To get started, I think we need to add the upload servlet again without security.
But the point is valid and it needs to be fixed. But I only want to do that in 3.2.2 at
the earliest.

One of the ideas we had was to see if we can add authentication to the file upload.
Even in case we get the HTTP-based authentication to work, it still results in an equally
big security hole. Since we want things to work out of the box, the default unzip
installation will have to contain a preconfigured designer with the username and password
for process deployment. Then the server will have the same data in the identity
component.

A separate web app doesn't seem to be a solution either, I think. As it is easier to
delete the .war than removing the servlet from the web.xml. BUT... then we have to mess
with building the 3 separate wars, both containing the jbpm libs in duplicate. Also we
have to mess with the enterprise.ear deployment. Removing the upload servlet from the
enterprise ear deployment will be more painful than just removing the servlet
configuration from the web.xml.

So we have to find a decent solution in 3.2.2, but in the meantime, I would like to have
the upload servlet reintroduced to get the suite working again as I want to work my way to
releasing 3.2.1.

View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4049734#...