Is it safe to use REST API Login with password in the URL


Hi guys,

The title is pretty clear: we have a doubt concerning security when we see that the Login REST API sends the user's password in the URL.

  POST http://localhost:8080/bonita/loginservice?username=walter.bates&password=bpm&redirect=false HTTP/1.1
  Accept-Encoding: gzip,deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 0
  Host: localhost:8080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Is there a way to authenticate without sending the user's password unencrypted?
Thank you for your enlightenment :P

2 answers

This one is the BEST answer!

Antoine answered my ticket:

You can use the loginservice API by sending a POST request, as explained in the documentation: http://documentation.bonitasoft.com/?page=rest-api-overview#toc2

You can configure HTTPS to secure exchanges between server and client: http://documentation.bonitasoft.com/?page=ssl

A GET request sends the data in the URL, POST doesn't, so the subject is closed :)
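As an added illustration (not code from the thread or from Bonita), the request from the question with the password in the query string beside the body-based POST Antoine describes, plus a small check that flags credential parameters in a request line, which is what access logs, proxies and browser history record. The parameter names in SENSITIVE_PARAMS and the assumption that loginservice accepts the same parameters in the form body are mine.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed list of parameter names that should never appear in a request target.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "secret", "token"}


def credentials_in_url(request_line: str) -> list[str]:
    """Return the sensitive parameter names found in the query string of an
    HTTP request line such as 'POST /path?a=b HTTP/1.1' (origin or absolute form)."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    found = parse_qs(query, keep_blank_values=True)
    return sorted(name for name in found if name.lower() in SENSITIVE_PARAMS)


def build_login_request(host: str, username: str, password: str) -> str:
    """Build the loginservice POST with the credentials in the form body, so the
    request line carries none. Without HTTPS the body is still plaintext on the wire."""
    body = urlencode({"username": username, "password": password, "redirect": "false"})
    return (
        "POST /bonita/loginservice HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
        f"{body}"
    )


# Constructed sample: the request line from the question, as a log would record it.
QUESTION_REQUEST_LINE = (
    "POST http://localhost:8080/bonita/loginservice"
    "?username=walter.bates&password=bpm&redirect=false HTTP/1.1"
)

if __name__ == "__main__":
    print("leaked via URL:", credentials_in_url(QUESTION_REQUEST_LINE))
    fixed = build_login_request("localhost:8080", "walter.bates", "bpm")
    print("leaked via URL:", credentials_in_url(fixed.splitlines()[0]))
    print(fixed)
```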


No, is the simple answer...

I would submit a bug report for this, though I'm not sure how to get round it, but others seem to so it should be possible.

regards
Seán

PS: As this reply offers an answer to your question, and if you like it, please Mark UP and/or as Resolved.

Comments

Submitted by p.clainchard on Fri, 03/24/2017 - 11:21

Hi Sean,

I submitted an issue on the Jira: https://bonita.atlassian.net/browse/BBPMC-476
I'll keep you informed
