Adempiere Web Services Security

From ADempiere ERP Wiki

This page explains the security model of ADempiere Web Services.

Configuration

Web Service

First you must register the web services:

01 WebService.png

Methods

And then you must register each method from the web service.

02 WebServiceMethod.png

Security

Model web services are highly generic, so they need an additional security layer to ensure that the security of the server is not compromised.

It is therefore important to allow fine-grained configuration of the allowed values for each method. This is achieved by configuring web service types on a per-client basis.

Role and User

First, it is recommended that you create a specific role and user (or several) just for the web services. The role must be manual, and you must allow access only to the processes needed: no windows, no tasks, etc.

03 WebServiceRole.png

Sample - Process Invoice web service

Web Service Types

In a web service type you configure specific types of the generic web services. For example, you can configure a web service to call the process that starts the workflow for Process Invoice.

04 WebServiceType.png

Parameters

This web service receives some specific parameters, so here we configure whether each parameter can be used freely (Free) or must have a constant value (Constant).

05 WebServiceTypeParams.png

Access

Then you must configure the Access to allow execution by the proper web service role:

06 WebServiceTypeAccess.png

Sample Create BPartner web service - using Fields input

A more complex configuration must be done for the methods that pass and receive data rows.

In this case you must configure the allowed input columns, and/or the allowed output columns.

Examples of methods that receive a data row are createData, updateData and queryData.

Examples of methods that return a data row are readData, queryData and getList.

Web Service Type Using Fields Input

Again, you must configure the Web Service Type. But in this case you need to specify the table associated with the web service:

07 WebServiceType.png

Parameters Allowed

You also need to configure the constant and free parameters:

08 WebServiceTypeParams.png

Fields Input

Here you must configure the columns that are allowed to be passed in the data row.

This is a really important step: for example, allowing modification of the password on the user table can seriously compromise the security of the server.

09 WebServiceTypeFieldsInput.png
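
The checks described under Parameters, Access and Fields Input, sketched as an added Python example (this is not ADempiere's own code, which this page does not show). The class, the function names, the role name and the sample parameter and column names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class WebServiceType:
    """Hypothetical in-memory model of one web service type record."""
    name: str
    method: str                                          # registered method, e.g. createData
    constant_params: dict = field(default_factory=dict)  # name -> the only accepted value
    free_params: set = field(default_factory=set)        # caller may choose the value
    input_columns: set = field(default_factory=set)      # columns allowed in the data row
    roles: set = field(default_factory=set)              # roles granted Access

def check_request(ws_type, role, method, params, data_row):
    """Return a list of violations; an empty list means the call is allowed."""
    errors = []
    if role not in ws_type.roles:
        errors.append(f"role {role!r} has no access to {ws_type.name}")
    if method != ws_type.method:
        errors.append(f"method {method!r} not registered for {ws_type.name}")
    for name, value in params.items():
        if name in ws_type.constant_params:
            if value != ws_type.constant_params[name]:
                errors.append(f"parameter {name!r} must be constant")
        elif name not in ws_type.free_params:
            errors.append(f"parameter {name!r} not configured")
    for column in data_row:                # deny by default: unlisted columns are rejected
        if column not in ws_type.input_columns:
            errors.append(f"column {column!r} not allowed as input")
    return errors

# Constructed sample configuration (all names and values are assumptions).
CREATE_BP = WebServiceType(
    name="CreateBPartner", method="createData",
    constant_params={"TableName": "C_BPartner", "Action": "Create"},
    free_params={"RecordID"},
    input_columns={"Value", "Name", "TaxID"},
    roles={"WebService"},
)

def demo():
    ok = check_request(CREATE_BP, "WebService", "createData",
                       {"TableName": "C_BPartner"}, {"Value": "BP01", "Name": "Acme"})
    bad = check_request(CREATE_BP, "WebService", "createData",
                        {"TableName": "AD_User"}, {"Name": "x", "Password": "p"})
    return ok, bad

if __name__ == "__main__":
    for result in demo():
        print(result or "allowed")
```

The second request is rejected twice: it tries to override a Constant parameter and to write a column that is not in the Fields Input list.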