Is it safe to use REST API Login with password in the URL


Hi guys,

The title is pretty clear : we have a doubt concerning security when we see that the Login REST API sends the user's password in the URL.

POST http://localhost:8080/bonita/loginservice?username=walter.bates&password=bpm&redirect=false HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Host: localhost:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Is there a way to authenticate without sending the user's password unencrypted ?
Thank you for your enlightenment :P

2 answers

This one is the BEST answer!

Antoine answered to my ticket :

You can use loginservice API sending a POST request as explain in the documentation :

You can configure HTTPS to secure exchange between server and client :

GET request sends the data in the URL, POST doesn't, so the subject is closed :)


No, is the simple answer...

I would submit a bug report for this, though I'm not sure how to get round it, but others seem to so it should be possible.


PS: As this reply offers an answer your question, and if you like it, please Mark UP and/or as Resolved.


Submitted by p.clainchard on Fri, 03/24/2017 - 11:21

Hi Sean,

I submited an issue on the Jira :
I'll keep you informed