Security considerations

This software is designed to be used as a technical API (middleware) exposed to a limited audience.

The HTTP API exposes a limited set of values from CUCM. Some of them are sensitive, in particular the “phone name” (the unique identifier of a device on a network).

All methods should be protected by authentication.

Design

This software does not store any data and is completely stateless.

Recommendations

Although the exposed HTTP API is protected by HTTP Basic Auth, it is recommended to use an appropriate firewall configuration to limit the exposure of data.

If all applications using this software run on the same machine, it should be bound to a local interface (see configuration).
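
As an added example (not taken from this project's own configuration file), a Dropwizard server section that binds both listeners to loopback. The port numbers are Dropwizard's defaults and are assumptions here.

```yaml
# Added example: Dropwizard "server" section restricted to the loopback interface.
# Ports 8080/8081 are Dropwizard defaults, assumed here; adjust to your deployment.
server:
  applicationConnectors:
    - type: http
      port: 8080
      # Without bindHost the connector listens on every interface.
      bindHost: 127.0.0.1
  adminConnectors:
    - type: http
      port: 8081
      # The admin connector (metrics, health checks, tasks) is a separate
      # listener and has to be bound separately.
      bindHost: 127.0.0.1
```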

Protecting resources

See the Dropwizard auth documentation for more details. Resources should include a parameter annotated with @Auth, as shown in the example below.

@GET
public List<Phone> get(@QueryParam("dirn") IntParam dirn, @Auth User user) {