Xpert.ivy's Security Concept

0
1

Is there a white paper or any other informations regarding the security concept of Xpert.ivy? Regarding security it was once stated that it would be best practice to put an IIS or Apache in front of the Ivy-Server. The Server Guide is pretyy quite on that topic just stating external security systems concerning the Active Directory. Are there more informations?

I'm thankful for any assistance.

Edit: I know that - generally speaking - it's the task of the application development team to care about security issues, but Xpert.ivy is using a modified Tomcat as server and a lot of tasks like the role and user management is also handled by Xpert.ivy.

asked 07.11.2013 at 09:41

Nikel%20Weis's gravatar image

Nikel Weis
(suspended)
accept rate: 57%

edited 07.11.2013 at 11:14

One Answer:
active answersoldestnewestmost voted
1

In an application environment you have to deal with security issues on different levels.

So you limit the basic access to the xivy server. Including the configuration for http or https. The usual way is in fact to use a web server (IIS) with an isapi redirector to control the access to the ivy server. (instead of accesing the tomcat directly)

Second is the authentification and authorisation of user sessions. In most cases this is done via an ldap connection to an active directory service to identify a user and to map his workflow roles. (each process start and each task are assigned to a requested role)

And finally with the permission mechanism in xivy you can grant/deny on role/user level the usage of the workflow api. (permissions to see task data, reassign tasks, create roles etc.)

link

answered 11.11.2013 at 14:26

Bruno%20B%C3%BCtler's gravatar image

Bruno Bütler
56181318
accept rate: 68%

2

Thanks for your reply. Maybe my question was not precise enough - I was rather thinking of common attack-types like SQL-Inject, query string-, cookie- or HTTP-header manipulation. If the regular authentication/authorization of user sessions is used, are measures taken to address these threats or is xivy rather thought to be deployed in an intranet environment? The background is that we have to deal with sensitive data in a portal that is accesible over the internet.

(12.11.2013 at 09:40) Nikel Weis Nikel%20Weis's gravatar image

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×40

Asked: 07.11.2013 at 09:41

Seen: 2,723 times

Last updated: 12.11.2013 at 09:40

Related questions

Changing the Security System

Java blocks Rich Dialog applications and we cannot update

LDAP API call cache

Change password of an AD user in Ivy

How to set multiple responsible roles for a process start request

Does a user have a specific role?

How to reset a task back to state SUSPENDED cancelled by the user

How to change the certificate for SSL/HTTPS?

Permission Denied: needs Permission SYSTEM but the Session is SYSTEM

How can I disable Permission checks?