Flowable Hub Properties
Flowable Hub is a Spring Boot application. This means that it is configured as a Spring Boot application and all available properties for a Spring Boot application are also applicable for Flowable Hub.
Flowable Hub uses two property namespaces:
flowable.hub.*for the Hub engine and its security, andapplication.hub.*for the out-of-the-box Hub application (security type, access restrictions and clustering).
See the Flowable Hub Installation Instructions for a step-by-step configuration guide.
Unlike Flowable Control, Flowable Hub is not configured with a fixed runtime connection through properties. There are no cluster-config bootstrap properties. Instead, the runtime environments (called clusters) that Hub monitors and manages are registered at runtime in the UI under Hub Configuration → Clusters. See the Clusters documentation for details.
Hub specific properties
The following list displays the properties which are specific for Flowable Hub.
General properties
Properties with the prefix flowable.hub
| Property | Description | Default value |
|---|---|---|
| license-location | The location of the license file. | file:${user.home}/.flowable/flowable.license |
| db-store-enabled | Whether the license should be fetched from the database. | false |
| database-schema-update | The strategy that should be used for the database schema update (possible values: true, false, ignore). | true |
| database-schema | The database schema to be used for table checks / generation (needed in case the database metadata doesn't return that correctly). | |
| database-table-prefix | A database table prefix which is used for all runtime operations of Flowable. | |
| use-lock-for-database-schema-update | Whether to use a lock when performing the database schema create or update operations. | false |
| mode | The mode in which the Hub application is running. Possible values: self-hosted, cloud-shared. | self-hosted |
| token-signing-secret | The token signing secret used for token based request authentication. Must be at least 32 characters if set. |
Security properties
Properties with the prefix application.hub.security
| Property | Description | Default value |
|---|---|---|
| type | The type of the security that should be used. Possible values: basic, oauth2. | basic |
| access-groups | A comma separated allow list of groups that are allowed to access the application. The GROUP_ prefix is not required. | - |
| access-authorities | A comma separated allow list of authorities that are allowed to access the application. | - |
Security OAuth2 application properties
Properties with the prefix application.hub.security.oauth2
| Property | Description | Default value |
|---|---|---|
| authorized-client-repository-type | The type of the OAuth2 Authorized Client Repository. Needed when oauth2CurrentUser is used to communicate with a runtime environment and a refresh token is configured. Possible values: session, default. When running a single node this can be set to default (in-memory). | session |
Security Token properties
Properties with the prefix flowable.hub.security.token
| Property | Description | Default value |
|---|---|---|
| max-user-size | The maximum number of users that the token cache should contain. | 2048 |
| max-age | The max age after which a token entry should be invalidated. | 1d |
Security Remember Me properties
Properties with the prefix flowable.hub.security.remember-me
| Property | Description | Default value |
|---|---|---|
| key | The hash key used by Spring Security for the remember me cookie. | testKey |
| cookie-name | The name of the remember me cookie. | flowable-hub-remember-me |
| cookie-domain | The domain for the remember me cookie. | |
| cookie-max-age | The max age of the remember me cookie. | 31d |
| token-refresh-duration | The duration it takes to refresh the token in the database. | 1d |
| store-user-details | Whether user details (like the remote address and the user agent) should be stored with the token. | false |
| max-user-cache-size | The maximum number of users that the user details cache should contain. | 2048 |
| max-user-cache-age | The max age after which the user detail entries should be invalidated. | 30m |
Security CSRF properties
Properties with the prefix flowable.hub.security.rest.csrf
| Property | Description | Default value |
|---|---|---|
| enabled | Flag indicating the CSRF protection for Flowable Hub should be enabled. | true |
