Arbortext Publishing Engine Security Framework
Arbortext Publishing Engine includes a security framework that allows every request sent to the Arbortext PE Request Manager to be classified as "disabled", "unrestricted", or "restricted" based on users and groups defined in Apache Tomcat.
• Disabled requests are not processed.
• Unrestricted requests are processed without authentication.
• Restricted requests are only processed if they are submitted by an authenticated user who is a member of a configured security role.
◦ Authenticated requests submitted by other users are not processed.
◦ If a client submits an unauthenticated request, the Arbortext PE Request Manager will reject the request in a way that instructs the client to prompt for an ID and password and resubmit the request. If the client authenticates successfully, and the user is a member of the required role, then the request will be processed.
If a request cannot be processed, the Arbortext PE Request Manager will return an error message in the HTTP response returned to the client. For every request received, the Arbortext PE Request Manager will write a line to an audit file explaining why the request was processed or not processed.
|
|
While enabling the Arbortext Publishing Engine security framework provides a layer of security against improper access to Arbortext Publishing Engine, it should be considered as only one component of your site’s broader security plan.
|
The security framework is enabled, disabled, and configured using entries in e3config.xml. If the framework is disabled, none of the described request processing takes place and the Arbortext PE Request Manager will operate as it did in earlier versions of PE. When installing Arbortext Publishing Engine, the user is prompted to enable the framework. If the user chooses to enable the framework,e3config.xml will be updated accordingly. By default, the framework is disabled.
The security framework makes use of the user ID and role support provided by Apache Tomcat. Tomcat supports defining user IDs, securing each user ID by a password, and mapping each user ID into one or more roles. The Arbortext Publishing Engine security framework makes use of this support to determine whether a restricted request should be processed or rejected.
The following sections detail how to enable and configure the framework, and provide the requirements for configuring Apache Tomcat to work with the Arbortext Publishing Engine security framework.
|
|
You must also ensure that Tomcat is configured in line with current security best practices.
|
