Is it safe to use REST API Login with password in the URL
The title is pretty clear : we have a doubt concerning security when we see that the Login REST API sends the user's password in the URL.
- POST http://localhost:8080/bonita/loginservice?username=walter.bates&password=bpm&redirect=false HTTP/1.1
- Accept-Encoding: gzip,deflate
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 0
- Host: localhost:8080
- Connection: Keep-Alive
- User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Is there a way to authenticate without sending the user's password unencrypted ?
Thank you for your enlightenment :P
Antoine answered to my ticket :
You can use loginservice API sending a POST request as explain in the documentation : http://documentation.bonitasoft.com/?page=rest-api-overview#toc2
You can configure HTTPS to secure exchange between server and client : http://documentation.bonitasoft.com/?page=ssl
GET request sends the data in the URL, POST doesn't, so the subject is closed :)
No, is the simple answer...
I would submit a bug report for this, though I'm not sure how to get round it, but others seem to so it should be possible.
PS: As this reply offers an answer your question, and if you like it, please Mark UP and/or as Resolved.