
Securing Activiti Modeler

balsarori
Champ on-the-rise
Currently, Activiti Modeler can be accessed (and models can be modified) without authentication by directly accessing the Modeler, for example:

http://localhost:8080/activiti-explorer2/service/editor?id=50

Of course, there are different options for administrators to handle this but I think that it should not be left unsecured by default.

Both Activiti Explorer (Authentication via custom Vaadin Login Form) and Activiti Rest API (Basic HTTP Authentication) are secured by default.

Since Activiti Modeler is a part of Activiti Explorer, I suggest that access to Activiti Modeler should only be allowed if the user has already logged in to Activiti Explorer.

What do you guys think?
8 REPLIES

jbarrez
Star Contributor
Yes, I think that is indeed needed (and we discussed it too already, agreeing we need to add it asap).

balsarori
Champ on-the-rise
I'm not sure what's the best way to do this. Anyway, here is what I think can be one option:

https://github.com/balsarori/Activiti/commit/4a42468048ac5cd2ec139f519348b62bbab804e2

In this code any call to '/service' will not be allowed unless the user was already authenticated (either by the Vaadin login form or by the Servlet Container). When a user logs in to Explorer an attribute is saved in the session (the user id, could be anything else). ExplorerFilter checks for this attribute and will not allow access to '/service' unless this attribute was set or the user was authenticated by the Servlet Container.
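
The gate described in the post above, written out as an added example. This is not balsarori's commit nor Activiti's own code: the filter class name, the session attribute key `explorer.authenticatedUserId`, and the `markAuthenticated` helper that the login handler would call are all assumptions made here. It relies only on the standard Servlet API (`javax.servlet`).

```java
// Added example (not Activiti's own code): a servlet filter that refuses every
// request under /service unless the caller was already authenticated, either by
// the servlet container (request.getUserPrincipal()) or by the Explorer login
// form, which is assumed to store the user id in the HTTP session.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ExplorerServiceFilter implements Filter {

    // Assumed attribute key; the real login code would pick its own name.
    public static final String AUTHENTICATED_USER_ATTR = "explorer.authenticatedUserId";

    // Path prefix (relative to the web application) that must be protected.
    private static final String PROTECTED_PREFIX = "/service";

    /** Hypothetical hook: the login form calls this once the credentials were verified. */
    public static void markAuthenticated(HttpSession session, String userId) {
        session.setAttribute(AUTHENTICATED_USER_ATTR, userId);
    }

    /** True if the request carries proof of an earlier, successful login. */
    static boolean isAuthenticated(HttpServletRequest request) {
        // Case 1: the servlet container authenticated the caller (e.g. BASIC auth in web.xml).
        if (request.getUserPrincipal() != null) {
            return true;
        }
        // Case 2: the Explorer login form stored the user id in the session.
        // getSession(false) never creates a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(AUTHENTICATED_USER_ATTR) != null;
    }

    /**
     * Builds the application-relative path from servletPath + pathInfo, which the
     * container has already decoded and stripped of the context path and of any
     * ";jsessionid=" suffix, so the comparison does not depend on how the app is mounted.
     */
    static boolean isProtectedPath(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path.equals(PROTECTED_PREFIX) || path.startsWith(PROTECTED_PREFIX + "/");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isProtectedPath(request) && !isAuthenticated(request)) {
            // Fail closed with 401 rather than redirecting to the login page: the
            // modeler endpoints are called from scripts, not by a navigating browser.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register the filter in web.xml with a `<filter-mapping>` whose `<url-pattern>` is `/*` (the path check inside the filter then decides), and make sure its mapping is listed before any other filter that could answer the request. Two points worth keeping in mind when reviewing such a change: the session attribute must be set only after the credentials have actually been verified, and on logout the session should be invalidated so the attribute cannot outlive the login. The filter provides authentication only; whether a logged-in user may edit a particular model (the `id=50` in the URL from the first post) is a separate authorization decision that the modeler endpoints would still have to make.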

jbarrez
Star Contributor
Yes, that makes sense. We'll discuss it shortly, and I have put your link on my notes. Thanks!

mathewjohnston
Champ in-the-making
Can you provide any update? This appears to still be an issue, as of 5.16. In the meantime, is there any way to completely disable modeler (without deploying an SSL decrypting WAF, that is). Unfortunately, I can't deploy Activiti into production with such a severe vulnerability.

EDIT: I notice that JIRA ticket ACT-1970 tracks this, filed at the end of March 2014, but is marked as minor priority. This vulnerability, unless mitigated, would prevent Activiti Explorer's use in any enterprise, so might justify a higher priority.

Thanks!

fionn
Champ in-the-making
Any updates on this issue?
The above fix worked.

jbarrez
Star Contributor
Ideally that fix is added to the code. Not sure if it covers all use cases.
A pull request would most certainly be appreciated, if you say you've successfully verified it!

balsarori
Champ on-the-rise
I've created a pull request that secures access to /service; process definitions and models should now be accessible to authenticated users only.

https://github.com/Activiti/Activiti/pull/533

b_schnarr
Champ in-the-making
balsarori, thanks. Imho, this is a very important feature and should be merged immediately.