As per the BDD Framework documentation:
"Note: When calling a TestSuiteScreen, always make sure that it can be accessed through non-authenticated requests (in Service Studio, set the Anonymous Role in the Web Screen properties.) When the BDDFramework makes a request to get the screen, it will be without authentication and as a result, it won’t work if not set up this way."
I don't like this at all, since it basically means that anyone can access thorough documentation of my client's business logic in the form of BDD test scenarios.
Is there any way to secure the BDD test screens? I should mention that I'm also using the TestFramework developed by Indigo to automate my BDD tests.
Hi,
What about using the Internal Network feature (see [1] [2])? Would that be an option?
Cheers,
Pedro
[1] https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Secure_the_Applications/Configure_an_Internal_Network
[2] https://success.outsystems.com/Documentation/11/Developing_an_Application/Secure_the_Application/Restrict_Access_to_an_Internal_Network
Hi Johan,
I totally agree with you that it wouldn't be a viable option.
However, if you do not deploy and run the tests on the production environment, wouldn't this solve your issue?
They would still be readily available on the internet even if they are only published on the dev environment, right?
Of course, the URL would have to be known, so maybe it's far-fetched to assume that this is a problem... still, I feel it's not very elegant to have them out in the open like that!
Yes, this might absolutely be an option!
However, I'm unsure what would happen when the automated TestFramework suite runs, i.e. what IP address it would use?
It should run under the IP of the environment, so I guess it won't be a problem ;)
Ah, of course... :D
So, @Pedro Gonçalves, would a feasible solution be to contact support (this is a cloud environment), ask them to put the dev environment's front end server IP as the "Internal network address", and then set my BDD screens to "Internal access only"?
BTW, in the second link it was written that it is for Traditional Web only (at least the part of setting the property on the Screen itself). So you have to double check that part ;)
Yes, I noticed; that's no problem, however, as I'm looking into implementing this on the BDD Framework screens :)
Affirmative, that's what I'm reading in that suggested article. I made this same contact in the past to activate Internal Network, but for other reasons, not due to BDD Framework. I believe it was done for those internal reporting screens to be printed to PDF, which prior to Platform Server 11 required anonymous access (this is no longer the case, thanks to a recent Forge component).
Ah, totally right
Wonderful then, this is a perfect solution for me. Thank you!