Questions Tagged With security

Can we configure multiple external security systems (e.g. LDAP)?

sorin — Tue, 28 Apr 2020 03:59:51 -0400

The naming in ivy.securitysystem.yaml is plural as in SecuritySystems, not SecuritySistem.

Does that mean that we can configure multiple LDAP services at the same time?

Static JSF pages not found after updating to 8.0.4 / 9.1.0

Lukas Lieb — Wed, 18 Mar 2020 03:02:35 -0400

Since 8.0 you can create static JSF pages. Those pages can be accessed directly via a URL without being in an an HtmlDialog context. And until 8.0.3 they were still located in the webContent folder.

Are you affected?

If you used static pages and you upgrade to 8.0.4 your page will no longer be found by the engine.

What have changed?

To improve security, we changed the location to webContent/view. This helps you to decide which pages should be static and can be accessed directly.

How should your webContent folder look like?

If you use static pages, you should have a view folder, and if not, please do not use this folder. Your structure could look like something like the this:

webContent
  - META-INF/
  - WEB-INF/
  - view/          (static JSF pages -> direct call possible)
  - includes/    (templates, dialogs, etc -> no direct call allowed)
  - resources/  (images, css, js, etc. -> no direct call allowed)

Additional info

If you use static pages, you should consider securing them with a login.

Ghostcat vulnerability in Tomcat (CVE-2020-1938)

Alex Suter — Tue, 17 Mar 2020 10:00:35 -0400

IMPORTANT NOTE FROM 2020-05-12 Tomcat had a bug with AJP and IIS over HTTPS. Ivy 7.0.17 and 8.0.4/8.0.5 are affected by this bug. You will need to upgrade to 7.0.18 and 8.0.6.

The Axon.ivy Digital Business Platform is using Tomcat as web server. Ghostcat 👻😼 (CVE-2020-1938) is a security vulnerability in Tomcat and is related to the AJP protocol. AJP is a binary protocol and is used in conjunction with a reverse proxy like IIS or Apache httpd. A secure Axon.ivy Engine setup always includes a reverse proxy, like the following example:

Browser --> (HTTP, HTTPS) --> Reverse Proxy (IIS, Apache, ...) --> (AJP) --> Axon.ivy Engine

HTTP or HTTPS is also possible as communication protocol between the reverse proxy and the Axon.ivy Engine, but AJP is the most used setup, especially in Windows environments.

Are you affected by this vulnerability?

8.0 You are affected by this issue if you have explicitly enabled the AJP port and have not explicitly protected access to the Axon.ivy engine for example with a firewall.
7.0 You are affected by this issue if you not have explicitly disabled the AJP port and have not explicitly protected access to the Axon.ivy engine for example with a firewall.

How to fix this without updating?

Is your reverse proxy running on the same host as the Axon.ivy Engine?

Yes. You need to bind the AJP port only to localhost by setting the property Connector.AJP.Address to localhost in ivy.yaml and restart the Axon.ivy Engine. The AJP port is now only available on the host itself. For Axon.ivy 7.0 you need to set the system property WebServer.AJP.Address to localhost.
No. Configure your network to ensure exclusive access between the reverse proxy and the Axon.ivy Engine. If this is not possible, you will need to setup a firewall on the host where the Axon.ivy Engine is running. Only requests from the reverse proxy must be allowed.

What will change in Axon.ivy 7.0.17 and 8.0.6?

Axon.ivy will come with the latest Tomcat version:

Axon.ivy 8.0.6 comes with Tomcat 9.0.35
Axon.ivy 7.0.18 comes with Tomcat 8.5.55

Tomcat has changed the default behavior of the AJP port. AJP is now bound by default to localhost and not anymore to every network interface (nic). This means nobody can access the Axon.ivy Engine from another host via AJP. Furthermore the AJP port is now also disabled by default in Axon.ivy 7.0.18.

What do you have to do when upgrading to 7.0.18?

Is your reverse proxy running on the same host as the Axon.ivy Engine?

Yes. Just make sure that the system property WebServer.AJP.Address is empty after the upgrade. So we take the Tomcat default and the AJP port is only available locally.
No. You need to bind the AJP port to the public network address by setting the system property WebServer.AJP.Address to YOUR_AXON_IVY_ENGINE_IP_ADDRESS. Additionally, you need to configure your network to ensure exclusive access between the reverse proxy and the Axon.ivy Engine. If this is not possible, you will need to setup a firewall on the host where the Axon.ivy Engine is running. Only requests from the reverse proxy must be allowed.

If you don't use a reverse proxy at all, then you need to disable the AJP port by setting the system property WebServer.AJP.Enabled to false.

