Need to implement some security measures in BonitaSoft Portal and subsequent apps


Hi

I need to implement some security features in my portal. Below is the list of issues that were identified.
Please point me to the correct documentation or the steps I need to follow in order to implement the security measures.

1) I observed that autocomplete was enabled in potentially sensitive form fields. - Disable autocomplete.

2) I identified a vulnerability to session fixation attacks, as the unique session ID was not changed once the user had successfully logged in. The following was used to access the authenticated area, and was not changed upon a successful login:

3) How to hide server error messages: instead of "Server error 500", I want to show some less relevant error, such as just "Oops, something went wrong".

Thanks
Dibyajit

1 answer


Hi there,

There are no exact answers, but for 1) I would refer to
https://css-tricks.com/snippets/html/autocomplete-off/

I would add this as a custom widget (with an empty DIV) which executes after the page loads completely. (There is a way to do this, but I don't have it on hand.)

Regarding 2), I would submit this as a bug on https://bonita.atlassian.net/, linking it back to this post.

Regarding 3), add/replace the originals with your own in {{BonitaRoot}}\workspace\tomcat\webapps\bonita\error-pages.

Regards,
Seán

PS: As this reply answers your question, please mark as resolved by ticking the tick mark on the left of this reply.
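One way to do what the answer suggests for 1), as an added example that is not part of the original post and not Bonita's own code: a script that runs after the page has rendered (the kind of thing the custom-widget-with-an-empty-DIV approach above would host) and sets `autocomplete` on the sensitive inputs, then keeps watching the DOM so inputs that widgets add later are covered too. The field-name patterns in `SENSITIVE_PATTERNS` are an assumption for illustration; replace them with the form's real field names.

```javascript
// Added example (not from the original post, not Bonita's code):
// disable browser autocomplete on sensitive inputs after the page loads.

// ASSUMPTION: names/ids matching these patterns are the sensitive fields.
const SENSITIVE_PATTERNS = [/pass/i, /pwd/i, /secret/i, /token/i, /ssn/i, /card/i, /cvv/i, /iban/i];

function isSensitive(input) {
  if (input.type === 'password') return true;
  const label = `${input.name || ''} ${input.id || ''}`;
  return SENSITIVE_PATTERNS.some((re) => re.test(label));
}

// Sets the autocomplete attribute on every sensitive element in `inputs`
// (any iterable of elements exposing type, name, id, getAttribute and
// setAttribute). Returns the number of elements it changed, so repeated
// runs from a DOM observer are cheap and idempotent.
function disableAutocomplete(inputs) {
  let changed = 0;
  for (const input of inputs) {
    if (!isSensitive(input)) continue;
    // Browsers ignore autocomplete="off" on password fields and still offer
    // saved credentials; "new-password" is the value that actually stops the
    // password manager from pre-filling the field.
    const value = input.type === 'password' ? 'new-password' : 'off';
    if (input.getAttribute('autocomplete') === value) continue;
    input.setAttribute('autocomplete', value);
    changed += 1;
  }
  return changed;
}

// Browser wiring. Runs once when the DOM is ready, then re-runs whenever new
// nodes are inserted (widgets rendered after load). Only childList mutations
// are observed, so our own setAttribute calls do not re-trigger the observer.
// The guard lets the functions above run under Node for testing.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const run = () => disableAutocomplete(document.querySelectorAll('input, textarea'));
  if (document.readyState === 'loading') {
    document.addEventListener('DOMContentLoaded', run);
  } else {
    run();
  }
  new MutationObserver(run).observe(document.documentElement, { childList: true, subtree: true });
}
```

The check a tester would repeat afterwards is the same one that raised the finding: inspect the rendered inputs (not the page source) and confirm each sensitive one carries the attribute, since the widgets are rendered client-side and the attribute only exists after the script has run.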

Comments

Submitted by Dibyajit.Roy on Tue, 10/18/2016 - 09:23

Hi Sean,
Thanks for your response.
I was able to change the error code pages.
But if I use the following URL:
http://localhost:8080/bonita/API/portal/page?p=0&c=10&o=lastUpdateDate%2..."

then I get the full stack trace in the page.
Any idea how to hide the stack trace?

Thanks
Dibyajit

Submitted by Sean McP on Thu, 10/20/2016 - 23:33

Sorry, I've been away - no... sorry.
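The two checks a tester would script to re-verify 2) from the answer and the stack-trace problem from the comment above, as an added example (Node-runnable JavaScript; not from the original thread and not Bonita's code). It works on constructed sample data embedded below: the cookie name `JSESSIONID`, the sample `Set-Cookie` values and the sample error body are assumptions, not captured from a real server. In use, the header arrays come from the `Set-Cookie` headers of the pre-login and login responses and the body from the failing API call.

```javascript
// Added example (not from the thread, not Bonita's code): verification checks
// for session-ID rotation at login and for stack-trace leakage in responses.

// Parse Set-Cookie header values ("name=value; Path=/; HttpOnly") into {name: value}.
function parseSetCookies(headers) {
  const jar = {};
  for (const h of headers) {
    const pair = h.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// Session fixation check. The ID handed out before authentication must be
// replaced by a fresh one on successful login. A login response that sets no
// new session cookie at all means the pre-login ID is still valid, so that
// case is reported as "not rotated" too.
function sessionRotatedOnLogin(preLoginSetCookie, postLoginSetCookie, name = 'JSESSIONID') {
  const before = parseSetCookies(preLoginSetCookie)[name];
  const after = parseSetCookies(postLoginSetCookie)[name];
  return Boolean(before) && Boolean(after) && before !== after;
}

// Stack-trace leak check: a fully qualified Java exception class followed by
// at least one "at pkg.Class.method(" frame line.
const STACK_TRACE_RE = /(?:\w+\.)+\w*(?:Exception|Error)\b[\s\S]*?\n\s*at [\w$.<>]+\(/;
function leaksStackTrace(body) {
  return STACK_TRACE_RE.test(body);
}

// Constructed sample exchange (ASSUMPTION, not captured from a real server):
// the login response sets an unrelated cookie but no new session ID, and the
// API error body carries a trace.
const SAMPLE = {
  preLoginSetCookie: ['JSESSIONID=5A1C0F2E9B7D; Path=/bonita; HttpOnly'],
  postLoginSetCookie: ['theme=light; Path=/bonita'],
  errorBody:
    'HTTP Status 500\n\n' +
    'java.lang.IllegalArgumentException: bad order parameter\n' +
    '\tat org.example.Foo.bar(Foo.java:42)\n',
};

// Runs both checks and returns the list of findings (empty when clean).
function runAudit(sample = SAMPLE) {
  const findings = [];
  if (!sessionRotatedOnLogin(sample.preLoginSetCookie, sample.postLoginSetCookie)) {
    findings.push('session-fixation: JSESSIONID not rotated at login');
  }
  if (leaksStackTrace(sample.errorBody)) {
    findings.push('info-leak: Java stack trace in error response body');
  }
  return findings;
}

console.log(runAudit());
```

On 3), a caveat that explains why replacing the files under `error-pages` can fix the browser pages but not the API call: the servlet container's error-page mappings (and so the static pages they point at) only take effect when the container handles the error, that is for an uncaught exception or a `response.sendError(...)`. Code that catches the exception itself, sets status 500 and writes the trace into the body never reaches those mappings, so the trace shows regardless of what is in the error-pages directory. The `leaksStackTrace` check above catches that case whichever way the status was produced.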
