[2780] added JWT validation to Camunda admin console (#1826)

* added jwt validation

* added config

forms-flow-bpm/forms-flow-bpm-camunda/pom.xml

@@ -352,6 +352,13 @@
             <version>${version.commonsFileUpload}</version>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.camunda.bpm.extension/camunda-platform-7-keycloak-jwt -->
+        <dependency>
+            <groupId>org.camunda.bpm.extension</groupId>
+            <artifactId>camunda-platform-7-keycloak-jwt</artifactId>
+            <version>7.20.0</version>
+        </dependency>
+
     </dependencies>
 
     <build>

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/keycloak/sso/KeycloakCockpitPlugin.java

@@ -0,0 +1,10 @@
+package org.camunda.bpm.extension.keycloak.sso;
+
+import org.camunda.bpm.extension.keycloak.config.KeycloakCockpitConfiguration;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+
+@Component
+@ConfigurationProperties(prefix="plugin.cockpit.keycloak")
+public class KeycloakCockpitPlugin extends KeycloakCockpitConfiguration {
+}

forms-flow-bpm/forms-flow-bpm-camunda/src/main/java/org/camunda/bpm/extension/keycloak/sso/OAuth2LoginSecurityConfig.java

@@ -1,9 +1,12 @@
 package org.camunda.bpm.extension.keycloak.sso;
 
 import jakarta.inject.Inject;
+import org.camunda.bpm.extension.keycloak.config.KeycloakCockpitConfiguration;
+import org.camunda.bpm.extension.keycloak.config.KeycloakConfigurationFilterRegistrationBean;
 import org.camunda.bpm.extension.keycloak.rest.AudienceValidator;
 import org.camunda.bpm.extension.keycloak.rest.KeycloakAuthenticationFilter;
 import org.camunda.bpm.extension.keycloak.rest.RestApiSecurityConfigurationProperties;
+import org.camunda.bpm.spring.boot.starter.property.CamundaBpmProperties;
 import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
@@ -62,6 +65,12 @@ public class OAuth2LoginSecurityConfig  {
 	@Inject
 	private OAuth2AuthorizedClientService clientService;
 
+	@Inject
+	private CamundaBpmProperties camundaBpmProperties;
+
+	@Inject
+	private KeycloakCockpitConfiguration keycloakCockpitConfiguration;
+
 	@Bean
 	@Order(1)
 	public SecurityFilterChain httpSecurityFilterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
@@ -180,4 +189,11 @@ public RequestContextListener requestContextListener() {
 		return new RequestContextListener();
 	}
 
+	@Bean
+	public FilterRegistrationBean cockpitConfigurationFilter() {
+		return new KeycloakConfigurationFilterRegistrationBean(
+				keycloakCockpitConfiguration,
+				camundaBpmProperties.getWebapp().getApplicationPath()
+		);
+	}
 }

forms-flow-bpm/forms-flow-bpm-camunda/src/main/resources/META-INF/resources/webjars/camunda/app/admin/scripts/config.js

@@ -26,6 +26,7 @@ window.camAdminConf = {
 
 export default {
     customScripts: [
-        'custom/logout'
+        'custom/logout',
+		'../identity-keycloak/scripts/identity-keycloak-auth.js'
     ]
 };

forms-flow-bpm/forms-flow-bpm-camunda/src/main/resources/META-INF/resources/webjars/camunda/app/cockpit/scripts/config.js

@@ -37,7 +37,8 @@ export default {
         'custom/logout',
         'scripts/definition-historic-activities.js',
         'scripts/instance-historic-activities.js',
-        'scripts/instance-route-history.js'
+        'scripts/instance-route-history.js',
+		'../identity-keycloak/scripts/identity-keycloak-auth.js'
     ],
     disableWelcomeMessage: true,
     // userOperationLogAnnotationLength: 5000,

forms-flow-bpm/forms-flow-bpm-camunda/src/main/resources/META-INF/resources/webjars/camunda/app/tasklist/scripts/config.js

@@ -26,7 +26,8 @@ window.camTasklistConf = {
 
 export default {
     customScripts: [
-        'custom/logout'
+        'custom/logout',
+		'../identity-keycloak/scripts/identity-keycloak-auth.js'
     ]
 };
 

forms-flow-bpm/forms-flow-bpm-camunda/src/main/resources/META-INF/resources/webjars/camunda/app/welcome/scripts/config.js

@@ -26,6 +26,7 @@ window.camWelcomeConf = {
 
 export default {
     customScripts: [
-        'custom/logout'
+        'custom/logout',
+		'../identity-keycloak/scripts/identity-keycloak-auth.js'
     ]
 };

forms-flow-bpm/forms-flow-bpm-camunda/src/main/resources/application.yaml

@@ -53,12 +53,16 @@ camunda.bpm:
       enable-secure-cookie: ${SESSION_COOKIE_SECURE:true}
     header-security:
       content-security-policy-disabled: false
-      content-security-policy-value:  base-uri 'self';
-        img-src 'self' data:;
-        block-all-mixed-content;
-        form-action 'self';
-        frame-ancestors 'none';
-        object-src 'none'
+      content-security-policy-value:  "base-uri 'self';
+                                      script-src $NONCE 'strict-dynamic' 'unsafe-eval' https: 'self' 'unsafe-inline';
+                                      style-src 'unsafe-inline' 'self';
+                                      connect-src ${keycloak.url} 'self';
+                                      default-src 'self';
+                                      img-src 'self' data:;
+                                      block-all-mixed-content;form-action 'self';
+                                      frame-ancestors 'none';object-src 'none';
+                                      sandbox allow-forms allow-scripts allow-same-origin allow-popups allow-downloads"
+
 
   generic-properties:
     properties:
@@ -110,6 +114,15 @@ spring:
   main:
     allow-bean-definition-overriding: true
 
+# Keycloak JWT Client configuration
+keycloak.jwt.realm: ${KEYCLOAK_URL_REALM}
+keycloak.jwt.client.id: camunda-jwt
+
+# Camunda Cockpit JWT Plugin
+plugin.cockpit.keycloak:
+  keycloakUrl: ${keycloak.url}/auth
+  realm: ${keycloak.jwt.realm}
+  clientId: ${keycloak.jwt.client.id}
 
 # Camunda Rest API
 rest.security: