Adempiere Web Services Security

From ADempiere

This page explains the security model of ADempiere Web Services.

Configuration

Web Service

First you must register the web services:

01 WebService.png

Methods

And then you must register each method from the web service.

02 WebServiceMethod.png

Security

Model web services are highly generic, so they need an additional security layer to ensure that the security of the server is not compromised.

It is therefore important to allow fine-grained configuration of the allowed values for each method. This is achieved by configuring web service types on a per-client basis.

Role and User

First, it is recommended that you create a specific role and user (or several) just for the web services. The role must be manual, and you must allow access only to the processes needed: not windows, not tasks, etc.

03 WebServiceRole.png

Sample - Process Invoice web service

Web Service Types

In the web service type you configure specific types of the generic web services. For example, you can configure a web service to call the process that starts the workflow for processing an invoice.

04 WebServiceType.png

Parameters

This web service receives some specific parameters, so here we configure whether each parameter can be used freely (Free) or must have a constant value (Constant).

05 WebServiceTypeParams.png

Access

Then you must configure the access to allow execution from the proper web service role:

06 WebServiceTypeAccess.png

Sample Create BPartner web service - using Fields input

A more complex configuration must be done for the methods that pass and receive data rows.

In this case you must configure the allowed input columns, and/or the allowed output columns.

Examples of methods that receive a data row are createData, updateData, and queryData.

Examples of methods that return a data row are readData, queryData, and getList.

Web Service Type Using Fields Input

Again, you must configure the Web Service Type. But in this case you need to specify the table associated with the web service:

07 WebServiceType.png

Parameters Allowed

You also need to configure the constant and free parameters:

08 WebServiceTypeParams.png

Fields Input

Here you must configure the columns that are allowed to be passed in the data row.

This is a really important step. For example, allowing modification of the password on the user table can seriously compromise the security of the server.

09 WebServiceTypeFieldsInput.png
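
The checks that this configuration describes (role access, Constant and Free parameters, allowed input fields) can be modelled as follows. This is an added example, not ADempiere's own code; the class, the role name, and the parameter and column names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ServiceType:
    """One web service type as configured for a client (all values constructed)."""
    method: str            # registered method this type is bound to
    constant_params: dict  # parameter name -> required value (Constant)
    free_params: set       # parameters the caller may set freely (Free)
    input_columns: set     # columns allowed in the incoming data row
    roles: set = field(default_factory=set)  # roles granted under Access

def check_request(st, role, method, params, data_row):
    """Return a list of violations; an empty list means the call is allowed."""
    errors = []
    if role not in st.roles:
        errors.append(f"role {role!r} has no access to this service type")
    if method != st.method:
        errors.append(f"method {method!r} is not bound to this service type")
    for name, value in params.items():
        if name in st.constant_params:
            if value != st.constant_params[name]:
                errors.append(f"parameter {name!r} must be {st.constant_params[name]!r}")
        elif name not in st.free_params:
            errors.append(f"parameter {name!r} is not configured")
    for column in data_row:
        if column not in st.input_columns:
            errors.append(f"column {column!r} is not an allowed input field")
    return errors

# Constructed configuration modelled on the Create BPartner sample.
CREATE_BP = ServiceType(
    method="createData",
    constant_params={"TableName": "C_BPartner", "Action": "Create"},
    free_params={"RecordID"},
    input_columns={"Value", "Name", "TaxID"},
    roles={"WebService"},
)

def demo():
    ok = check_request(CREATE_BP, "WebService", "createData",
                       {"TableName": "C_BPartner", "Action": "Create"},
                       {"Value": "BP-1001", "Name": "Acme"})
    # Request that changes a Constant parameter and sends an unlisted column.
    bad = check_request(CREATE_BP, "WebService", "createData",
                        {"TableName": "AD_User", "Action": "Create"},
                        {"Name": "x", "Password": "secret"})
    return ok, bad

if __name__ == "__main__":
    print(demo())
```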