Web Services Security


This page explains the security model of web services.


Web Service

Web Services and their methods are registered in System.

NOTE: You don't need to register these; they are preconfigured in vanilla iDempiere.

01 WebService.png


Model web services are highly generic, so they need an additional security layer to ensure that the security of the server is not compromised.

It is therefore important to allow fine-grained configuration of the allowed values for each method. This is achieved by configuring web service types on a per-client basis.

Role and User

First, it is recommended that you create a specific role and user (or several) just for the web services. The role must be manual, and you must allow access only to the processes needed: not windows, not tasks, etc.

03 WebServiceRole.png

Sample - Process Invoice web service

Web Service Types

In Web Service Type you configure specific types of the generic web services. For example, you can configure a web service to call the process that starts the workflow for processing an invoice.

This web service receives some specific parameters, so here we configure whether each parameter can be used freely (Free) or must have a constant value (Constant).

04 WebServiceType.png


And then you must configure the Access to allow execution from the proper web service role:

06 WebServiceTypeAccess.png

Sample Create BPartner web service - using Fields input

A more complex configuration is required for the methods that pass and receive data rows.

In this case you must configure the allowed input columns, and/or the allowed output columns.

Examples of methods that receive a data row are createData, updateData and queryData.

Examples of methods that return a data row are readData, queryData and getList.

Web Service Type Using Fields Input

Again, you must configure the Web Service Type, but in this case you need to specify the table associated with the web service:

Parameters Allowed

You also need to configure the constant and free parameters:

07 WebServiceType.png

Fields Input

Here you must configure the columns that are allowed to be passed in the data row.

This is a really important step: for example, allowing modification of the password on the user table can seriously compromise the security of the server.

09 WebServiceTypeFieldsInput.png
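
The checks that this configuration expresses (role access, Free/Constant parameters and the Fields Input allowlist) can be modelled in a few lines. This is an added example, not iDempiere code: the `ServiceType` class, the `check_request` function, the role name, and the sample parameter and column names are constructed for illustration, and rejecting parameters that are not configured is an assumption of the model.

```python
from dataclasses import dataclass, field

@dataclass
class ServiceType:
    """Simplified model of one Web Service Type record (not iDempiere's classes)."""
    method: str
    roles: set      # roles granted on the Access tab
    params: dict    # name -> ("Free", None) or ("Constant", value)
    input_columns: set = field(default_factory=set)  # Fields Input allowlist

def check_request(st, role, method, params, row):
    """Return the list of violations; an empty list means the call is allowed."""
    problems = []
    if role not in st.roles:
        problems.append(f"role {role!r} has no access to this service type")
    if method != st.method:
        problems.append(f"method {method!r} is not the configured method")
    for name, value in params.items():
        mode, constant = st.params.get(name, (None, None))
        if mode is None:  # assumption of this model: unknown parameters are refused
            problems.append(f"parameter {name!r} is not configured")
        elif mode == "Constant" and value != constant:
            problems.append(f"parameter {name!r} must be {constant!r}")
    for column in row:
        if column not in st.input_columns:
            problems.append(f"column {column!r} is not an allowed input field")
    return problems

# Constructed sample configuration: a type that may only edit contact data
# on the user table, so the password column is deliberately not listed.
UPDATE_CONTACT = ServiceType(
    method="updateData", roles={"WebServiceRole"},
    params={"TableName": ("Constant", "AD_User"),
            "Action": ("Constant", "Update"),
            "RecordID": ("Free", None)},
    input_columns={"Name", "EMail"},
)

def demo():
    """Run one allowed and one rejected request (both constructed)."""
    params = {"TableName": "AD_User", "Action": "Update", "RecordID": "1000"}
    ok = check_request(UPDATE_CONTACT, "WebServiceRole", "updateData",
                       params, {"EMail": "new@example.org"})
    bad = check_request(UPDATE_CONTACT, "WebServiceRole", "updateData",
                        params, {"EMail": "new@example.org", "Password": "x"})
    return ok, bad

if __name__ == "__main__":
    for result in demo():
        print(result or "allowed")
```
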

How to get default parameters?

Since version 8.1, it is possible to populate the 'Parameters' sub tab using a process (WebServiceTypeCreateParameters).

After you save the main record, just press the "Create Default Parameter" button and see the parameters (with values according to the selected method) on the sub tab.

WS ProcessCreateParam01.png

Result:

WS ProcessCreateParam02.png
