Arbortext Publishing Engine Security Framework
Arbortext Publishing Engine includes a security framework that allows every request sent to the Arbortext PE Request Manager to be classified as "disabled", "unrestricted", or "restricted" based on users and groups defined in Apache Tomcat.
• Disabled requests are not processed.
• Unrestricted requests are processed without authentication.
• Restricted requests are only processed if they are submitted by an authenticated user who is a member of a configured security role.
◦ Authenticated requests submitted by other users are not processed.
◦ If a client submits an unauthenticated request, the Arbortext PE Request Manager will reject the request in a way that instructs the client to prompt for an ID and password and resubmit the request. If the client authenticates successfully, and the user is a member of the required role, then the request will be processed.
• Users with the pe-user role can view the status of a specific transaction.
• Users with the pe-user role can connect Arbortext Editor to Publishing Engine and publish from Arbortext Editor; the pe-admin role is not required for this.
If a request cannot be processed, the Arbortext PE Request Manager will return an error message in the HTTP response returned to the client. For every request received, the Arbortext PE Request Manager will write a line to an audit file explaining why the request was processed or not processed.
The Arbortext Publishing Engine security framework provides a layer of security against improper access to Arbortext Publishing Engine; it should be considered only one component of your site’s broader security plan.
The security framework is enabled by default; it is disabled and configured using entries in e3config.xml. If the framework is disabled, none of the request processing described above takes place and the Arbortext PE Request Manager operates as it did in earlier versions of PE.
Configuring Form-Based Authentication
If the security framework is enabled, the login page appears when a restricted request requires authentication. To use custom login pages, you must update the PE web.xml file to specify both the login page and the login error page.
These are the configuration settings for the sample authentication HTML files that are provided:
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>PTC Arbortext Publishing Engine</realm-name>
  <form-login-config>
    <form-login-page>/e3login.html</form-login-page>
    <form-error-page>/e3login-failed.html</form-error-page>
  </form-login-config>
</login-config>
The security framework makes use of the user ID and role support provided by Apache Tomcat. Tomcat supports defining user IDs, securing each user ID by a password, and mapping each user ID into one or more roles. The Arbortext Publishing Engine security framework makes use of this support to determine whether a restricted request should be processed or rejected.
The following sections detail how to enable, disable and configure the framework, and provide the requirements for configuring Apache Tomcat to work with the Arbortext Publishing Engine security framework.
You must also ensure that Tomcat is configured in line with current security best practices.
Default Actions for the User Roles
The default e3config.xml file defines certain actions that require the pe-user role and others that require the pe-admin role.
For example, users with the pe-user role can connect to Publishing Engine and submit publishing jobs. Users with this role can also view the status of a specific transaction. The pe-admin role is required to view the full list of transactions or to view a full Publishing Engine status listing.
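The following is an added illustration, not PTC's code, of the decision logic described above: each request is classified as disabled, unrestricted or restricted, a restricted request is processed only for an authenticated user holding the configured role, an unauthenticated restricted request is answered with a challenge that makes the client prompt for credentials, and every request produces one audit line. The action names, the policy table, the sample users and the HTTP status codes are assumptions standing in for what e3config.xml and the Tomcat realm actually supply.

```python
"""Constructed model of how the Arbortext PE Request Manager classifies a
request as disabled, unrestricted or restricted, checks the caller's Tomcat
role, and emits one audit line per request. Not PTC's code: the action names,
policy table, sample users and HTTP status codes are assumptions standing in
for what e3config.xml and the Tomcat realm supply."""
from dataclasses import dataclass

# action -> (classification, role required for restricted actions). The
# pe-user / pe-admin split follows the documented defaults; names are made up.
POLICY = {
    "ping":              ("unrestricted", None),
    "submitJob":         ("restricted", "pe-user"),
    "transactionStatus": ("restricted", "pe-user"),
    "listTransactions":  ("restricted", "pe-admin"),
    "serverStatus":      ("restricted", "pe-admin"),
    "shutdown":          ("disabled", None),
}

# Stand-in for the user -> roles mapping Tomcat's realm provides (sample data).
USER_ROLES = {"alice": {"pe-user"}, "bob": {"pe-user", "pe-admin"}}


@dataclass
class Decision:
    processed: bool   # whether the Request Manager runs the request
    status: int       # HTTP status sent back to the client (assumed values)
    audit: str        # the line written to the audit file


def handle_request(action, user=None, policy=POLICY, realm=USER_ROLES):
    """Decide one request. `user` is None for an unauthenticated request,
    otherwise the user ID Tomcat authenticated."""
    kind, role = policy.get(action, ("disabled", None))  # unknown: disabled
    who = user or "anonymous"
    if kind == "disabled":
        return Decision(False, 403, f"{who} {action}: rejected, request disabled")
    if kind == "unrestricted":
        return Decision(True, 200, f"{who} {action}: processed, unrestricted")
    if user is None:
        # 401 challenge: client must prompt for ID/password and resubmit
        return Decision(False, 401, f"{who} {action}: rejected, login required for {role}")
    if role not in realm.get(user, set()):
        return Decision(False, 403, f"{who} {action}: rejected, not in role {role}")
    return Decision(True, 200, f"{who} {action}: processed, {user} holds {role}")


def process_all(requests, policy=POLICY, realm=USER_ROLES):
    """Handle (action, user) pairs in order; return the audit lines, one each."""
    return [handle_request(a, u, policy, realm).audit for a, u in requests]
```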