security API REST | Bonitasoft Community

Submitted by etchegaray on Mon, 10/09/2017 - 13:39

Bonita 7.5.4, Community
I have a project with some process that accesses to API REST from forms. In the studio, there is no problem but in production, only the profile 'administrator' can access to the API REST.

I have resolved the problem by editing the parameter "security.rest.api.authorizations.check.enabled" to false [..\setup\platform_conf\current\tenants\1\tenant_portal\security-config.propierties]

But I don't know if this is correct from the point of view of security. Is there another way to permit to the profile 'user' access to API REST without compromising the security?

Security

API REST

Log in or register to post comments
2835 reads

2 answers

Submitted by Lionel Palacin on Mon, 10/09/2017 - 22:50

This one is the BEST answer!

Hi,

Yes you can definitely do that. Here is the documentation page about this topic.

It's not that easy to approach at the beginning and it might require a little bit of hit and try but it's doable. If you want to provide more details about what APIs you're trying to protect, I could try to help.

Cheers

Log in or register to post comments
476 reads

Submitted by etchegaray on Tue, 10/10/2017 - 16:42

Thanks.
At last I have been able to set the permissions like I wanted.
My problem was that the profile user has not got access to API/bpm/activityVariable. I granted this permission editing the 'custom-permissions-mapping.properties' adding profile|User=[flownode_visualization]

I think that this permission should be granted by default because I suppose that will be usually to need access to those kinds of variables from pages and forms.

Regards

Log in or register to post comments
479 reads