What do you have to do when upgrading to 8.0.6?

Is your reverse proxy running on the same host as the Axon.ivy Engine?

Yes. Just make sure that Connector.AJP.Address in ivy.yaml is empty after the upgrade. So we take the Tomcat default and the AJP port is only available locally.
No. You need to bind the AJP port to the public network address by setting the property Connector.AJP.Address to YOUR_AXON_IVY_ENGINE_IP_ADDRESS in ivy.yaml. Additionally, you need to configure your network to ensure exclusive access between the reverse proxy and the Axon.ivy Engine. If this is not possible, you will need to setup a firewall on the host where the Axon.ivy Engine is running. Only requests from the reverse proxy must be allowed.

isapi.dll and mod_jk.so upgrades

We also bundle with the upcoming release the latest version of isapi.dll and mod_jk.so. They are needed by the reverse proxy (IIS, Apache httpd). We recommend to upgrade them on the reverse proxy as described in the migration guide.

What about secret and secretRequired?

You may have read something about secret or secretRequired. This is an alternative way to protect the communication between the reverse proxy and Axon.ivy Engine. We believe that a secure communication between the reverse proxy and the Axon.ivy Engine should be protected by firewall rules even in trusted networks and therefore this is not needed.

If you don't have the same opinion, we would love to hear 👂 why!

If you really want to use secret and secretRequired, you can define them in ivy.yaml (see configuration). Furthermore you need to define the secret itself in the [worker.properties][5] as part of the reverse proxy installation.

Security is important to us 💯 %

We, the platform development team, take security very seriously. If you have any questions or find other weaknesses, please do not hesitate to contact us.

How to set multiple responsible roles for a process start request

Adrian Imfeld — Thu, 07 Nov 2019 09:49:11 -0500

How can we set more than one role as "Responsible role" on a Request Start element on the Request tab. Users with different roles (not able to organize under one commen role tree node) should see a process in the portal and should be able to start it.

My workaround at the moment is to define two different start elements, which are identical except the responsible role. It works, but... If one user holds both roles, he will see two identical processes.

Thanks for help.

retrieve user attributes

peterw81 — Wed, 04 Sep 2019 09:50:52 -0400

Hi All

How can I retrieve attributes from a user that is not the logged in user? I would need to get the user's email and phone number durning a subprocess that is running as system.

Any ideas are greatly appreciated.

Many thanks in advance regards, p

Failed to generate random number within 10 seconds

SupportIvyTeam — Fri, 17 Aug 2018 04:03:38 -0400

Failed to generate random number within 10 seconds. This could slow down the JSF runtime dramatically. Please consider installing a secure random provider for 'SHA1PRNG'!

How to secure Rest Services from Ivy 6.2 with Authorization Bearer instead of Basic

thminh — Thu, 21 Jun 2018 07:31:33 -0400

As the tittle. I'm using Ivy version 6.2 and would like to know how to secure my REST Services using Bearer Authorization instead of basic. Thanks

Permission to reassign tasks

YogiOL — Fri, 27 Oct 2017 06:12:50 -0400

Hi there, what rights must a user or a role have in RIA Workflow UI to be able to reassign (delegate) tasks ?

Is ivy affected by the newly found Apache Tomcat RCE vulnerabilities (CVE-2017-12615 and CVE-2017-12617) ?

SupportIvyTeam — Mon, 25 Sep 2017 03:53:51 -0400

Two Remote code execution (RCE) security vulnerabilities affecting all versions of Apache Tomcat have been found last week.

CVE-2017-12615 (RCE when readonly set to false, affects Tomcat < 7.0.81 on Windows)

CVE-2017-12617 (RCE when readonly set to false, affects all Tomcat versions on all Operating systems)

Is ivy affected by the newly found Apache Tomcat RCE vulnerabilities (CVE-2017-12615 and CVE-2017-12617) ?

Is it possible to access Ivy's RESTful API from an HtmlDialog or within the same session?

Genzer Hawker — Wed, 22 Feb 2017 08:26:22 -0500

Hi Ivy Team

I have a HtmlDialog containing several links to our RESTful API (implemented using Axon.ivy). However, every time the user accesses to the API, the browser requires authentication even though the user has already logged in.

I'm aware of the javax.annotation.security.PermitAll/DenyAll (-- which seems to be the only annotations supported?) but I want to keep the Basic authentication intact.

Say the page could be like this:

< !-- The HelloWorld dialog -->
< h:html>
    < h:body>
        < h:outputLink value="/ivy/api/designer/helloworld" target="_blank">
            Click to see Hello World
         < /h:outputLink>

        < h:outputLink value="/ivy/file/designer/session/some_file_already_created.txt" target="_blank">
            Get content of file
        < /h:outputLink>
    < h:/body>
< /h:html>

The first link will require authentication whereas the second works normally.

