"Allow invocation from browser" checkbox error
Hi,
I am trying to build a custom authentication with 8.6.0. Unlike old version, when I try to do Save As Code-Security.AuthenticationLDAP activity, I get an error "Allow invocation from browser - When enabling invocation from the browser, activities should be secured with a privilege. This is done to ensure that only operators with properly configured access roles can execute the rule.", shown as below.
This error was not thrown in the old version, so I believe there was some security changes in the recent version. Anyways, I turned off the checkbox and I saved the rule. After I modified the web.xml (adding Servlet mapping), I was still able to get custom authentication to work properly. So, actually I did not have to create any priviledge as the error message shows, and still things worked fine.
Is my approach a bad practice? If so, why?
Thanks,
Pegasystems Inc.
JP
We confirmed the same behavior in our customer's project , Privilege feature is usually used for enable/disable some action depending on if the user get the particular privilege or not, means some people could and some people could not.
But in this case, it is an activity which should be could be excuted by anyone, everyone, so I think it is not possible to apply privilege feature to authentication activity here, because the only thing that the system knows is this is a Guest user.