REST + Security + Personalized Queries

cweber
Champ in-the-making
Hi everybody.
I've been testing the new REST API of the Activiti 5.13 version and it works very well so far.
At one point I got a bit confused, because it seems that there is no real security on the queries.

For example:
I can log in as gonzo but I'm allowed to query the tasks of kermit.

There seems to be no check whether I'm allowed to do so.
- Are there any plans to change this?
- Or is there a possibility to configure it?

I think it could be a problem if you try to connect to the engine through REST from a client. If somebody gets the URL, he can see what tasks my supervisor, for example, has to do. And if there are any critical topics like salary, I would not feel very comfortable if anybody who has an "account" on the engine can see this.

During development there is no problem, but I'm not sure if it's okay for a production case.


How do you handle that in production?
- A kind of proxy which filters the queries?
- ???

It would be great to hear how you would do it. Thanks a lot.

trademak
Star Contributor
Right, for the 5.13 release our major goal was to make the REST API as rich as the Java API. As you know, we don't have this kind of security in the Java API either. When specific security is needed, it has to be implemented on top of the Activiti Java and/or REST API. But I agree that this is an area for future improvement.

Best regards,
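The question above asks whether "a kind of proxy which filters the queries" is the way to go, and the reply says that per-user security has to be implemented on top of the Activiti Java and/or REST API. Below is an added example of the decision logic such a filtering proxy would apply to the gonzo-versus-kermit case from the first post. It is not code from the thread and not Activiti's own code. The endpoint path, the query parameter names (`assignee`, `owner`, `candidateUser`, `involvedUser`), the user table and the "admin" role are assumptions made for the demo; check the parameter names against the REST API you actually deploy.

```python
"""Authorizing proxy in front of a REST API whose task queries have no
per-user check.  Added example, not Activiti's own code and not from the thread.

Assumptions (not stated on the page):
- the proxy terminates HTTP Basic auth and looks users up in a small
  constructed table (USERS);
- the task-list endpoint is TASK_QUERY_PATH and scopes results through the
  query parameters in USER_SCOPED_PARAMS (names assumed);
- members of ADMINS (a hypothetical supervisor role) may query anyone.
"""
import base64
import binascii
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo credentials; a real proxy would consult a directory instead.
USERS = {"kermit": "kermit-pw", "gonzo": "gonzo-pw", "fozzie": "fozzie-pw"}
ADMINS = {"kermit"}  # hypothetical supervisor role

TASK_QUERY_PATH = "/activiti-rest/service/runtime/tasks"  # assumed path
USER_SCOPED_PARAMS = ("assignee", "owner", "candidateUser", "involvedUser")


def basic_auth_header(user, password):
    """Build an 'Authorization: Basic ...' value (used by the demo below)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def principal_from_basic_auth(header):
    """Return the authenticated user name, or None when the header is missing,
    malformed, names an unknown user or carries a wrong password."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # Constant-time comparison so a wrong password is not a timing oracle.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return user


def authorize_task_query(principal, query_string):
    """Return (allowed, query_to_forward) for PRINCIPAL's task query.

    Admins pass through untouched.  Everyone else may only ask for tasks
    scoped to themselves: every user-scoped parameter present must equal the
    principal, and if none is present the proxy adds involvedUser=<principal>
    so an unscoped query (which would list everybody's tasks) never reaches
    the engine on an ordinary user's behalf.
    """
    params = parse_qsl(query_string, keep_blank_values=True)
    if principal in ADMINS:
        return True, query_string
    scoped = [(k, v) for k, v in params if k in USER_SCOPED_PARAMS]
    if any(v != principal for _, v in scoped):
        return False, None
    if not scoped:
        params.append(("involvedUser", principal))
    return True, urlencode(params)


def handle(method, path, query_string, auth_header):
    """One proxy decision: (status, query to forward upstream).
    401 = not authenticated, 403 = query reaches for someone else's tasks."""
    principal = principal_from_basic_auth(auth_header)
    if principal is None:
        return 401, None
    if method == "GET" and path == TASK_QUERY_PATH:
        allowed, forwarded = authorize_task_query(principal, query_string)
        return (200, forwarded) if allowed else (403, None)
    # Other paths are forwarded as-is here; a real deployment needs the same
    # scoping for every endpoint that can return another user's data.
    return 200, query_string


if __name__ == "__main__":
    gonzo = basic_auth_header("gonzo", "gonzo-pw")
    print(handle("GET", TASK_QUERY_PATH, "assignee=kermit", gonzo))  # (403, None)
    print(handle("GET", TASK_QUERY_PATH, "", gonzo))  # (200, 'involvedUser=gonzo')
```

Two caveats a practitioner would want: filtering the query string is only as good as the list of endpoints it covers, so every path that can return another user's data (single-object lookups by id, history queries, process instance listings) needs the same scoping or the filter is bypassed; and forcing a scoping parameter into the query is a coarse instrument, since a task with several candidate users or groups may be legitimately visible to people the parameter does not name. A wrapper around the Java API that checks the returned objects against the principal is more robust, at the cost of writing code rather than configuration.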

cweber
Champ in-the-making
@trademak
Thanks for answering.
<blockquote>As you know we don't have this kind of security in the Java API either</blockquote>

I know that, but I think it is not as important as for the REST API, because your engine is running on a server with a web interface that connects to the engine. So you do not see what is really happening, and if you want to manipulate data you have to write code to connect to the engine and code to manipulate it. For REST you don't need to implement anything.

You just need a link and, for example, the RESTClient plugin for Firefox.

vikas1
Champ in-the-making
Can anybody tell me the steps to start activiti-rest in a web browser like activiti-explorer? On my system it is not coming up. I am following these steps:
- putting the activiti-rest.war file inside tomcat webapps,
- starting the Tomcat server and using activiti-rest in the browser, but it is not coming up. Somebody please help me!!!

cweber
Champ in-the-making
@vikas
First of all, I would ask your question in a new topic, because if the users here just read the title "REST + Security + Personalized Queries" they would not expect a question like yours. So maybe many users that are able to help you will not read your question here.

Secondly, the information you gave is a bit too little to give you real help. The only thing I can tell you is that when I deployed the activiti-explorer and activiti-rest war files on a Tomcat 7 it worked fine. I had no problems with that.

1. Are there any errors in the Tomcat log?
2. Did the server really start? (Try to browse to localhost:8080 and see if the Tomcat welcome page is coming up.)

<blockquote>and started tomcat server and on browser using activiti-rest but its not coming somebody please help me !!!</blockquote>

3. What do you mean by "on browser using activiti-rest"?
If you expect the UI of the activiti explorer, it will not appear for the activiti-rest war.

4. How do you try to send your REST URL? Do you use a browser plugin like RESTClient for Firefox, or do you have code that tries to run the query?

Those are only the questions I get from your question. Nobody is able to help you if you do not give more details.