App Architecture
Nextedy Apps (Risksheet, Powersheet, Gantt, Checklist, PlanningBoard) are deployed as OSGi bundles inside the Polarion Application Server. They run in the same JVM process as Polarion itself, not as separate services, so there is no process-level isolation between an app and the platform: the apps share Polarion's process, memory and operating-system privileges. Each app registers its own REST endpoints within the Polarion server. These endpoints are:
- Accessible only within the Polarion perimeter — App endpoints are served by the same web container as Polarion itself. They are not exposed on separate ports or external URLs.
- Protected by Polarion authentication — Every request to an app endpoint is authenticated through Polarion’s session management. Unauthenticated requests are rejected before reaching app code.
- Subject to Polarion’s access control — App endpoints enforce the same project-level and role-based permissions as the rest of Polarion.
- No separate TLS configuration — App endpoints inherit the server’s TLS settings.
- No debug interfaces in production — Nextedy Apps do not include diagnostic endpoints, admin consoles, or debug ports in production builds.
Authentication
Nextedy Apps delegate all authentication to the Polarion platform. They do not implement their own login mechanism and do not store or manage user credentials. Polarion supports the following authentication methods, all of which work transparently with Nextedy Apps:
| Method | Protocol | Notes |
|---|---|---|
| Single Sign-On | SAML 2.0, OIDC | Federated identity via corporate IdP |
| Multi-Factor Authentication | Configured at IdP level | Enforced before Polarion session starts |
| Local accounts | Polarion built-in | Username/password managed by Polarion admin |
| LDAP/Active Directory | LDAP, LDAPS | Synchronized or delegated authentication; use LDAPS, since plain LDAP sends the bind password unencrypted |
Authorization
Nextedy Apps read Polarion’s permission model at runtime to determine what the current user is allowed to see and do. Apps cannot bypass or escalate Polarion permissions. Specifically:
- Project access — If a user does not have access to a Polarion project, Nextedy Apps will not display data from that project.
- Work item permissions — Read/write access to work items respects Polarion’s role-based permissions.
- Field-level access — Custom field visibility and editability follow Polarion’s field configuration.
- Document permissions — LiveDoc access is governed by Polarion’s document-level permissions.
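The claims in the Architecture, Authentication and Authorization sections (and the no-extra-cookies claim under Session Management below) can be checked from the client side by calling one app endpoint under three conditions: with no session, with a session for a user who has access to the project, and with a session for a user who does not. The Python helper below is an added example, not Nextedy or Polarion code; it evaluates captured responses from such a test against those claims. The session cookie name JSESSIONID, the login path /polarion/login and all sample captures are assumptions constructed for illustration.

```python
# Added example, not Nextedy or Polarion code. Evaluates captured HTTP responses
# from one Nextedy App endpoint against the platform-security claims above.
# Assumptions: Polarion's session cookie is the Tomcat JSESSIONID, and the login
# page lives under /polarion/login. The sample captures below are constructed.
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urlparse

POLARION_SESSION_COOKIE = "JSESSIONID"   # assumption
POLARION_LOGIN_PATH = "/polarion/login"  # assumption


@dataclass
class Captured:
    """One captured response: status code plus raw (name, value) header pairs,
    kept as a list because Set-Cookie may legitimately repeat."""
    status: int
    headers: list = field(default_factory=list)


def header_values(resp, name):
    """All values of a header, matched case-insensitively."""
    return [v for n, v in resp.headers if n.lower() == name.lower()]


def set_cookies(resp):
    """Parse every Set-Cookie header into {cookie name: Morsel}."""
    jar = SimpleCookie()
    for raw in header_values(resp, "Set-Cookie"):
        jar.load(raw)
    return dict(jar)


def rejects_unauthenticated(resp):
    """Claim: unauthenticated requests are rejected before app code runs.
    Accept a 401/403, or a redirect whose target is Polarion's login page."""
    if resp.status in (401, 403):
        return True
    if resp.status in (301, 302, 303, 307, 308):
        targets = header_values(resp, "Location")
        return bool(targets) and urlparse(targets[0]).path.startswith(POLARION_LOGIN_PATH)
    return False


def foreign_cookies(resp, allowed=(POLARION_SESSION_COOKIE,)):
    """Claim: apps introduce no cookies of their own. Returns any cookie names
    set by the response other than Polarion's session cookie."""
    return sorted(n for n in set_cookies(resp) if n not in allowed)


def session_cookie_hardened(resp):
    """Claim: app endpoints inherit Polarion's TLS settings. Over TLS the session
    cookie should carry Secure and HttpOnly; a response that sets no session
    cookie has nothing to check and passes."""
    morsel = set_cookies(resp).get(POLARION_SESSION_COOKIE)
    if morsel is None:
        return True
    return bool(morsel["secure"]) and bool(morsel["httponly"])


def audit(unauth, authed, no_project_access):
    """Evaluate the claims from three captures of the same app endpoint:
    no session, a session with access to the project, and a session for a
    user who lacks access to that project (should be refused, not served)."""
    return {
        "unauthenticated_rejected": rejects_unauthenticated(unauth),
        "authorized_served": authed.status == 200,
        "no_app_cookies": not foreign_cookies(authed),
        "session_cookie_hardened": session_cookie_hardened(authed),
        "project_access_enforced": no_project_access.status in (403, 404),
    }


# Constructed sample captures (not taken from a real deployment).
SAMPLE_UNAUTH = Captured(302, [("Location", "https://polarion.example/polarion/login?next=%2Fpolarion")])
SAMPLE_AUTHED = Captured(200, [("Content-Type", "application/json"),
                               ("Set-Cookie", "JSESSIONID=0123ABCD; Path=/polarion; Secure; HttpOnly")])
SAMPLE_NO_ACCESS = Captured(403, [("Content-Type", "text/plain")])

# A constructed capture that would contradict the claims: an app-specific
# cookie, and a session cookie lacking Secure/HttpOnly.
SAMPLE_BAD = Captured(200, [("Set-Cookie", "risksheet_view=grid; Path=/"),
                            ("Set-Cookie", "JSESSIONID=0123ABCD; Path=/polarion")])

if __name__ == "__main__":
    for claim, ok in audit(SAMPLE_UNAUTH, SAMPLE_AUTHED, SAMPLE_NO_ACCESS).items():
        print(f"{claim}: {'OK' if ok else 'FAIL'}")
    print("foreign cookies in bad capture:", foreign_cookies(SAMPLE_BAD))
```

To use it against a real instance, capture the three responses with any HTTP client (the test user without project access must be a real account, not merely a logged-out one) and build `Captured` objects from the status and headers; a redirect to somewhere other than the login page, or a 200 for the user without project access, is a finding to raise with the vendor.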
Session Management
Nextedy Apps use Polarion’s session management. There are no separate sessions, tokens, or cookies introduced by the apps. When a Polarion session expires or is invalidated, the app session ends automatically.
Secure Development Practices
Nextedy applies the following practices to app development:
| Practice | Tool / Method | Current Status |
|---|---|---|
| Static Application Security Testing (SAST) | SonarQube | 0 critical issues |
| Open-source vulnerability scanning | Snyk | 0 high/critical vulnerabilities |
| Functional testing | Automated test suite | 98% pass rate |
| Code review | Peer review on all changes | Required before merge |
| Dependency management | Centralized BOM, continuous scanning | 52 third-party components tracked |