I want to develop my own client to show tasks assigned to the logged-in user, similar to Personal Tasks in the jbpm console. I'm thinking of using the REST API exposed by the console and developing a UI on top of that. Since users will be authenticated while logging into my portal, I want to disable authentication by the REST API and trust the calls coming from my application. Is my approach correct? If yes, how could I achieve that? I tried removing <security-constraint> from the web.xml of jbpm-console, but a few REST calls which depend upon the session are failing.