0
1

Is there a white paper or any other informations regarding the security concept of Xpert.ivy? Regarding security it was once stated that it would be best practice to put an IIS or Apache in front of the Ivy-Server. The Server Guide is pretyy quite on that topic just stating external security systems concerning the Active Directory. Are there more informations?

I'm thankful for any assistance.

Edit: I know that - generally speaking - it's the task of the application development team to care about security issues, but Xpert.ivy is using a modified Tomcat as server and a lot of tasks like the role and user management is also handled by Xpert.ivy.

asked 07.11.2013 at 09:41

Nikel%20Weis's gravatar image

Nikel Weis
(suspended)
accept rate: 57%

edited 07.11.2013 at 11:14


In an application environment you have to deal with security issues on different levels.

So you limit the basic access to the xivy server. Including the configuration for http or https. The usual way is in fact to use a web server (IIS) with an isapi redirector to control the access to the ivy server. (instead of accesing the tomcat directly)

Second is the authentification and authorisation of user sessions. In most cases this is done via an ldap connection to an active directory service to identify a user and to map his workflow roles. (each process start and each task are assigned to a requested role)

And finally with the permission mechanism in xivy you can grant/deny on role/user level the usage of the workflow api. (permissions to see task data, reassign tasks, create roles etc.)

link

answered 11.11.2013 at 14:26

Bruno%20B%C3%BCtler's gravatar image

Bruno Bütler
56181318
accept rate: 68%

2

Thanks for your reply. Maybe my question was not precise enough - I was rather thinking of common attack-types like SQL-Inject, query string-, cookie- or HTTP-header manipulation. If the regular authentication/authorization of user sessions is used, are measures taken to address these threats or is xivy rather thought to be deployed in an intranet environment? The background is that we have to deal with sensitive data in a portal that is accesible over the internet.

(12.11.2013 at 09:40) Nikel Weis Nikel%20Weis's gravatar image
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×40

Asked: 07.11.2013 at 09:41

Seen: 2,671 times

Last updated: 12.11.2013 at 09:40