Submitted by etchegaray on Mon, 10/09/2017 - 13:39
Bonita 7.5.4, Community
I have a project with some processes that access the REST API from forms. In the studio there is no problem, but in production only the 'administrator' profile can access the REST API.
I have resolved the problem by setting the parameter "security.rest.api.authorizations.check.enabled" to false [..\setup\platform_conf\current\tenants\1\tenant_portal\security-config.properties]
Submitted by Dibyajit.Roy on Sat, 10/29/2016 - 08:10
I have enabled CSRF from false to true in the security config file.
The path is /bonita/client/platform/conf.
Once I set the value to true (referring to the Bonita documentation), I can see all the tasks in my portal. But when I click on a task and select "Do it", the page just reloads (task list page).
If I set it to false, then the tasks work fine. But setting it to true does not open the tasks.
Submitted by Dibyajit.Roy on Mon, 10/17/2016 - 09:53
I need to implement some security features in my Portal. Below is the list of issues that were identified.
Please point me to the correct documentation or steps that I need in order to implement the security measures.
1) I observed that AutoComplete was enabled in potentially sensitive form fields. - Disable AutoComplete.
Submitted by abhinethra1 on Wed, 02/24/2016 - 22:39
I am trying to set the pool-level auto-login feature for a Bonita form. I have created the username and password for the anonymous user (at pool level) and created a URL in the format of : (Note: Project Initiation is the pool name, 1.4.0 is the BOS version and process = process Id).
BAR files are compiled code of a process which allows them to be implemented in QA/Integration and Production settings and stops them being looked at by the unnecessary.
However, I've just read in Build a process for deployment (point 4) that it is possible to simply reverse engineer an implemented BAR into a BOS and hence into studio (when using a SP version of Bonita).
I just started evaluating Bonitasoft. When I run the "Travel Request" example from BPM Studio I noticed that it opens the browser with the username and password in the URL. This looks like a big security hole. Is there an alternative configuration?