Page History

...

In a production environment only shortcuts should be used instead of exposed flows. By default, all exposed flows can be started externally. Please read Create a shortcut in the Java Runtime on how to create a shortcut. Disabling starting all exposed flows can be done by setting the blueriq.production.shortcuts-only to true in 

Example in

blueriq.production.shortcuts-only=true

AQ_StartProject

By default shortcuts can be accessed externally via the url (e.q. http://localhost:91/Runtime/server/start/<SHORTCUT_NAME>). When using shortcuts in combination with AQ_StartProject you should be aware that this shortcut can also be accessed externally. To prevent this for from happening, you should set the property privateAccess to true (e.q. (blueriq.shortcut.[name].privateAccess=true). The reason for this is that via the AQ_StartProject, parameters are passed to the shortcut application and are picked up via the AQ_GetRequestParameters service. The AQ_GetRequestParametersdoes  does not distinguish how the way parameters are send. For more information about the way passing parameters are send via the AQ_StartProject, please read AQ_StartProject#Security.

Example shortcut in application.properties

blueriq.shortcut.<SHORTCUT_NAME>.flow=<FLOW>
blueriq.shortcut.<SHORTCUT_NAME>.languageCode=<LANGUAGE>
blueriq.shortcut.<SHORTCUT_NAME>.project=<PROJECT>
blueriq.shortcut.<SHORTCUT_NAME>.theme=<THEME>
blueriq.shortcut.<SHORTCUT_NAME>.ui=<MVC>
blueriq.shortcut.<SHORTCUT_NAME>.version=<VERSION>
blueriq.shortcut.<SHORTCUT_NAME>.privateAccess=true

AQ_GetRequestParameters

 The AQ_GetRequestParameters service is able to retrieve parameters from the URL. You should treat these parameters as "dirty", which means you should validate if these parameters before using them. 

...