Passing the username/pwd in the REST API URL

I saw that you have to pass the username and pwd w/in the GET parameters after the ‘?’. That is a bad practice to do. If on JBoss you turn on logging of query
params then you log user/pwd within the web server logs which is not good.

Is there a way to do something else with this on the Agiloft end to fix that
security issue?

I see a discussion from the developers about the possibility of implementing JSON Web Token as an option for encrypting the credentials of the REST API.

If the username is going to be constant, then you may retrieve the encrypted hotlink by downloading a sample HTML API client form through Setup table -> API -> Download HTML. The “$genhotlink” and “$genproject” values from it could then be used in regular REST API calls.

An example encrypted REST API call follows:-
https://beta.agiloft.com/ewws/EWCreate/.json?$genhotlink=vDbeca8O46MDO16cz/pOuZRP/k5EVZtrFUi6EhpwOL5qT2n3nE9WoYK3ndzN/FfcmJMeBjIFNFtxyYB6JUYTXEaup+6GTVnh/dtLrfojvF86XFx1Mjg83h77F3rwCUF/higOEff/i1ObTWhpsfbR6wfHmVl7f+BwiZBbqMbyCpeGlQZ07qW033gvDMnbo7U4vLseDKc34bacbtLNNbnPc+bbmlm/D0hxnZiHta4rXtG4aWTPrVXBWzwSHsKH+BJcEp8SjT8L1RMzoeA0VCbH6OrFBzVJuw/puhJ5gq4sBQ66Pj7LdxVEzZVDJyon+RKo7zcs6AKtzjzkrkd1ks4MdD+uERemfnIfkfgureFLqe7TJ3pmv4+wUC/gilhvFCJvJ0jRXjtPYUEo5+1XsgLJTv6imlilKQn4avgEMi4yACLmyemPdbeQtcRmK4UpnvmNDtJcfQHrwSaKaD+mmKTSRy1fwYMT0LXObJrzuWSasOHWyMkwaAWvT03c0Djvia8fYOmdmeCuNYfC5bPj7ySTUkoG13PKO4y4uBS+4lvCP74ft/ZGn/7tEfYhTjpCFvWERVMpK6ugao17qa7k1O72kl8YWYCwxn8/LO7zguFi/CUBoAxRtZNr5sTCfNduYmRfSFkaVI7Q/rjdfIicAE0KXEvp8D8kZDIjXDFmDqf8mSU=&$genproject=Demo_2017&summary=test1

According to Alex, this is not a security issue because:-

  1. We don’t log passwords in Jboss
  2. The client needs to use POST instead of GET requests.

We will probably be adding support for OAuth 2 as well but as it currently stands, it is not a security concern.