Prior to 5.7.3, catalog credentials were expected to be in the request sent to Rule Execution Service (RES) via the REST endpoint. Going forward, by default, this will not be allowed and catalog credentials will not be accepted on RES REST requests. Instead, the username and password should be added to the service's configuration so that they do not have to be sent in the request. Customers will have the option to toggle this security enhancement off, but we do not recommend it.
This can be configured by editing the web.config for the service if it is IIS-hosted, or by editing the app.config if it is Windows-hosted. It can be configured in the following settings:
<catalog catalogServiceUri="http://localhost/InRuleCatalogService/Service.svc" userName="admin" password="password" allowPerRequestCatalogCredentials="false" />
<!-- specify userName / password to utilize no-credentials client auth. -->
<restRuleApplication path="RuleApps" />
<!-- Absolute path to ruleapps -->
<messagingLimits maxItemsInObjectGraph="2147483647" />
Alternatively, add the following to appSettings:
<add key="inrule:runtime:service:catalog:allowPerRequestCatalogCredentials" value="false" />
The default value for allowPerRequestCatalogCredentials is false. This means the RES REST call does not accept catalog credentials on requests. Changing allowPerRequestCatalogCredentials to true would mean no change in behavior after the upgrade.
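One way to check a deployed web.config or app.config for this setting is shown below. It is an added example, not InRule code. The function name audit_res_config, the <exampleSection> parent element and both sample configs are constructed for illustration. Because the page does not say which location takes precedence, the check reports a value of true in either one.

```python
import xml.etree.ElementTree as ET

ATTR = "allowPerRequestCatalogCredentials"
APP_KEY = "inrule:runtime:service:catalog:" + ATTR


def audit_res_config(xml_text):
    """Return findings for one RES web.config / app.config document."""
    root = ET.fromstring(xml_text)
    catalogs = list(root.iter("catalog"))

    # The two places the article names for the toggle. The page does not say
    # which wins when both are set, so either one being "true" is reported.
    settings = [(f"catalog/@{ATTR}", el.get(ATTR)) for el in catalogs]
    settings += [
        (f"appSettings/{APP_KEY}", el.get("value"))
        for el in root.iter("add")
        if (el.get("key") or "").lower() == APP_KEY.lower()
    ]
    findings = [
        f"{where} is true: catalog credentials accepted on REST requests"
        for where, value in settings
        if (value or "").strip().lower() == "true"
    ]

    # With the toggle off (the default), credentials must come from the config.
    if not findings:
        for el in catalogs:
            if not (el.get("userName") and el.get("password")):
                findings.append("catalog element lacks userName/password")
    return findings


# Constructed sample configs; <exampleSection> is a placeholder parent element.
HARDENED = """<configuration><exampleSection>
  <catalog catalogServiceUri="http://localhost/InRuleCatalogService/Service.svc"
           userName="res-svc" password="placeholder"
           allowPerRequestCatalogCredentials="false" />
</exampleSection></configuration>"""

WEAKENED = """<configuration>
  <appSettings>
    <add key="inrule:runtime:service:catalog:allowPerRequestCatalogCredentials" value="true" />
  </appSettings>
  <exampleSection>
    <catalog catalogServiceUri="http://localhost/InRuleCatalogService/Service.svc" />
  </exampleSection>
</configuration>"""
```

An empty list means the file keeps the default behavior and supplies catalog credentials from the config.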