Is there a possible way to overcome this?

Changing the Security System

Stelt0 — Fri, 10 Feb 2017 09:52:07 -0500

Hello IvyTeam,

Is it possible to change the security system of application once it has been set ?

Let`s say I want to start with Ivy Users and at some point to change to Active Directory ?

Best Regards, Yordan Yunchov

Is there something managing user concurrent sessions?

RemiMorin — Fri, 09 Dec 2016 21:54:58 -0500

We need to implement a security enabling a user to be logged only in one session. We will either prevent him to log twice or kill any other session on login.

Is there already something to support that (aka sessiob listener or session filter).

Display name of ivy role

josef_koupal — Mon, 26 Sep 2016 14:03:59 -0400

Is there a possibility to set Ivy role the display name ? There sure is one in designer - roles editor. But i wonder if i can do such thing on server with 'living' roles. Or even those synchronized with Novell.

Login needed for index page of Ivy server

nam_ha — Fri, 12 Aug 2016 05:02:18 -0400

Hello IvyTeam (and Everybody) Currently we have a cloud server which hosts an Ivy server. For the security reason, can I force the user to pass login credentials to access the index page of the server? I would like to use it in the HTTPS as well. Thank you very much.

Disabling SSLv3 and SSLv2 in engine

skilchenmann — Wed, 27 Jul 2016 16:18:10 -0400

Hi there

How can I disable less secure encryption methods and use only TLS within the ivy engine?

Thanks for your feedback, Sven

REST service security

Stelt0 — Mon, 04 Jul 2016 13:22:42 -0400

Hello All,

What is the security context of the new REST services ? How to get/check the user that is consuming them ?

Thanks a lot !

Best Regards, Yordan Yunchov

Add Role permanently to User programmatically

Florian Hitz — Thu, 30 Jun 2016 15:33:27 -0400

Hi I want to assign a role to a user permanently in my software. And i need to this programmatically. Can anyone help me out? I tried the addRole function in IUsers but this is just temporary i think. Best regards Florian

Ajax call from HTML Dialog to consume Web Service and REST Service

Stelt0 — Thu, 23 Jun 2016 17:40:38 -0400

Hi All,

I have the situation where from HTML dialog I need to make custom Ajax call to ivy Web Service in the same process. I`m wandering what would be the implications of this approach regarding the security context.

The Ajax call will send a HTTP request with the cookie session of the currently logged user. Will this be enough for ivy engine to identify the user ?

This question is also valid for the future release 6.2 when it comes to REST services.

Best Regards, Yordan

Ivy permissions and system permission

Michael Knight — Tue, 21 Jun 2016 17:37:18 -0400

Is it safe to set all rights to granted in the Ivy Admin console for the role "Everybody"

For example a user has the "UserAddRole" permission. If the webapp doesn't has the feature to add a role is it still somehow possible for the user to add a role?

In other words: As long as the webapp controls the security itself, does it need the ivy security layer?

How to map AD group to Ivy role?

Adrian Imfeld — Thu, 23 Jul 2015 12:24:42 -0400

We like to manage the rights for our ivy applications over the Microsoft Active Directory. According the AD groups, ivy roles should automatically added to the ivy user. We have in mind to build some technical processes to do that. But we have some questions...

Is it possible to read (lower) OU's of a user?
If we have the OU "ivy" to import all users and there is a OU "admin" under the OU "ivy", can we find out which users are in the OU "admin"? How can we get this information. Maybe some how like reading AD attributes?

Is it possible to listen to the LDAP synchronisation of the ivy server?
Every times when the user synchronisation is finished, our code should be executed to add specified ivy roles to the user based on the AD OU's.

Thank you for your support

LDAP API call cache

tauser — Fri, 30 Jan 2015 15:26:48 -0500

Hi, we have some performance problems by communication with LDAP after switching from 4.3 to 5.0. I have two questions

were there any changes intern by calling API (see bellow)
are there any API methods which doesn't communicate with LDAP (using direct only ivy system database) ?

Especially we use the following method

ISecurityContext.findRole(...)
IWorkflowSession.hasRole(IRole, Boolean)

Permission Denied: needs Permission SYSTEM but the Session is SYSTEM

HaraldWeber — Thu, 23 Oct 2014 10:52:10 -0400

I have a strange Exception here:

Session 0 (SYSTEM) is not allowed to call method public ch.ivyteam.ivy.workflow.IProcessData ch.ivyteam.ivy.workflow.internal.Task.getInternalProcessData().
The session does not fulfill the permission rule SESSION IS SYSTEM

This says the Session has the permission SYSTEM but the call was denied because the Session has not the permission SYSTEM.