| cookie-name | The name of the cookie in which the CSRF token will be stored. | FLOWABLE_HUB_CSRF_TOKEN |
| header-name | The name of the header in which the CSRF token will be stored. | X-FLOWABLE-HUB-CSRF-TOKEN |
| cookie-domain | The name of the domain where the CSRF token cookie will be saved and read from. | |
| cookie-path | The name of the path where the CSRF token cookie will be saved and read from. |
Security Content Security Policy properties
Properties with the prefix flowable.hub.security.rest.content-security-policy
| Property | Description | Default value |
|---|---|---|
| policy-directives | The Content Security Policy directives. | |
| report-only | Flag indicating whether to use Content-Security-Policy-Report-Only instead of Content-Security-Policy. | false |
Security OAuth2 properties
Properties with the prefix flowable.hub.security.oauth2
| Property | Description | Default value |
|---|---|---|
| post-logout-redirect-url | The post logout redirect URL. When set, the OIDC logout success handler is configured with this URL. | |
| post-logout-redirect-url-query-parameter | The post logout redirect URL query parameter used when building the end session endpoint URL. | post_logout_redirect_uri |
| end-session-endpoint-url | The end session endpoint URL. Use this when the OpenID Connect well-known configuration cannot be used and the endpoint needs to be set manually. | - |
Security OAuth2 Client Mapper properties
Properties with the prefix flowable.hub.security.oauth2.client.mapper
| Property | Description | Default value |
|---|---|---|
| admin-authorities | A comma separated list of all the authorities which should make the user an admin. | - |
| authorities-attributes | A comma separated list of the names of the attributes from which authorities should be extracted without any changes. | - |
| idm-user-id-attributes | A comma separated list of the names of the token attributes that hold the user id corresponding to the Flowable IDM user id. | - |
Security OAuth2 Resource Server Mapper properties
Properties with the prefix flowable.hub.security.oauth2.resourceserver.mapper
| Property | Description | Default value |
|---|---|---|
| admin-authorities | A comma separated list of all the authorities which should make the user an admin. | - |
| authorities-attributes | A comma separated list of the names of the attributes from which authorities should be extracted without any changes. | - |
| idm-user-id-attributes | A comma separated list of the names of the token attributes that hold the user id corresponding to the Flowable IDM user id. | - |
Security OAuth2 Resource Server JWT properties
Properties with the prefix flowable.hub.security.oauth2.resourceserver.jwt
| Property | Description | Default value |
|---|---|---|
| principal-claim-name | The claim that holds the id of the user. | - |
Security Encryption properties
Properties with the prefix flowable.hub.encryption
Some values, such as the OAuth2 SSO client secrets, are stored encrypted in the database using AES/CBC/PKCS5PADDING. This needs a 128-bit initialization vector and a 128-bit secret key, each represented as 16 ASCII characters.
| Property | Description | Default value |
|---|---|---|
| secret | A 16 character string used to create the secret key spec from its bytes. | |
| initialization-vector | A 16 character string used to create the initialization vector parameter from its bytes. |
Do not change the encryption secret or initialization-vector after client secrets have been saved. Existing secrets can no longer be decrypted and would need to be reconfigured in the UI.
Bootstrap properties
Properties with the prefix flowable.hub.bootstrap
| Property | Description | Default value |
|---|---|---|
| use-lock | Whether to use a lock when bootstrapping. | false |
| lock-wait-time | The time to wait for the lock. | 5m |
Default admin properties
Properties with the prefix flowable.hub.bootstrap.default-admin
The default admin user (username admin, in the default tenant, placed in the flowableAdministrator group and granted the Hub Admin role) is only created on an empty database.
| Property | Description | Default value |
|---|---|---|
| enabled | Whether the default admin user should be created. | true |
| password | The password for the default admin user (only applied during the first startup). | test |
Make sure to change the default password before exposing Flowable Hub outside of a local development environment.
