https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129053#M90678 <HTML><HEAD></HEAD><BODY><SPAN>balsarori, thanks. Imho, this is a very important feature and should be merged immediately.</SPAN></BODY></HTML> Wed, 04 Mar 2015 07:44:42 GMT b_schnarr 2015-03-04T07:44:42Z https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129045#M90670 Currently, Activiti Modeler can be accessed (and models can be modified) without authentication by directly accessing the Modeler, for example:http://localhost:8080/activiti-explorer2/service/editor?id=50Of course, there are different options for administrators to handle this but I think that it sho Mon, 11 Mar 2013 00:37:37 GMT https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129045#M90670 balsarori 2013-03-11T00:37:37Z https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129046#M90671 <HTML><HEAD></HEAD><BODY><SPAN>Yes, I think that is indeed needed (and we discussed it too already, agreeing we need to add it asap).</SPAN></BODY></HTML> Mon, 11 Mar 2013 10:51:10 GMT https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129046#M90671 jbarrez 2013-03-11T10:51:10Z https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129047#M90672 <HTML><HEAD></HEAD><BODY><SPAN>I'm not sure whats the best way to do this. Anyway, here is what I think can be one option</SPAN><BR /><BR /><A href="https://github.com/balsarori/Activiti/commit/4a42468048ac5cd2ec139f519348b62bbab804e2" rel="nofollow noopener noreferrer">https://github.com/balsarori/Activiti/commit/4a42468048ac5cd2ec139f519348b62bbab804e2</A><BR /><BR /><SPAN>In this code any call to '/service' will not be allowed unless user was already authenticated (either by Vaadin login form or by Servlet Container). When a user logins to Explorer an attribute is saved in the session (the user id, could be anything else). ExplorerFilter checks for this attribute and will not allow access to '/service' unless this attribute was set or user was authenticated by Servlet Container.</SPAN></BODY></HTML> Tue, 12 Mar 2013 01:34:39 GMT https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129047#M90672 balsarori 2013-03-12T01:34:39Z https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129048#M90673 <HTML><HEAD></HEAD><BODY><SPAN>Yes, that makes sense. We'll discuss it shortly, and I have put your link on my notes. Thanks!</SPAN></BODY></HTML> Wed, 13 Mar 2013 08:59:38 GMT https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129048#M90673 jbarrez 2013-03-13T08:59:38Z https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129049#M90674 <HTML><HEAD></HEAD><BODY><SPAN>Can you provide any update? This appears to still be an issue, as of 5.16. In the meantime, is there any way to completely disable modeler (without deploying an SSL decrypting WAF, that is). Unfortunately, I can't deploy Activiti into production with such a severe vulnerability. </SPAN><BR /><BR /><SPAN>EDIT: I notice that JIRA ticket ACT-1970 tracks this, filed at the end of March 2014, but is marked as minor priority. This vulnerability, unless mitigated, would prevent Activiti Explorer's use in any enterprise, so might justify a higher priority. </SPAN><BR /><BR /><SPAN>Thanks!</SPAN></BODY></HTML> Wed, 17 Sep 2014 19:08:15 GMT https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129049#M90674 mathewjohnston 2014-09-17T19:08:15Z https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129050#M90675 <HTML><HEAD></HEAD><BODY><SPAN>Any updates on this issue?</SPAN><BR /><SPAN>The above fix worked.</SPAN></BODY></HTML> Mon, 02 Feb 2015 15:57:08 GMT https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129050#M90675 fionn 2015-02-02T15:57:08Z https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129051#M90676 <HTML><HEAD></HEAD><BODY><SPAN>Ideally that fix is added to the code. Not sure if it covers all use cases.</SPAN><BR /><SPAN>A pull request would most certainly be appreciated, if you say you've successfully verified it!</SPAN></BODY></HTML> Mon, 09 Feb 2015 16:18:02 GMT https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129051#M90676 jbarrez 2015-02-09T16:18:02Z https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129052#M90677 <HTML><HEAD></HEAD><BODY><SPAN>I've created a pull request that secures access to /service, process definitions and models should now be accessible to authenticated users only.</SPAN><BR /><BR /><A href="https://github.com/Activiti/Activiti/pull/533" rel="nofollow noopener noreferrer">https://github.com/Activiti/Activiti/pull/533</A></BODY></HTML> Wed, 04 Mar 2015 01:17:06 GMT https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129052#M90677 balsarori 2015-03-04T01:17:06Z https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129053#M90678 <HTML><HEAD></HEAD><BODY><SPAN>balsarori, thanks. Imho, this is a very important feature and should be merged immediately.</SPAN></BODY></HTML> Wed, 04 Mar 2015 07:44:42 GMT https://connect.hyland.com/t5/alfresco-archive/securing-activiti-modeler/m-p/129053#M90678 b_schnarr 2015-03-04T07:44:42Z