Tuesday, 17 September 2013

Guvnor5.5 REST API Authorization not Working

I have a centralized Guvnor 5.5 environment where multiple applications access Guvnor through the REST API for their respective assets, and BAs access Guvnor's web UI to create/modify process definitions. From Guvnor's web UI I can define "Users and Permissions", and users accessing the web UI are restricted according to the permissions defined for them. E.g. User A is permitted to modify Package A only, so Guvnor's web interface properly restricts User A, and User A can only see Package A when he logs into the Guvnor web UI.

My PROBLEM is that when User A accesses Guvnor through Guvnor's REST interface, User A can upload/modify any asset in any package (Package A, Package B, Package ...). How can I apply the user permission setup to access through the REST API?

Using the REST interface I can access Package C with the user name and password of User A, while User A is only permitted to access Package A.

I have 5 applications accessing a single Guvnor for their assets. Each application is getting assets from its own package (e.g. application 1 --> Package A, application 2 --> Package B, ...).

I am using Guvnor's REST API for getting task forms and also for doing import and export of a package using the REST API. (I am doing import/export through the REST interface because Guvnor itself only imports or exports the complete repository; it does not import/export a single package.)

Security breach case: if an application developer knows the names of other packages, he can point the application to get the assets of other applications. This causes a security issue for us. Applications should access only the assets assigned to them in their own package. I need to set up users and permissions for access through the REST interface on the basis of packages. Applications accessing Guvnor should be allowed to access only their respective package/assets/categories.

Thanks and Best Regards, Zahid Ahmed
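The post describes a classic authorization gap: the web UI enforces per-package permissions, but the REST interface does not, so any valid credential can read or write any package. Until the product enforces this itself, a compensating control is to put an authorizing reverse proxy or servlet filter in front of the `/rest` endpoint that maps each REST credential to the packages (and HTTP methods) it may use and denies everything else. The following is an added example of such a check, not code from the post or from Guvnor: the ACL table, the credential names, and the `/rest/packages/<package>/...` URL layout are assumptions for illustration. It also handles two practitioner caveats: path normalization (encoded `..` segments and double encoding are refused rather than guessed at), and the fact that repository-wide calls such as package listing and whole-repository import/export cannot be scoped to one application, so they are denied to application credentials and reserved for an administrative one.

```python
"""Per-package authorization filter for Guvnor REST calls (added example).

A deny-by-default check that a reverse proxy or servlet filter in front of
Guvnor's /rest endpoint could apply, so that a REST credential bound to one
application can only reach its own package.  The ACL table, credential names
and the /rest/packages/<package>/... layout are assumptions for illustration,
not Guvnor's own configuration.
"""
import re
from urllib.parse import unquote, urlsplit

# Assumed policy table: REST credential -> {package: allowed HTTP methods}.
# "*" marks an administrative credential with repository-wide access, which is
# the only kind that may call non-package-scoped resources (listing, import/export).
PACKAGE_ACL = {
    "app1": {"PackageA": {"GET", "POST", "PUT", "DELETE"}},
    "app2": {"PackageB": {"GET", "POST", "PUT", "DELETE"}},
    "forms-reader": {"PackageA": {"GET"}, "PackageB": {"GET"}},
    "repo-admin": {"*": {"GET", "POST", "PUT", "DELETE"}},
}

# Assumed REST layout: package-scoped resources live under /rest/packages/<name>/...
PACKAGE_RE = re.compile(r"^/rest/packages/([^/]+)(?:/.*)?$")


def canonical_path(raw_path):
    """Decode and normalise the request path; return None if it looks evasive."""
    path = urlsplit(raw_path).path          # ignore the query string
    decoded = unquote(path)
    if "%" in decoded:                      # double encoding: refuse rather than guess
        return None
    if len(decoded) > 1 and decoded.endswith("/"):
        decoded = decoded[:-1]              # tolerate a single trailing slash
    segments = decoded.split("/")
    if segments[0] != "" or any(s in ("", ".", "..") for s in segments[1:]):
        return None                         # relative, empty or traversal segments
    return decoded


def authorize(user, method, raw_path):
    """Return (allowed, reason).  Anything not explicitly granted is denied."""
    path = canonical_path(raw_path)
    if path is None:
        return False, "malformed or evasive path"
    grants = PACKAGE_ACL.get(user)
    if not grants:
        return False, "unknown credential"
    if "*" in grants:
        ok = method in grants["*"]
        return ok, "administrative credential" if ok else "method not granted"
    match = PACKAGE_RE.match(path)
    if not match:
        # Package listing, repository-wide import/export and anything else not
        # scoped to a single package cannot be limited to one application.
        return False, "not a package-scoped resource"
    package = match.group(1)
    if method not in grants.get(package, set()):
        return False, "%s %s not granted to %s" % (method, package, user)
    return True, "%s %s granted to %s" % (method, package, user)


def demo():
    """Constructed requests mirroring the scenario: app1 is bound to PackageA."""
    requests = [
        ("app1", "GET", "/rest/packages/PackageA/assets/TaskForm1?format=json"),
        ("app1", "PUT", "/rest/packages/PackageC/assets/Rule1"),   # the breach case
        ("app1", "GET", "/rest/packages/PackageA/..%2FPackageC/assets"),
        ("app1", "GET", "/rest/packages"),                          # repo-wide listing
        ("forms-reader", "GET", "/rest/packages/PackageB/assets/TaskForm2"),
        ("forms-reader", "DELETE", "/rest/packages/PackageB/assets/TaskForm2"),
        ("repo-admin", "POST", "/rest/packages"),
    ]
    return [(u, m, p) + authorize(u, m, p) for u, m, p in requests]


if __name__ == "__main__":
    for user, method, path, allowed, reason in demo():
        print("%-5s %-12s %-7s %-55s %s" % ("ALLOW" if allowed else "DENY",
                                             user, method, path, reason))
```

Wire `authorize()` into whatever fronts the REST endpoint (a proxy hook or a servlet filter that reads the authenticated user from the request) and run Guvnor's own import/export only under the administrative credential; the application credentials then cannot reach another application's package even if the developer knows its name.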
