Is it safe to use REST API Login with password in the URL
Hi guys,
The title is pretty clear : we have a doubt concerning security when we see that the Login REST API sends the user's password in the URL.
POST http://localhost:8080/bonita/loginservice?username=walter.bates&password=bpm&redirect=false HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Host: localhost:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Host: localhost:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Is there a way to authenticate without sending the user's password unencrypted ?
Thank you for your enlightenment :P
2 answers
Antoine answered to my ticket :
You can use loginservice API sending a POST request as explain in the documentation : http://documentation.bonitasoft.com/?page=rest-api-overview#toc2
You can configure HTTPS to secure exchange between server and client : http://documentation.bonitasoft.com/?page=ssl
GET request sends the data in the URL, POST doesn't, so the subject is closed :)
Comments
Hi Sean,
I submited an issue on the Jira : https://bonita.atlassian.net/browse/BBPMC-476
I'll keep you informed