Web Services Security
This page is intended to explain the security model of Web services
Web Services and their methods are registered in System.
NOTE: You don't need to register this, it is preconfigured in vanilla iDempiere.
Model web services are highly generic - so they need an additional security layer in order to ensure the server security is not compromised.
It's important then to allow fine configuration of the allowed values for each method, this is achieved configuring web service types in a client basis.
Role and User
Firstly is recommended you create a specific role and user (or several) just for the web services, the role must be manual, and you must allow access just to the processes needed. Not windows, not tasks, etc.
Sample - Process Invoice web service
Web Service Types
In web service type you configure types of the generic web services, for example you can configure a web service to call the process that starts the workflow for process invoice.
This web service receives some specific parameters, so we configure here if the parameter can be used freely (Free), or if the parameter must have a constant value (Constant).
And then you must configure the Access to allow execution from the proper web service role:
Sample Create BPartner web service - using Fields input
A more complex configuration must be done for the methods that pass and receive data rows.
In this case you must configure the allowed input columns, and/or the allowed output columns.
Example of methods that receive data row are createData, updateData, queryData.
Example of methods that return data row are readData, queryData, getList.
Web Service Type Using Fields Input
Again, you must configure the Web Service Type. But in this case you need to specify the table associated with the web service:
You also need to configure the constant and free parameters:
And here you must configure the allowed columns to pass in datarow.
This is a really important step, for example allowing modification of the password on user table it can compromise seriously the security of the server.
How to get default parameters ?
Since version 8.1, it is possible to populate the 'Parameters' sub tab using a process (WebServiceTypeCreateParameters).
After you save the main record, just press the "Create Default Parameter" button and see the parameters (with values according to the selected method) on the sub tab.