DigitalState · miguelblcfigueira · May 31, 2021
diff --git a/README.md b/README.md
@@ -15,10 +15,14 @@ This provider is added into the Camunda's engine-rest application which is the R
 
 A Servlet Filter is added into the engine-rest app which will process requests in the JWT Authentication provider.
 
-Two initialization parameters of the filter are provided for easy customization:
+The following initialization parameters are provided for easy customization of the filter:
 
 1. `jwt-secret-path` : The file path to a file containing the JWT secret used to decode/validate the JWT.  The value can be null if you get your secret from a different source.
-1. `jwt-validator` : The fully qualified class name of the class that will validate the JWT.
+2. `jwt-validator` : The fully qualified class name of the class that will validate the JWT.
+3. `excluded-urls` (optional) : Comma-separated list of paths to be excluded from the filter. 
+
+    - If `/path` is excluded, all paths under `/path` will also be excluded. 
+    - If `/path/` (with trailing slash) is listed, only the paths under it are excluded.
 
 It is expected that the JWT is using the standard `Authorization` header with the format `Bearer theJwtTokenHere` 
 

diff --git a/...vy/io/digitalstate/camunda/authentication/jwt/ProcessEngineAuthenticationFilterJwt.groovy b/...vy/io/digitalstate/camunda/authentication/jwt/ProcessEngineAuthenticationFilterJwt.groovy
@@ -52,9 +52,11 @@ public class ProcessEngineAuthenticationFilterJwt implements Filter {
     public static final String AUTHENTICATION_PROVIDER_PARAM = "authentication-provider";
     public static final String JWT_SECRET_PATH_PARAM = "jwt-secret-path";
     public static final String JWT_VALIDATOR_PARAM = "jwt-validator";
+    public static final String EXCLUDED_URLS_PARAM = "excluded-urls";
     private static String jwtSecretPath
     private static String jwtValidator
     private static Class<?> jwtValidatorClass
+    private static List<String> excludedUrls
 
 
     protected AuthenticationProviderJwt authenticationProvider;
@@ -71,6 +73,13 @@ public class ProcessEngineAuthenticationFilterJwt implements Filter {
             jwtValidator = filterConfig.getInitParameter(JWT_VALIDATOR_PARAM)
         }
 
+        if (!excludedUrls){
+            String excludedList = filterConfig.getInitParameter(EXCLUDED_URLS_PARAM);
+            if (excludedList != null) {
+                excludedUrls = Arrays.asList(excludedList.split(","))
+            }
+        }
+
         if (authenticationProviderClassName == null) {
             throw new ServletException("Cannot instantiate authentication filter: no authentication provider set. init-param " + AUTHENTICATION_PROVIDER_PARAM + " missing");
         }
@@ -106,6 +115,16 @@ public class ProcessEngineAuthenticationFilterJwt implements Filter {
         HttpServletRequest req = (HttpServletRequest) request;
         HttpServletResponse resp = (HttpServletResponse) response;
 
+        String path = req.getRequestURI().substring(req.getContextPath().length());
+
+        if (excludedUrls != null) {
+            for (excludedPath in excludedUrls) {
+                if (path.startsWith(excludedPath)) {
+                    chain.doFilter(request, response);
+                    return;
+                }
+            }
+        }
 
         ProcessEngine engine = BpmPlatform.getDefaultProcessEngine();