Tenant bootstrap properties
Properties with the prefix flowable.hub.bootstrap.tenants
| Property | Description | Default value |
|---|---|---|
| enabled | Whether the tenants bootstrap is enabled. | true |
| default-password | The default password used for the users created in the tenants. | test |
| resource-locations | The locations used for the tenants bootstrap. | classpath*:/bootstrap/tenants/*.json |
Template tenant properties
Properties with the prefix flowable.hub.bootstrap.template-tenant
| Property | Description | Default value |
|---|---|---|
| enabled | Whether the template tenant bootstrap is enabled. | true |
| resource | The resource to use for the template tenant bootstrap. | classpath:bootstrap/template-tenant.json |
Audit log properties
Properties with the prefix flowable.hub.audit-log
The local audit log covers mutating Hub operations (tenants, users, groups, apps, SSO, tokens, environments).
| Property | Description | Default value |
|---|---|---|
| enabled | Whether the local Hub audit log is enabled. | false |
Properties with the prefix flowable.hub.remote-audit-log
The remote audit log covers operations that are proxied to a connected runtime environment (Work cluster).
| Property | Description | Default value |
|---|---|---|
| enabled | Whether the remote (proxied operations) Hub audit log is enabled. | false |
App provider properties
Properties with the prefix flowable.hub.app-provider
| Property | Description | Default value |
|---|---|---|
| type | Which AppProviderService implementation to use. database reads apps from the Hub database; properties reads them from flowable.hub.apps.*. | database |
Current user properties
Properties with the prefix flowable.hub.current-user
| Property | Description | Default value |
|---|---|---|
| lookup-by-external-id | Whether the current user should be looked up in the identity store by external id instead of the internal user id. | false |
REST properties
Properties with the prefix flowable.hub.rest
| Property | Description | Default value |
|---|---|---|
| content-disposition-charset | The charset for the content disposition file names. | UTF-8 |
| inline-mime-types | The mime types that can be automatically inlined (rather than served as an attachment which triggers a download). | image/gif, image/jpeg, image/png, application/pdf, audio/*, video/* |
| send-full-error-exception | Whether to send the full error exception message for unknown exceptions. If false, the exception message is logged with a unique error identifier which is included in the response instead. | true |
Frontend properties
Properties with the prefix flowable.hub.frontend
| Property | Description | Default value |
|---|---|---|
| title | The title for the application. Used if there is no home.title in the messages. | |
| home-path | The base location for the Hub frontend. | |
| inline-css | Whether to inline the custom css into the main index.html. | false |
| inline-js | Whether to inline the custom js into the main index.html. | false |
Clustering properties
Flowable Hub can run with more than one node behind a load balancer. When doing so — and especially when using OAuth2 without sticky sessions — the HTTP session needs to be shared between the nodes over Redis using Spring Session.
| Property | Description | Default value |
|---|---|---|
| application.hub.redis-enabled | Whether Spring Session over Redis is enabled. Required to run clustered together with OAuth2 without sticky sessions. | false |
| spring.data.redis.host | The Redis host. | localhost |
| spring.data.redis.port | The Redis port. | 6379 |
| spring.data.redis.password | The Redis password. | |
| spring.data.redis.ssl.enabled | Whether SSL should be used for the Redis connection. | false |
| spring.session.redis.configure-action | Set to none to skip the CONFIG command that Spring Session issues at startup. Required on managed Redis services (such as Azure Cache for Redis or AWS ElastiCache) that deny the CONFIG command. | |
| spring.session.redis.namespace | The key prefix for Spring Session entries. Use a different value per app to isolate sessions, or the same value across apps to share them. | spring:session |
Managed Redis services (such as Azure Cache for Redis or AWS ElastiCache) deny the CONFIG command that Spring Session issues at startup. On those services add spring.session.redis.configure-action=none.
The Lettuce client can be tuned with the application.hub.redis.lettuce.* properties.
| Property | Description | Default value |
|---|---|---|
| application.hub.redis.lettuce.keepalive.idle | The idle time before keep alive probes are sent. | 60s |
| application.hub.redis.lettuce.keepalive.interval | The interval between keep alive probes. | 30s |
| application.hub.redis.lettuce.keepalive.count | The number of keep alive probes. | 3 |
| application.hub.redis.lettuce.disconnected-behavior | The behavior when the client is disconnected. Possible values: DEFAULT, ACCEPT_COMMANDS, REJECT_COMMANDS. | REJECT_COMMANDS |
| application.hub.redis.lettuce.publish-on-scheduler | Whether to use a dedicated scheduler for publishing events. | true |