Code is:

final ITask task = Ivy.wfTask();
IProcessData ipd = Ivy.session().getSecurityContext()
    .executeAsSystemUser(new Callable<iprocessdata>() {
    @Override
    public IProcessData call() throws Exception {

        return task.getInternalProcessData();
    }

});

Permissions needed to call a API method

Reto Weiss — Tue, 21 Oct 2014 09:58:46 -0400

Where can I find what permissions a user needs to call an Axon.ivy API method?

Difference between UserReadAll or UserReadName Permission / Permission Overview

Stefan — Mon, 20 Oct 2014 10:35:24 -0400

To read a users name (User.getName()) whitin a script element, I assigned the corresponding permission "UserReadAll" to the role the calling user owned. Nevertheless, ivy reports the Error "The session does not fulfill the permission rule SESSION (MATCHES THIS AND OWNS UserReadOwnName PERMISSION) OR OWNS UserReadName PERMISSION OR OWNS UserReadName@SYSTEM PERMISSION" After that, I added also the permission "UserReadName/UserReadFullName" and then it worked.

What's the difference between "UserReadAll" and "UserReadName"? In my opinion, the "UserReadAll" permission should cover and allow all "Read" operations on a user object.

Is there any documentation which explains the permission concept of ivy? I couldn't find any detailed information about in the documentation section available on the xpert.ivy download area.

Thanks and regards, Stefan

How can I disable Permission checks?

Reto Weiss — Thu, 05 Jun 2014 09:39:21 -0400

I have a process that does some administrative tasks that requires a lot of Axon.ivy permissions. The user that executes the task does not own all of the required permissions.

But I as a process designer know what I do and I want to give the user the possibility to execute the administrative task without the necessary Axon.ivy permissions. I implement the security in the process itself by guarding the process start with a certain role for example.

How can I disable programmatically Axon.ivy Security/Permission checks?

Java blocks Rich Dialog applications and we cannot update

MichaelDänzer — Tue, 20 May 2014 08:11:45 -0400

My customer runs an Xpert.ivy server without the newest patches. Another customer runs an internal Xpert.ivy server and signs the server with a self generated certificate. With the newest JRE versions (1.7.51 and higher) the rich dialogs can no more be executed or do show a lot of security prompts. Is there a way to let these application run again?

How to grant permssions to a user or role in Designer?

Reto Weiss — Fri, 25 Apr 2014 08:46:22 -0400

How can I grant additional permissions to a user or role in Designer? There seems to be no editor to configure that.

How to reset a task back to state SUSPENDED cancelled by the user

Stefan Kressig — Wed, 23 Apr 2014 23:07:42 -0400

(This question belongs to ivy 5.x)

If a user opens a task (which presents a user dialog to him) and then, a little later he cancels the task (exits from user dialog), xpert.ivy finishes this task and set it's state to DONE. In such a case (after cancelling), the Task should go back to the state SUSPENDED it had before the user started it.

I don't want to delete this task and recreate it, so I tried to reset the task by calling the method ivy.task.reset() in a script element after closing the user dialog, but ivy returns the following error message:

"Session 1 (xyz) is not allowed to call method public void ch.ivyteam.ivy.workflow.internal.Task.reset(). The session does not fulfill the permission rule SESSION OWNS TaskReset PERMISSION OR OWNS TaskReset@SYSTEM PERMISSION"

It's no problem to set this rights by the Administration Console, but it's not useful to set this right to all users created in ivy. Is there a way to set the appropriate permission within an ivy script element or is there another doing to reset a task?

Thanks

Has the HeartBleed-Vulnerabilty an impact on Xpert.ivy?

Nikel Weis — Fri, 11 Apr 2014 14:18:04 -0400

Has the HeartBleed-Vulnerabilty an impact on Xpert.ivy?

PermissionDeniedException when calling iUser.getAllRoles()

Tran Cuong Truc — Wed, 26 Feb 2014 05:16:00 -0500

My call to

aUser.getAllRoles();

throws the exception:

PermissionDeniedException: Session 1 (cuongtruc.tran) is not allowed to call method public java.util.List ch.ivyteam.ivy.security.internal.User.getAllRoles(). The session does not fulfill the permission rule SESSION (MATCHES THIS AND OWNS UserReadOwnRoles PERMISSION) OR OWNS UserReadRoles PERMISSION OR OWNS UserReadRoles@SYSTEM PERMISSION

I even tried with grant admin permisson to that user but still throws the same exception.