Customizing the Security Framework
When customizing the Arbortext Publishing Engine security framework, be aware of the following items.
By default the Arbortext Publishing Engine security framework divides all of the requests that Arbortext Publishing Engine processes into two classes: administrative and non-administrative. Requests in the former class are restricted; requests in the latter class are unrestricted. The framework can be made more precise by adding further, more finely grained security constraints that match individual f=acl requests, f=java requests, and so on, rather than matching all requests.
Some requests that Arbortext Publishing Engine supports should not be made restricted, because they are submitted by client programs that cannot respond to prompts for IDs and passwords. For Arbortext Publishing Engine composition (in which Arbortext Editor submits publishing requests to the Arbortext PE Request Manager), the following requests must remain unrestricted:
f=java class=com.arbortext.e3ci.Application
f=java class=com.arbortext.e3c.Application
f=qt-cancel
f=qt-discard
f=qt-list
f=qt-retrieve
The final four f=qt- functions are only required if Arbortext Editor is submitting QUEUED transactions. If your site doesn't use queuing, you can restrict these four functions and disable queuing by setting the parameter com.arbortext.e3.queueCompositionOperations to never.
For composition requests from the WVS Arbortext Publishing Engine Worker, the following request must remain unrestricted:
f=java class=com.arbortext.ptc.windchill.Compose
For composition requests from the Windchill Service Information Manager Worker (also called the SIS Worker), the following request must remain unrestricted:
f=acl function=main::composeSisPE
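As an added example (not part of the Arbortext documentation, and not the e3config.xml rule syntax), the following Python script models fine-grained constraints as a hypothetical list of parameter-match rules and lints a proposed rule set against the composition requests listed above, reporting any that a rule would restrict. The request strings are written in query-string form (parameters joined with &), which is an assumption about how the requests above would arrive at the PE servlet.

```python
from urllib.parse import parse_qs

# Hypothetical rule model: each rule names request parameters that must all
# match; the rule with the most parameters wins, earlier rules win ties.
# This is NOT the e3config.xml syntax, only a model of the same idea.
RULES = [
    {"match": {}, "restricted": False},                 # default: non-administrative
    {"match": {"f": "admin"}, "restricted": True},      # constructed administrative class
    {"match": {"f": "java"}, "restricted": True},       # fine-grained: every f=java request
    {"match": {"f": "java", "class": "com.arbortext.e3ci.Application"},
     "restricted": False},                              # carve-out for one composition request
]

# Requests the documentation says must remain unrestricted (query-string form).
MUST_STAY_UNRESTRICTED = [
    "f=java&class=com.arbortext.e3ci.Application",
    "f=java&class=com.arbortext.e3c.Application",
    "f=qt-cancel", "f=qt-discard", "f=qt-list", "f=qt-retrieve",
    "f=java&class=com.arbortext.ptc.windchill.Compose",   # WVS PE Worker
    "f=acl&function=main::composeSisPE",                  # SIS Worker
]


def parse_request(query):
    """Turn a PE request query string into a flat parameter dict."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def is_restricted(params, rules=RULES):
    """Apply the most specific matching rule; unmatched requests are unrestricted."""
    best = None
    for rule in rules:
        if all(params.get(k) == v for k, v in rule["match"].items()):
            if best is None or len(rule["match"]) > len(best["match"]):
                best = rule
    return best["restricted"] if best else False


def blocked_composition_requests(rules=RULES, queuing_enabled=True):
    """List required-unrestricted requests that the rule set would restrict.

    With queuing disabled (queueCompositionOperations=never) the f=qt-
    requests may be restricted, so they are dropped from the check."""
    required = [q for q in MUST_STAY_UNRESTRICTED
                if queuing_enabled or not q.startswith("f=qt-")]
    return [q for q in required if is_restricted(parse_request(q), rules)]


if __name__ == "__main__":
    for q in blocked_composition_requests():
        print("WARNING: composition request would be restricted:", q)
```

Run against the constructed RULES above, the lint flags the e3c.Application and windchill.Compose requests, because the blanket f=java rule catches them while only e3ci.Application has a carve-out.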
Be aware that, in addition to controlling the security framework, the e3config.xml file restricts which ACL, APP, Java, JavaScript, and VBScript PE applications can run.
Besides configuring Arbortext Publishing Engine, several items can be configured in Apache Tomcat by modifying web.xml or Tomcat's servlet.xml.
In servlet.xml, you can configure the following items.
Enable HTTPS with or without client-side certificate authentication
Disable HTTP so that only HTTPS requests are accepted
Control how session IDs are managed
For more information, refer to the documentation provided for Tomcat by the Apache Software Foundation.
In web.xml, you can configure the following items.
Session timeouts
The authentication method used
How cookies are used
Additional security roles
For more information, refer to the Java Servlet Standard.
You must also ensure that Tomcat is configured in line with current security best practices.
The standard user requests that refer to content created or owned by specific users now require authentication, to validate that the user is authorised to view that content. This uses a new rule, test-editor-userid, which validates that a user's ID matches the criteria of a request. These two rules, the updated user-requests rule and test-editor-userid, can be edited by administrators to register permissions for Publishing Engine user requests.
For more information on authentication, see Enabling and Disabling the Security Framework.
Disabling HTTPS
HTTPS is enabled by default in an Arbortext Publishing Engine installation. To disable it, edit web.xml and remove the following section:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
For more information about setting up Apache Tomcat using HTTPS, refer to the topic ‘SSL/TLS Configuration’ from the documentation provided for Tomcat by the Apache Software Foundation.