Skip to main content

Architecture

Nextedy products (Risksheet, Powersheet, Gantt, Checklist, Planningboard) are deployed as OSGi bundles inside the Polarion Application Server. They run in the same JVM process as Polarion itself, not as separate services. Each product registers its own REST endpoints within the Polarion server. These endpoints are:
  • Accessible only within the Polarion perimeter — Product endpoints are served by the same web container as Polarion itself. They are not exposed on separate ports or external URLs.
  • Protected by Polarion authentication — Every request to a product endpoint is authenticated through Polarion’s session management. Unauthenticated requests are rejected before reaching product code.
  • Subject to Polarion’s access control — Product endpoints enforce the same project-level and role-based permissions as the rest of Polarion.
Additional security properties:
  • No separate TLS configuration — Product endpoints inherit the server’s TLS settings.
  • No debug interfaces in production — Nextedy products do not include diagnostic endpoints, admin consoles, or debug ports in production builds.

Authentication

Nextedy products delegate all authentication to the Polarion platform. They do not implement their own login mechanism and do not store or manage user credentials. Polarion supports the following authentication methods, all of which work transparently with Nextedy products:
MethodProtocolNotes
Single Sign-OnSAML 2.0, OIDCFederated identity via corporate IdP
Multi-Factor AuthenticationConfigured at IdP levelEnforced before Polarion session starts
Local accountsPolarion built-inUsername/password managed by Polarion admin
LDAP/Active DirectoryLDAP, LDAPSSynchronized or delegated authentication
Nextedy products never see user passwords. They receive the authenticated user context from Polarion’s session management layer.

Authorization

Nextedy products read Polarion’s permission model at runtime to determine what the current user is allowed to see and do. The products cannot bypass or escalate Polarion permissions. Specifically:
  • Project access — If a user does not have access to a Polarion project, Nextedy products will not display data from that project.
  • Work item permissions — Read/write access to work items respects Polarion’s role-based permissions.
  • Field-level access — Custom field visibility and editability follow Polarion’s field configuration.
  • Document permissions — LiveDoc access is governed by Polarion’s document-level permissions.

Session Management

Nextedy products use Polarion’s session management. There are no separate sessions, tokens, or cookies introduced by the products. When a Polarion session expires or is invalidated, the product’s session ends automatically.

Secure Development Practices

Nextedy applies the following practices to product development:
PracticeTool / MethodCurrent Status
Static Application Security Testing (SAST)SonarQube0 critical issues
Open-source vulnerability scanningSnyk0 high/critical vulnerabilities
Functional testingAutomated test suite98% pass rate
Code reviewPeer review on all changesRequired before merge
Dependency managementCentralized BOM, continuous scanning52 third-party components tracked
All security findings are triaged before each release. Critical and high findings must be resolved before a release is approved.
Last modified on July 10, 2026