• By default the Arbortext Publishing Engine security framework divides all of the requests that Arbortext Publishing Engine processes into 2 classes: administrative and non-administrative. The former processes are restricted, the latter are unrestricted. The framework can be made more precise by adding additional security constraints that are more finely grained; matching individual f=acl requests, f=java requests, an so on, rather than matching all requests.

• Some requests that Arbortext Publishing Engine supports should not be made restricted, because they are submitted by client programs that cannot process requests for IDs and passwords. For Arbortext Publishing Engine composition (in which Arbortext Editor submits publishing requests to the Arbortext PE Request Manager, the following requests must remain unrestricted:

• For composition requests from the WVS Arbortext Publishing Engine Worker, the following request must remain unrestricted:

• For composition requests from the Windchill Service Information Manager Worker (also called the SIS Worker), the following request must remain unrestricted:

• Be aware that, in addition to the controlling the security framework, the e3config.xml file restricts the ACL, APP, Java, JavaScript, and VBScript PE applications that can run.

• Besides configuring Arbortext Publishing Engine, several items can be configured in Apache Tomcat by modifying web.xml or Tomcat's servlet.xml.

◦ Enable HTTPS with or without client-side certificate authentication

◦ Disable HTTP so that only HTTPS requests are accepted

◦ Control how session IDs are managed

◦ Session timeouts

◦ The authentication method used

◦ How cookies are used

◦ Additional security roles