REST + Security + Personalized Queries

Question asked by cweber on Sep 6, 2013
Latest reply on Sep 9, 2013 by cweber
Hi everybody.
I've been testing the new REST API of the Activiti 5.13 version and it works very well so far.
At one point I got a bit confused because it seems that there is no real security during queries.

For example:
I can log in as gonzo but I'm allowed to query the tasks of kermit.

There seems to be no check if I'm allowed to do so.
- Are there any plans to change this?
- Or is there a possibility to configure it?

I think it could be a problem if you try to connect to the engine through REST from a client. If somebody gets the URL, he can see what tasks my supervisor, for example, has to do. And if there are any critical topics like salary, I would not feel very well if anybody who has an "account" on the engine can see this.

During development there is no problem, but I'm not sure if it's okay for a production case.

How do you handle that in production?
- A kind of proxy which filters the queries?
- ???

It would be great to hear how you would do it. Thanks a lot.
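To make the "proxy which filters the queries" idea from the post concrete, here is an added illustration (my own example code, not part of Activiti or of the original thread) of the authorization policy such a reverse proxy would apply before forwarding a task query to the engine. It assumes HTTP Basic authentication, the `GET /runtime/tasks` endpoint, and the task query parameters `assignee`, `owner`, `candidateUser` and `involvedUser` as named in the Activiti 5 REST guide; verify those names against your engine version. The rule is simple: a caller may only query tasks scoped to their own user, and an unscoped query is narrowed to the caller instead of returning every task in the engine.

```python
"""Added example: request-scoping policy for a reverse proxy placed in front of
the Activiti REST API.  Illustrative code, not part of Activiti itself."""
import base64
from urllib.parse import parse_qs, urlencode

# Query parameters that scope a task query to a particular user.  Names are
# assumed to match the Activiti 5 REST task query; check your engine's docs.
USER_SCOPE_PARAMS = ("assignee", "owner", "candidateUser", "involvedUser")


def user_from_basic_auth(header_value):
    """Return the user name from an HTTP Basic 'Authorization' header, or None."""
    if not header_value or not header_value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


def scope_task_query(user, query_string):
    """Rewrite the query string of GET /runtime/tasks so it can only return
    tasks the caller is involved in.  Returns the new query string, or None
    when the caller tried to scope the query to a different user."""
    params = parse_qs(query_string, keep_blank_values=True)
    scoped = False
    for name in USER_SCOPE_PARAMS:
        for value in params.get(name, []):
            if value != user:
                return None  # the query names another user: refuse it
            scoped = True
    if not scoped:
        # No user scope given: narrow the query to the caller rather than
        # letting it list every task in the engine.
        params["involvedUser"] = [user]
    return urlencode(params, doseq=True)


def authorize_request(method, path, query_string, headers):
    """Decide what the proxy does with an incoming request.

    Returns (status, forwarded_url).  Status 200 means forward the request to
    the engine at forwarded_url; 401 or 403 means answer the client directly."""
    user = user_from_basic_auth(headers.get("Authorization"))
    if user is None:
        return 401, None
    if method == "GET" and path == "/runtime/tasks":
        rewritten = scope_task_query(user, query_string)
        if rewritten is None:
            return 403, None
        return 200, f"{path}?{rewritten}"
    if method == "GET" and path.startswith("/runtime/tasks/"):
        # A lookup by task id cannot be scoped with query parameters: forward
        # it and filter the engine's response with task_visible_to().
        return 200, path
    # Everything else is passed through unchanged in this example.
    forwarded = f"{path}?{query_string}" if query_string else path
    return 200, forwarded


def task_visible_to(user, task):
    """Response-side check for one task record (dict parsed from the engine's
    JSON): visible only when the caller is its assignee or owner."""
    return user in (task.get("assignee"), task.get("owner"))
```

Two caveats worth keeping in mind when turning this into a real proxy: the response-side check only sees the fields the engine returns for a task, so candidate-group membership would need a second lookup (or a group-aware policy) before a task could be shown to a candidate user; and the same treatment is needed for the history endpoints and for any other query that accepts a user as a filter, otherwise the filtered endpoint is simply bypassed through its neighbour.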