The Mendix July Release: RESTful APIs across the Mendix App Platform, advanced security settings, and more

August 11, 2014

Sometimes we launch a major new feature with some marketing buzz and fanfare; other times, new features get pushed out one by one as soon as they are available. Today, I’d like to discuss some great new features that have been added one by one over the past few months. While these features may not generate a lot of marketing buzz, I think they are actually really awesome enhancements that improve usability and integration of Mendix in the enterprise.

It’s an API world

We live in an API world, which is great for developers. There are no limits on building new, creative solutions on top of existing APIs. Mendix has always been part of this from day one. Every application built using the Mendix App Platform has powerful API options and every element of the application model can be easily provided as part of the API (via SOAP or REST).

I believe the openness and extensibility of our platform is one of our key success factors. For example, the API of our Business Server makes extending your application model with Java a breeze and our Web Client API has resulted in a lot of App Store content in the form of rich UI extensions. Today, I’d like to highlight more of our APIs, especially our RESTful APIs, that have been added over the past months. You can start exploring our APIs here.


Before diving into the details, a short note on authentication and authorization. All API calls are executed with the rights of the user account that you use to authenticate (this can be your own user or you can create a separate API user). On your user profile page, there is a tab page “API keys” that you can use to generate API keys. The best practice here is to use different API keys for different systems that use the APIs so that you can revoke them independently in case of misbehavior. Read the documentation for more information.

Let’s look at some example use cases of our APIs.

APIs that enable continuous integration for public cloud and on-premise customers

Our Build API can be used to start a build based on a version of the application model in the Team Server. You can poll for the status and download the deployment package once the build is finished. This makes it easier for our on-premise users to do continuous integration. Just execute a nightly build, download the deployment package and deploy it on your own servers to run tests.

For users of our public cloud, we provide a complete Deploy API. Through this API, you can get the status of your cloud environments and sandboxes and configure and deploy new application versions. With this API in combination with the previously mentioned Build API, you can set up continuous integration in our public cloud. Just start a build for the last committed revision, deploy it into a sandbox or test environment and run your tests! Here is an example Windows PowerShell script that does exactly this.

APIs that enable identity management integration and Single Sign-On

The User Management API can be used to connect our platform with your (on-premise) identity management solution. There is an example connector available in our App Store that uses this API to synchronize users and security groups with an LDAP environment. The beauty of this approach is that you can basically integrate with any protocol in a fairly straightforward way.

You can also do it the other way around: use the identity provider in the Mendix App Platform in your non-Mendix apps. The Mendix App Platform can act as an OpenID provider as described here.

Security groups to simplify permission management

As we onboard large enterprises on our platform on a regular basis, the number of users per company is growing fast. That’s why we introduced security groups for companies. Security groups can be managed by company administrators; they can group people and grant them permissions at once (e.g. access to applications with a certain user role). These groups can also be managed via our User Management API and therefore make the integration with 3rd-party identity managers much easier.

SAML integration

If all these authentication and authorization improvements aren’t enough for you, we also released a SAML add-on in our App Store. This module allows you to use SAML to authenticate your users in your cloud or on-premise application and can communicate with any identity provider that supports SAML 2.0 or Shibboleth.

Beautiful paths for published REST services

You can also find an updated version of our REST add-on in the App Store. This version is, of course, strongly influenced by our work on our own APIs, but as the add-on is completely open source, you can contribute as well! Error handling has been improved and you can use path patterns for published services. For example: {groupId}/users/{userId}. The variable parts can be mapped on the input parameters of the published microflow. It is easier than ever to create truly RESTful APIs.
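The mapping from a path pattern to named input parameters can be sketched as follows. This is an added example, not code from the REST add-on: the function names are hypothetical, and the matching rules (one path segment per variable, percent-decoding only after the match) are assumptions chosen so that an encoded slash cannot shift a value into another segment.

```python
import re
from urllib.parse import unquote

# Hypothetical helper names; the pattern syntax {name} is the one shown above.
_VAR = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def compile_template(template):
    """Turn '{groupId}/users/{userId}' into an anchored regex with named groups."""
    parts, pos, seen = [], 0, set()
    for m in _VAR.finditer(template):
        name = m.group(1)
        if name in seen:
            raise ValueError(f"duplicate variable {name!r}")
        seen.add(name)
        parts.append(re.escape(template[pos:m.start()]))  # literal text
        parts.append(f"(?P<{name}>[^/]+)")                 # exactly one segment
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts) + r"\Z")


def match_path(template, raw_path):
    """Return {variable: decoded value} for a matching path, else None."""
    path = raw_path[1:] if raw_path.startswith("/") else raw_path
    m = compile_template(template).match(path)
    if m is None:
        return None
    # Decode after matching, so %2F never changes which segment a value is in.
    params = {k: unquote(v) for k, v in m.groupdict().items()}
    for value in params.values():
        if "/" in value or "\\" in value or "\x00" in value or value in (".", ".."):
            return None  # decoded value would act as a path, not an identifier
    return params


TEMPLATE = "{groupId}/users/{userId}"  # pattern fragment as given in the text

if __name__ == "__main__":
    # Constructed request paths.
    for p in ("/42/users/alice", "/42/users/a%2Fb", "/42/users/alice/extra"):
        print(p, "->", match_path(TEMPLATE, p))
```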

Advanced security settings for public cloud apps

We know how important security is for our enterprise customers. On top of all the security measures you may already be familiar with, take note of these recent configuration options:

  • X-Frame: your application can be embedded in another site using an IFrame. To prevent this, you can deny embedding using this setting. This will set an X-Frame-Options header for each HTTP response from your app. Disallowing embedding is the recommended way to prevent clickjacking.
  • IP filters: you can deny all access to your app except for one or more whitelisted IP ranges.
  • Certificate based authentication: you can deny all access to your app except for users having the right certificate. This setting can be combined with the previous one.

All these settings can be self-service configured in the network settings of the app details page.
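Because the X-Frame setting is meant to put the header on every HTTP response, a useful check after enabling it is to classify the header on a set of captured responses. The following is an added example, not Mendix code; the function names, paths and header values are constructed for illustration.

```python
# Classify the X-Frame-Options header on captured responses (constructed data).

def classify(headers):
    """Classify one response; headers is a list of (name, value) pairs."""
    raw = [v for n, v in headers if n.strip().lower() == "x-frame-options"]
    # A comma-separated value is equivalent to the header being repeated.
    values = {p.strip().upper() for v in raw for p in v.split(",") if p.strip()}
    if not values:
        return "missing"
    if len(values) > 1:
        return "conflicting"      # e.g. set once by the app and once by a proxy
    (value,) = values
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "sameorigin"
    if value.startswith("ALLOW-FROM"):
        return "obsolete"         # not honoured by current browsers
    return "invalid"              # unknown token, gives no protection


def audit(responses):
    """Return ({path: classification}, sorted paths that need attention)."""
    report = {path: classify(h) for path, h in responses.items()}
    attention = sorted(p for p, c in report.items()
                       if c not in ("deny", "sameorigin"))
    return report, attention


# Constructed sample: path -> response headers as (name, value) pairs.
SAMPLE = {
    "/index.html": [("X-Frame-Options", "DENY")],
    "/login.html": [("x-frame-options", " sameorigin ")],
    "/file": [("Content-Type", "application/pdf")],
    "/portal": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
    "/proxy": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "/legacy": [("X-Frame-Options", "ALLOWALL")],
}

if __name__ == "__main__":
    report, attention = audit(SAMPLE)
    for path, verdict in report.items():
        print(f"{path:12} {verdict}")
    print("needs attention:", attention)
```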

And more

Apart from all this cool new stuff, we also put a lot of effort into improving our existing functionality. Just have a look at the release notes to see how many of your tickets have been processed!

The icing on the cake is a small but useful feature for our Business Modeler users: the UI editors can now visualize for which page elements custom styling properties (Class, Style) are set. Clicking the new ‘Show styles’ button on the toolbar will enable this feature. We know that designers will be happy with this!
