Hi guys,
The title is pretty clear : we have a doubt concerning security when we see that the Login REST API sends the user’s password in the URL.
POST http://localhost:8080/bonita/loginservice?username=walter.bates&password=bpm&redirect=false HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Host: localhost:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Is there a way to authenticate without sending the user’s password unencrypted ?
Thank you for your enlightenment 
No, is the simple answer…
I would submit a bug report for this, though I’m not sure how to get round it, but others seem to so it should be possible.
regards
Seán
PS: As this reply offers an answer your question, and if you like it, please Mark UP and/or as Resolved.
Antoine answered to my ticket :
You can use loginservice API sending a POST request as explain in the documentation : http://documentation.bonitasoft.com/?page=rest-api-overview#toc2
You can configure HTTPS to secure exchange between server and client : http://documentation.bonitasoft.com/?page=ssl
GET request sends the data in the URL, POST doesn’t, so the subject is closed 
Hi Sean,
I submited an issue on the Jira : https://bonita.atlassian.net/browse/BBPMC-476
I’ll keep you informed