Overview
IM implements several layers of security to protect integrations, credentials, and the Pricefx data they access. All provisioned IM instances run with these protections enabled — they cannot be bypassed or disabled at the instance level.
1. Credential Management — Never Hardcode
The most important rule: credentials must never appear in route XML, mapper files, or any file committed to the Git repository.
Always use property placeholders:
```xml
<!-- Correct: values are resolved from encrypted properties at runtime.
     Inside an XML attribute the query separator must be written as &amp; -->
<to uri="sftp:{{ftp.host}}?username={{ftp.username}}&amp;password={{ftp.password}}"/>

<!-- Wrong — never do this -->
<to uri="sftp:files.example.com?username=admin&amp;password=secret123"/>
```
Properties with sensitive values are stored encrypted via PlatformManager and injected at runtime. See Encrypting Properties in PlatformManager docs.
2. Groovy Sandbox
All Groovy expressions (in mappers, filters, routes) and classes in classes/ run inside a security sandbox that:
- Restricts which Java classes and methods can be called — only whitelisted types are permitted
- Enforces an execution time limit (integration.groovy-sandbox.timeout, in seconds) — scripts exceeding the limit are aborted with GroovyEvaluationException
- Blocks anonymous inner classes and reflective access to sensitive APIs
- Is always enabled on provisioned instances and cannot be disabled
See the Groovy Sandbox page for the full whitelist, blacklist, and how to request additions.
3. File System Access Restriction
IM enforces restrictions on which parts of the file system routes can read or write. Scripts and integrations cannot access arbitrary file paths — only permitted directories (inbound/outbound as configured, and the resources/ directory) are accessible.
This prevents routes from reading system files, credentials, or other instance configuration they should not access.
See File System Access Restriction for the full policy.
4. Infrastructure Security
All provisioned IM instances run on managed infrastructure (AWS or GCP):
- No direct server access — there is no SSH access to the IM host. All management is via PlatformManager.
- No custom Docker images — only the official IM JAR runs on provisioned instances.
- Isolated instances — each instance has its own JVM, memory, and CPU. Instances cannot access each other's data or configuration.
- TLS everywhere — all communication between IM and Pricefx, and between IM and PlatformManager, is encrypted in transit.
- Regions — instances are deployed in EU or US regions (AWS: eu-central-1 / us-east-1, GCP: europe-west1 / us-central1).
5. Connection Credentials
Connections to external systems (databases, SFTP, REST APIs) are stored as JSON files in connections/ or managed via PlatformManager. Passwords and API keys in connection files are stored encrypted.
Best practices:
- Use connection definitions (connection=myConn) rather than embedding username= and password= inline in URIs
- Rotate credentials via PlatformManager without changing route code
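The rule in sections 1 and 5 (no literal username=/password= in route URIs; use {{property}} placeholders or a connection=myConn definition instead) is easy to enforce mechanically before code reaches the Git repository. The following Python script is an added example, not part of IM or the Pricefx documentation: it parses Camel route XML, inspects every uri attribute and reports credential-style query parameters whose value is a literal rather than a whole-value placeholder. The sample routes, the SENSITIVE_PARAMS list and all function names are constructed assumptions; it goes beyond the two URIs on the page by scanning whole files and masking the offending values so that the check itself does not leak secrets into CI logs.

```python
"""Added example: scan Camel route XML for credentials embedded inline in URIs.

Not part of IM; a constructed pre-commit style check. A sensitive query
parameter must be a {{property}} placeholder (resolved from encrypted
properties at runtime) or absent because the route uses connection=<name>.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Query parameter names treated as credentials (assumed list, extend as needed).
SENSITIVE_PARAMS = {"username", "password", "passphrase", "token", "apikey",
                    "accesskey", "secretkey"}
# A whole-value property placeholder such as {{ftp.password}}.
PLACEHOLDER_RE = re.compile(r"^\{\{[^{}]+\}\}$")

# Constructed sample routes: placeholders, a connection definition, and one
# route with a hardcoded login. Inside XML attributes '&' must be '&amp;'.
SAMPLE_ROUTES_XML = """<routes xmlns="http://camel.apache.org/schema/spring">
  <route id="ok-placeholders">
    <from uri="timer:tick?period=60000"/>
    <to uri="sftp:{{ftp.host}}?username={{ftp.username}}&amp;password={{ftp.password}}"/>
  </route>
  <route id="ok-connection">
    <from uri="timer:tick?period=60000"/>
    <to uri="sftp:{{ftp.host}}?connection=myConn"/>
  </route>
  <route id="bad-hardcoded">
    <from uri="timer:tick?period=60000"/>
    <to uri="sftp:files.example.com?username=admin&amp;password=secret123"/>
  </route>
</routes>"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}route' -> 'route'."""
    return tag.rsplit("}", 1)[-1]


def uri_query_params(uri):
    """Split a Camel URI's query string into (name, value) pairs without
    URL-decoding, because Camel does not treat '+' as a space."""
    _, sep, query = uri.partition("?")
    if not sep:
        return []
    pairs = []
    for part in query.split("&"):
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def is_inline_credential(name, value):
    """True when a sensitive parameter carries a literal value, not a placeholder."""
    return name.lower() in SENSITIVE_PARAMS and not PLACEHOLDER_RE.match(value)


def redact_uri(uri):
    """Mask literal credential values so findings can be logged safely."""
    base, sep, _ = uri.partition("?")
    if not sep:
        return uri
    parts = [f"{n}={'***' if is_inline_credential(n, v) else v}"
             for n, v in uri_query_params(uri)]
    return f"{base}?{'&'.join(parts)}"


def find_inline_credentials(routes_xml):
    """Return one finding per hardcoded credential parameter in any uri attribute."""
    findings = []
    root = ET.fromstring(routes_xml)
    for route in root.iter():
        if _local(route.tag) != "route":
            continue
        route_id = route.get("id", "<no id>")
        for el in route.iter():
            uri = el.get("uri")
            if not uri:
                continue
            for name, value in uri_query_params(uri):
                if is_inline_credential(name, value):
                    findings.append({"route": route_id, "element": _local(el.tag),
                                     "param": name, "uri": redact_uri(uri)})
    return findings


def main(paths):
    """Check the given route files (or the embedded sample); return 1 on findings."""
    sources = [(p, Path(p).read_text(encoding="utf-8")) for p in paths] \
        or [("<sample>", SAMPLE_ROUTES_XML)]
    total = 0
    for label, xml in sources:
        for f in find_inline_credentials(xml):
            total += 1
            print(f"{label}: route '{f['route']}' <{f['element']}> hardcodes "
                  f"'{f['param']}' in {f['uri']} "
                  f"(use a {{{{property}}}} placeholder or connection=)")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_routes.py routes/*.xml` from a pre-commit hook; a non-zero exit blocks the commit. The check only accepts a placeholder that spans the entire value, so a mixed value such as `password=prefix{{x}}` is still flagged, and the reported URI never contains the literal credential.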
Summary Checklist
| Rule | Where it applies |
|---|---|
| No hardcoded passwords, tokens, or API keys | Route XML, mappers, application.properties |
| Use | Route URIs |
| Groovy sandbox is always on — test in provisioned environment | |
| Do not commit | Repository |
| Manage credentials via PlatformManager | Encrypted properties, connections |
See Also
- Groovy Sandbox — Whitelist, blacklist, timeout configuration
- Encrypting Properties — Encrypt sensitive properties in PlatformManager
- File System Access Restriction — File system access policy