operaton#243)

Original author: Oleg Skrypnyuk <oleg.skrypnyuk@cib.de>

Original co-authors include Dmitry Malkovich <dmitry.malkovich@cib.de> and Patrick Fincke <patrick.fincke@cib.de>.

Original PRs:

- cibseven/cibseven#49
- cibseven/cibseven#73
- cibseven/cibseven#243

Operaton adaptations:

- keep HTTP Basic as the default Operaton Run authentication mode
- expose composite and pseudo authentication only as explicit Run auth modes
- keep packaged web.xml authentication examples disabled instead of enabling pseudo authentication by default
- reject missing trusted user headers in PseudoAuthenticationProvider
- use Jakarta APIs, org.operaton package names, and JUnit 5/AssertJ tests
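The two modes the PR description covers, JWT-first/Basic-fallback composition and trusted-header pseudo authentication, as an added self-contained Java sketch that is not the PR's or Operaton's code. It assumes a simplified provider shape (a request reduced to its header map and a two-state result) in place of the real engine-rest AuthenticationProvider and AuthenticationResult types, verifies HS256 tokens by hand instead of through JJWT, and checks Basic credentials against a constructed in-memory map rather than the engine identity service; the class names mirror the PR's but are reimplemented here for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AuthProviderDemo {
    // Stand-ins for engine-rest's AuthenticationResult and AuthenticationProvider (assumed shape; the real
    // extension point takes an HttpServletRequest and a ProcessEngine, here a request is just its header map).
    record AuthenticationResult(boolean authenticated, String userId) {
        static AuthenticationResult successful(String userId) { return new AuthenticationResult(true, userId); }
        static AuthenticationResult unsuccessful() { return new AuthenticationResult(false, null); }
    }
    interface AuthenticationProvider { AuthenticationResult extractAuthenticatedUser(Map<String, String> headers); }

    // Trusted-header mode: Context-User-ID must be set by an upstream component that overwrites any client-supplied
    // copy. A missing or blank header is an unsuccessful result, never an anonymous successful(null).
    static class PseudoAuthenticationProvider implements AuthenticationProvider {
        public AuthenticationResult extractAuthenticatedUser(Map<String, String> headers) {
            String userId = headers.get("Context-User-ID");
            if (userId == null || userId.isBlank()) return AuthenticationResult.unsuccessful();
            return AuthenticationResult.successful(userId.trim());
        }
    }
    // HTTP Basic against a constructed in-memory user store that stands in for the engine's identity service.
    static class HttpBasicAuthenticationProvider implements AuthenticationProvider {
        private final Map<String, String> credentials;
        HttpBasicAuthenticationProvider(Map<String, String> credentials) { this.credentials = credentials; }
        public AuthenticationResult extractAuthenticatedUser(Map<String, String> headers) {
            String auth = headers.get("Authorization");
            if (auth == null || !auth.startsWith("Basic ")) return AuthenticationResult.unsuccessful();
            try {
                String decoded = new String(Base64.getDecoder().decode(auth.substring(6)), StandardCharsets.UTF_8);
                int sep = decoded.indexOf(':');
                String expected = sep < 0 ? null : credentials.get(decoded.substring(0, sep));
                // Constant-time compare; a real deployment verifies a password hash through the identity service.
                if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                        decoded.substring(sep + 1).getBytes(StandardCharsets.UTF_8))) return AuthenticationResult.unsuccessful();
                return AuthenticationResult.successful(decoded.substring(0, sep));
            } catch (IllegalArgumentException e) { return AuthenticationResult.unsuccessful(); } // malformed base64
        }
    }
    static byte[] hmacSha256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }
    // HS256 bearer tokens verified by hand (the PR uses JJWT for this). secret is null when no authentication.jwtSecret
    // is configured; every bearer request then fails here and the composite provider falls through to Basic.
    static class JwtTokenAuthenticationProvider implements AuthenticationProvider {
        private static final Pattern SUB = Pattern.compile("\"sub\"\\s*:\\s*\"([^\"]+)\"");
        private final byte[] secret;
        JwtTokenAuthenticationProvider(String secret) { this.secret = secret == null ? null : secret.getBytes(StandardCharsets.UTF_8); }
        public AuthenticationResult extractAuthenticatedUser(Map<String, String> headers) {
            String auth = headers.get("Authorization");
            if (secret == null || auth == null || !auth.startsWith("Bearer ")) return AuthenticationResult.unsuccessful();
            String[] parts = auth.substring(7).split("\\.");
            if (parts.length != 3) return AuthenticationResult.unsuccessful();
            try {
                Base64.Decoder b64 = Base64.getUrlDecoder();
                // Pin the algorithm before verifying so a token-chosen "alg" cannot weaken the check.
                if (!new String(b64.decode(parts[0]), StandardCharsets.UTF_8).contains("\"HS256\"")) return AuthenticationResult.unsuccessful();
                byte[] expected = hmacSha256(secret, parts[0] + "." + parts[1]);
                if (!MessageDigest.isEqual(expected, b64.decode(parts[2]))) return AuthenticationResult.unsuccessful();
                // Claims are read only after the signature is verified; "sub" carries the engine user id.
                Matcher m = SUB.matcher(new String(b64.decode(parts[1]), StandardCharsets.UTF_8));
                return m.find() ? AuthenticationResult.successful(m.group(1)) : AuthenticationResult.unsuccessful();
            } catch (Exception e) { return AuthenticationResult.unsuccessful(); }
        }
    }
    // JWT first, Basic second: an unconfigured or failing JWT provider never blocks the Basic fallback.
    static class CompositeAuthenticationProvider implements AuthenticationProvider {
        private final AuthenticationProvider jwt, basic;
        CompositeAuthenticationProvider(AuthenticationProvider jwt, AuthenticationProvider basic) { this.jwt = jwt; this.basic = basic; }
        public AuthenticationResult extractAuthenticatedUser(Map<String, String> headers) {
            AuthenticationResult first = jwt.extractAuthenticatedUser(headers);
            return first.authenticated() ? first : basic.extractAuthenticatedUser(headers);
        }
    }
    // Mints an HS256 token for the demo below; the secret and claims are constructed, not product defaults.
    static String hs256Token(String secret, String payloadJson) throws Exception {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String signingInput = enc.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + enc.encodeToString(hmacSha256(secret.getBytes(StandardCharsets.UTF_8), signingInput));
    }
    public static void main(String[] args) throws Exception {
        AuthenticationProvider basic = new HttpBasicAuthenticationProvider(Map.of("demo", "demo-password"));
        String basicHeader = "Basic " + Base64.getEncoder().encodeToString("demo:demo-password".getBytes(StandardCharsets.UTF_8));
        String bearer = "Bearer " + hs256Token("constructed-demo-secret", "{\"sub\":\"jwt-user\"}");
        AuthenticationProvider withSecret = new CompositeAuthenticationProvider(new JwtTokenAuthenticationProvider("constructed-demo-secret"), basic);
        AuthenticationProvider noSecret = new CompositeAuthenticationProvider(new JwtTokenAuthenticationProvider(null), basic);
        System.out.println("composite, valid JWT, secret set: " + withSecret.extractAuthenticatedUser(Map.of("Authorization", bearer)));
        System.out.println("composite, valid JWT, no secret:  " + noSecret.extractAuthenticatedUser(Map.of("Authorization", bearer)));
        System.out.println("composite, Basic, no secret:      " + noSecret.extractAuthenticatedUser(Map.of("Authorization", basicHeader)));
        AuthenticationProvider pseudo = new PseudoAuthenticationProvider();
        System.out.println("pseudo, header missing:           " + pseudo.extractAuthenticatedUser(Map.of()));
        System.out.println("pseudo, header from gateway:      " + pseudo.extractAuthenticatedUser(Map.of("Context-User-ID", "gateway-user")));
    }
}
```

Compile and run with a Java 16 or newer JDK (records). The runs to compare are the two `noSecret` calls: with no `authentication.jwtSecret` the bearer request is rejected, yet the Basic request on the same composite still authenticates, which is the fallback behaviour the reviewer notes describe. The pseudo provider only ever trusts a header that is present and non-blank, so it is safe only behind a component that sets and overwrites Context-User-ID on every request it forwards; if clients can reach the REST endpoint directly, that mode must stay unselected.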
hauptmedia added labels on Jun 25, 2026: lang:java (Pull requests that update Java code), scope:build (Changes affecting the build, e.g. Maven configuration, shell scripts.), backport:cibseven (Changes backported from cibseven), scope:tests (Changes affecting only test code), feature, distro:operaton (Issues & changes related to the Operaton standalone distribution), api:rest (Changes affecting the REST API)