Skip to main content
WebAdmin supports two deployment models: an embedded Spring Boot JAR (the starter) and a WAR for traditional servlet containers.

Spring Boot JAR

Add the starter to a Spring Boot application and package it: 
mvn clean package
java -jar target/my-app-1.0.0.jar
WebAdmin is served at http://localhost:8080/webadmin (or your configured base-path). In this model a single application contains both the WebAdmin UI and the engine REST endpoints, so REST security is typically left enabled (disable-rest-security: false).

WAR for Tomcat / WildFly

The aseeflow-webadmin-war module produces a WAR for servlet containers where the container manages the context path. It is also used by the ASEE Flow BPM platform distributions. 
mvn clean package      # target/aseeflow-webadmin-war-<version>.war
mvn deploy             # publish to the Maven repository
The WAR filename determines the context pathwebadmin.war is served at /webadmin.

Default WAR configuration

aseeflow:
  webadmin:
    authentication: form
    base-path: ""                       # container provides the context path
    disable-rest-security: true
    engine-rest-proxy-enabled: false    # enable for OAuth2 token forwarding
    engine-rest-client-url: engine-rest # UI calls /engine-rest directly
    show-swagger: false
    show-legacy-apps: false
Why these defaults differ from a standalone JAR:
PropertyWAR defaultWhy
base-path""The container sets the context path from the WAR name; with an empty base path the UI can call /engine-rest directly.
disable-rest-securitytrueEngine REST is a separate WAR with its own security; the WebAdmin WAR must not try to secure endpoints it doesn’t contain.
engine-rest-proxy-enabledfalseDirect calls work for Basic/Form auth; enable the proxy only for OAuth2/Keycloak token forwarding.
show-swaggerfalseSwagger is deployed as a separate WAR; a link here would 404.
show-legacy-appsfalseThe legacy web apps are separate WARs under /camunda; links here would 404.

Two WARs, two security configs

A traditional deployment has a WebAdmin WAR (at /webadmin) and a separate Engine REST WAR (at /engine-rest). Each manages its own security, so disable-rest-security: true tells the WebAdmin starter not to secure /engine-rest/** — those endpoints live in the other WAR. Setting it to false would make WebAdmin try to secure endpoints that aren’t part of its deployment, causing conflicts.

Enabling the proxy for OAuth2 / Keycloak

When REST and WebAdmin are separate WARs and you use OAuth2 or Keycloak, enable the proxy so the access token is propagated from the WebAdmin session to the engine REST API: 
aseeflow:
  webadmin:
    authentication: oauth2              # or keycloak
    base-path: ""
    disable-rest-security: true
    engine-rest-proxy-enabled: true     # enable the proxy
    engine-rest-client-url: api/engine-rest   # UI calls the proxy
    engine-rest-server-url: /engine-rest      # proxy forwards here

JAR vs. WAR at a glance

AspectSpring Boot JARWAR
Context pathaseeflow.webadmin.base-pathContainer (WAR filename)
Configurationapplication.yaml / .propertiesContainer-specific (e.g. setenv.sh, standalone.xml)
REST securityUsually enabledUsually disabled — Engine REST WAR secures itself
TopologySingle applicationWebAdmin WAR + Engine REST WAR