feat(engine-rest): add REST authentication provider extensions #2
Draft
hauptmedia wants to merge 1 commit into
Backported and adapted from CIB Seven.

Backported commits from the cibseven repository:
- e9a960e34bab7d086123cb859915b447a4197283 feat(auth): implement composite authentication filter with JWT and Http Basic support (operaton#49)
- 86f3b3aa697b4e166a351b6c1cda0fc49fbc610b feat(auth): custom header pseudo authentication (operaton#73)
- 7a646eae13116bb49838df6952abf938ff7071e6 chore(auth): multi engine pseudo authentication filter (operaton#242/operaton#243)

Original author: Oleg Skrypnyuk <oleg.skrypnyuk@cib.de>
Original co-authors include Dmitry Malkovich <dmitry.malkovich@cib.de> and Patrick Fincke <patrick.fincke@cib.de>.

Original PRs:
- cibseven/cibseven#49
- cibseven/cibseven#73
- cibseven/cibseven#243

Operaton adaptations:
- keep HTTP Basic as the default Operaton Run authentication mode
- expose composite and pseudo authentication only as explicit Run auth modes
- keep packaged web.xml authentication examples disabled instead of enabling pseudo authentication by default
- reject missing trusted user headers in PseudoAuthenticationProvider
- use Jakarta APIs, org.operaton package names, and JUnit 5/AssertJ tests
This was referenced Jun 25, 2026
Summary
Backports and adapts CIBSeven's REST authentication provider extensions for Operaton.
This adds two additional authentication modes to the engine REST authentication infrastructure:
- `CompositeAuthenticationProvider`: tries JWT bearer authentication first and falls back to HTTP Basic.
- `PseudoAuthenticationProvider`: authenticates a user id supplied by a trusted upstream component in the `Context-User-ID` header.

Operaton Run can now select these providers through `operaton.bpm.run.auth.authentication`, while keeping `basic` as the default mode.

What Changed
- `CompositeAuthenticationProvider` for JWT-first / Basic-fallback authentication.
- `JwtTokenAuthenticationProvider` using JJWT 0.12.6.
- `JwtUser` and JWT configuration loading from optional classpath resource `operaton-plugins.properties` with key `authentication.jwtSecret`.
- `PseudoAuthenticationProvider` for trusted-header authentication via `Context-User-ID`.
- `OperatonBpmRunAuthenticationProperties` to accept `basic`, `composite`, and `pseudo`.
- `OperatonBpmRunRestConfiguration` to register the selected provider class explicitly.

Reviewer Notes
- `pseudo` must be selected explicitly. Missing or blank `Context-User-ID` returns an unsuccessful authentication result in Operaton. CIBSeven's later follow-up allowed a missing header through as `successful(null)`; that behavior is not carried over because it would make this trusted-header mode too easy to misconfigure.
- `web.xml` files. It adds provider classes and Run wiring; deployments that use static web.xml configuration can opt in by setting the authentication provider class themselves.
- `authentication.jwtSecret` from `operaton-plugins.properties` if present. In composite mode, missing or invalid JWT configuration simply makes the JWT provider fail and the Basic fallback can still authenticate the request.
- `AuthenticationProvider` extension point.

Attribution
Backported and adapted from CIB Seven:
Backport Database
820,879,1061 dc739a0420ab13fc499ab8f3a11a4990d25ab889

Verification
```
git diff --check
git diff --cached --check
./mvnw -pl engine-rest/engine-rest -Dtest=CompositeAuthenticationProviderTest,JwtTokenAuthenticationProviderTest,PseudoAuthenticationProviderTest,HttpBasicAuthenticationProviderTest test
./mvnw -pl engine-rest/engine-rest -DskipTests install
./mvnw -pl distro/run/core -Dtest=OperatonBpmRunAuthenticationPropertiesTest,OperatonBpmRunRestConfigurationTest test
```
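The two providers the reviewer notes describe, as an added illustration written for this page rather than the PR's own code: it assumes the Camunda 7-style `AuthenticationProvider` / `AuthenticationResult` interface carries over under `org.operaton` package names (the `impl` package below is assumed), and that the JWT provider returns an unsuccessful result when its secret is missing or the token is invalid.

```java
package org.operaton.bpm.engine.rest.security.auth.impl; // assumed package

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.operaton.bpm.engine.ProcessEngine;
import org.operaton.bpm.engine.rest.security.auth.AuthenticationProvider;
import org.operaton.bpm.engine.rest.security.auth.AuthenticationResult;

/**
 * Trusted-header mode: the user id comes from Context-User-ID, which only an upstream
 * component that is the sole path to the REST API may set. A missing or blank header is
 * an unsuccessful result, never successful(null), so a request that reaches the API
 * without passing that component is not treated as an authenticated user.
 */
public class PseudoAuthenticationProvider implements AuthenticationProvider {
  public static final String USER_ID_HEADER = "Context-User-ID";

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    String userId = request.getHeader(USER_ID_HEADER);
    if (userId == null || userId.isBlank()) {
      return AuthenticationResult.unsuccessful();
    }
    return AuthenticationResult.successful(userId);
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    // No challenge: the client never presents credentials to this provider directly.
  }
}

/** JWT first, HTTP Basic as fallback; a failing JWT provider (e.g. no secret configured) just yields to Basic. */
class CompositeAuthenticationProvider implements AuthenticationProvider {
  private final AuthenticationProvider jwt;   // e.g. JwtTokenAuthenticationProvider
  private final AuthenticationProvider basic; // e.g. HttpBasicAuthenticationProvider

  CompositeAuthenticationProvider(AuthenticationProvider jwt, AuthenticationProvider basic) {
    this.jwt = jwt;
    this.basic = basic;
  }

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    AuthenticationResult viaJwt = jwt.extractAuthenticatedUser(request, engine);
    return viaJwt.isAuthenticated() ? viaJwt : basic.extractAuthenticatedUser(request, engine);
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    basic.augmentResponseByAuthenticationChallenge(response, engine); // WWW-Authenticate: Basic
  }
}
```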