How to fix vulnerability CWE-307 Improper Restriction of Excessive Authentication Attempts in Bonita version 7.10.1?


The security team performed tests using the OWASP methodology and penetration testing. Black-box and white-box tests were performed.

It detected the following vulnerability in the Bonita 7.10.1 bundle with Tomcat 8.5.47.
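The generic mitigation for CWE-307 is to throttle and lock out repeated failed logins per account and per source address. The block below is an added example and not code from Bonita or Tomcat; the page only reports the finding, so this limiter is a pattern that would be placed in front of the Bonita login service (a servlet filter or a reverse proxy), not an existing product setting. The thresholds, the key format, the demo credential and the injectable clock are assumptions chosen for illustration.

```python
"""Login-attempt throttling as a mitigation for CWE-307.

Added example, not Bonita's or Tomcat's code.  Thresholds, key format,
the demo user and the injectable clock are assumptions for illustration.
"""
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures tolerated inside WINDOW before a lockout
WINDOW = 300.0          # seconds over which failures are counted
BASE_LOCKOUT = 60.0     # first lockout; doubles for each consecutive lockout
MAX_LOCKOUT = 3600.0

# Constructed demo credential; a real store holds salted password hashes.
USERS = {"walter.bates": "bpm"}
DUMMY_SECRET = "x" * 32   # compared against when the user is unknown


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # key -> recent failure timestamps
        self._locked_until = {}               # key -> clock time the lockout ends
        self._lockouts = defaultdict(int)     # key -> consecutive lockouts so far

    @staticmethod
    def _keys(username, client_ip):
        # Track per account AND per source: the account key stops a distributed
        # guess on one user, the IP key stops a spray from one host across users.
        return (f"user:{username.lower()}", f"ip:{client_ip}")

    def retry_after(self, username, client_ip):
        """Seconds until another attempt is allowed, 0.0 if allowed now."""
        now = self._clock()
        waits = [self._locked_until.get(k, 0.0) - now
                 for k in self._keys(username, client_ip)]
        return max(0.0, *waits)

    def record_failure(self, username, client_ip):
        now = self._clock()
        for k in self._keys(username, client_ip):
            q = self._failures[k]
            while q and now - q[0] > WINDOW:   # forget failures outside WINDOW
                q.popleft()
            q.append(now)
            if len(q) >= MAX_FAILURES:
                n = self._lockouts[k]
                self._lockouts[k] = n + 1
                self._locked_until[k] = now + min(BASE_LOCKOUT * 2 ** n, MAX_LOCKOUT)
                q.clear()

    def record_success(self, username, client_ip):
        for k in self._keys(username, client_ip):
            self._failures.pop(k, None)
            self._locked_until.pop(k, None)
            self._lockouts.pop(k, None)


def attempt_login(throttle, users, username, password, client_ip):
    """Return 'locked', 'denied' or 'ok'.  A locked account gets 'locked' even
    for the right password, so the response never confirms a correct guess."""
    if throttle.retry_after(username, client_ip) > 0:
        return "locked"
    # Always run the comparison so unknown users cost the same time as known ones.
    stored = users.get(username, DUMMY_SECRET)
    ok = hmac.compare_digest(stored.encode(), password.encode()) and username in users
    if ok:
        throttle.record_success(username, client_ip)
        return "ok"
    throttle.record_failure(username, client_ip)
    return "denied"
```

Two points of the design matter for the finding: the lockout is checked before the password is verified, so a locked account answers "locked" whether or not the guess was right, and the lockout length doubles on each consecutive lockout up to MAX_LOCKOUT so a patient attacker gains nothing by pacing requests just under the threshold.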

Information system security policy of the ISO 27002 standard

How to add the information system security policy of the ISO 27002 standard in Bonitasoft Community 7.8.0 for the application?

REST API security

Bonita 7.5.4, Community
I have a project with some processes that access the REST API from forms. In the Studio there is no problem, but in production only the 'administrator' profile can access the REST API.

I have resolved the problem by editing the parameter "" to false [..\setup\platform_conf\current\tenants\1\tenant_portal\security-config.properties]

Is it safe to use REST API Login with password in the URL

The title is pretty clear: we have a doubt concerning security when we see that the Login REST API sends the user's password in the URL.

How can we check user permissions?

I'm trying to understand how the REST API's permissions work with Bonita 7.4; if someone can provide any info it would be nice :)

So here's what I understood:

Why do the tasks not load when CSRF is enabled in the configuration file?


I have changed CSRF from false to true in the security config file.
The path is /bonita/client/platform/conf.

Once I set the value to true (as described in the Bonita documentation), I can see all the tasks in my portal. But when I click on a task and select "Do it", the page just reloads (the task list page).
If I set it to false, then the tasks work fine. But setting it to true does not open the tasks.
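The symptom in this post, and the question above about the login password appearing in the URL, both come down to how a client talks to the Bonita REST API. The block below is an added example and not Bonita's own code: it models, in a small in-process server and client, two documented behaviours so they can be exercised offline. First, the login service takes the credentials from a POST form body, so they stay out of the access log that a URL query string lands in. Second, with CSRF protection enabled the server issues an X-Bonita-API-Token cookie, and every POST, PUT or DELETE must echo it back in an X-Bonita-API-Token header or the call is refused, which is what a form that "just reloads" is running into. The server and client classes, the 200/401 codes, the task id, the demo credential and the one-line access log are all toy stand-ins (assumptions), not the product's implementation.

```python
"""Model of the Bonita REST login and CSRF token exchange.

Added example, not Bonita's code: the classes, status codes, task id and
access-log format are assumptions; the cookie/header name and the POST
login body follow the documented REST API.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

USERS = {"walter.bates": "bpm"}          # constructed demo credential
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def parse_cookies(header):
    out = {}
    for item in header.split(";"):
        if "=" in item:
            k, v = item.strip().split("=", 1)
            out[k] = v
    return out


class BonitaLikeServer:
    def __init__(self, csrf_enabled=True):
        self.csrf_enabled = csrf_enabled   # the CSRF flag in security-config.properties
        self.sessions = {}                 # JSESSIONID -> {"user": ..., "csrf": ...}
        self.access_log = []               # Tomcat-style: the request line is logged as-is

    def handle(self, method, url, headers=None, body=""):
        """Return (status, cookies_to_set)."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        parts = urlsplit(url)
        target = parts.path + ("?" + parts.query if parts.query else "")
        self.access_log.append(f'"{method} {target} HTTP/1.1"')   # query string included
        if parts.path == "/bonita/loginservice":
            return self._login(method, parts.query, body)
        cookies = parse_cookies(headers.get("cookie", ""))
        session = self.sessions.get(cookies.get("JSESSIONID", ""))
        if session is None:
            return 401, {}
        if self.csrf_enabled and method in STATE_CHANGING:
            sent = headers.get("x-bonita-api-token", "")
            if not hmac.compare_digest(sent, session["csrf"]):
                return 401, {}   # what the "Do it" form hits: the task is never executed
        return 200, {}

    def _login(self, method, query, body):
        # POST credentials arrive in the body; a GET would have put them in the
        # query string, which handle() has already written to the access log.
        params = parse_qs(body if method == "POST" else query)
        user = params.get("username", [""])[0]
        password = params.get("password", [""])[0]
        stored = USERS.get(user, "")
        if not stored or not hmac.compare_digest(stored, password):
            return 401, {}
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": token}
        cookies = {"JSESSIONID": sid}
        if self.csrf_enabled:
            cookies["X-Bonita-API-Token"] = token
        return 200, cookies


class Client:
    """Stores cookies and, when it has the token cookie, copies it into the header."""

    def __init__(self, server):
        self.server = server
        self.cookies = {}

    def _headers(self, extra=None):
        h = {"Cookie": "; ".join(f"{k}={v}" for k, v in self.cookies.items())}
        h.update(extra or {})
        return h

    def login(self, username, password):
        body = f"username={username}&password={password}&redirect=false"
        status, set_cookies = self.server.handle("POST", "/bonita/loginservice",
                                                 self._headers(), body)
        self.cookies.update(set_cookies)
        return status

    def post(self, path, body="", send_csrf_header=True):
        extra = {}
        if send_csrf_header and "X-Bonita-API-Token" in self.cookies:
            extra["X-Bonita-API-Token"] = self.cookies["X-Bonita-API-Token"]
        status, _ = self.server.handle("POST", path, self._headers(extra), body)
        return status


def demo():
    """Log in, then execute a task without and with the CSRF header."""
    server = BonitaLikeServer(csrf_enabled=True)
    client = Client(server)
    client.login("walter.bates", "bpm")
    task_url = "/bonita/API/bpm/userTask/42/execution"   # task id 42 is made up
    return (client.post(task_url, "{}", send_csrf_header=False),
            client.post(task_url, "{}"))
```

Running demo() gives a 401 for the call that omits the header and a 200 for the one that echoes the cookie value; flipping csrf_enabled to False makes the first call succeed too, which is the "works when false" behaviour described above. The access log after a POST login contains only the path, while a GET with the credentials in the query string writes them verbatim into the log line, which is the risk behind the password-in-URL question.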

Need to implement some security measures in the BonitaSoft Portal and subsequent apps


I need to implement some security features in my Portal. Below is the list of issues that were identified.
Please point me to the correct documentation or the steps I need in order to implement the security measures.

1) I observed that AutoComplete was enabled in potentially sensitive form fields. - Disable AutoComplete.

Unable to set the auto-login feature in 7.1.4


I am trying to set the pool-level auto-login feature for a Bonita form. I have created the username and password for the anonymous user (at pool level) and created a URL in the format: (Note: Project Initiation is the pool name, 1.4.0 is the BOS version and process = process ID).

This project aims to develop connectors that meet information security requirements such as integrity, confidentiality, non-repudiation and authenticity.

The repository already contains connectors for integrity, encryption, decryption, digital fingerprinting and digital signature with PKCS#12 digital certificates.

Connectors that meet other information security requirements are welcome.

Releases for Information Security

Total downloads: 2 284

Version: PF2
BonitaBPM version: 7.x, 6.5.x, 6.4.x
Post date: 2015-Jun-15

Does Bonita have out-of-the-box features for data confidentiality in processes?

I need to handle data that is restricted according to different actors.

Can I define that data in some way so it is handled differently depending on the actor?

And also, how is data secured against attackers trying to steal it with attacks like man-in-the-middle or other types of attacks?

Can data be encrypted in the database used by Bonita or when transmitted to an external database?