WebAdmin Authentication

WebAdmin ships with four authentication modes. Select one with the aseeflow.webadmin.authentication property; each mode activates its own pre-configured Spring Security filter chains for the UI and the REST API.

aseeflow:
  webadmin:
    authentication: basic   # basic | form | oauth2 | keycloak

Choosing a mode

Mode	Best for	Login experience
Basic	Development, internal tools, API clients	Browser HTTP Basic dialog
Form	Production web UIs needing a branded login	Custom login page
OAuth2	Enterprise SSO with any OIDC provider	Redirect to your identity provider
Keycloak	Keycloak SSO with full user/group sync	Redirect to Keycloak

Basic and Form validate credentials against the engine’s Identity Service. OAuth2 and Keycloak delegate authentication to an external identity provider; Keycloak adds an identity provider plugin that synchronizes users and groups into the engine.

Common notes

REST security is enabled by default in every mode. Set aseeflow.webadmin.disable-rest-security: true to leave /engine-rest/** unprotected (for example, when a separate WAR secures it — see Deployment).
The required security dependencies are declared as provided in the starter, so you must add them explicitly in your application. Each mode’s page lists what it needs.
For OAuth2 and Keycloak, the user-name-attribute and group claim settings are critical — they map identity-provider users and groups onto engine user and group IDs that your authorizations rely on.

​Choosing a mode

​Common notes

Choosing a mode

Common notes