Configuring Security Settings
Oxygen XML Web Author includes a built-in mechanism for restricting outgoing network connections. There is a Security tab in the Administration Page that provides options for handling security-related features, including an option for specifying trusted code locations and a firewall option where you can choose to restrict access to hosts that are not specified as being trusted.
Security Options
The Security tab in the Administration Page includes a Security Options section with the following options:
- Security Options
-
- Application authentication provider
- Use this option to activate application-level authentication to only allow authenticated users access to the application. This will significantly enhance the application's security, protecting against potential attacks (e.g. denial-of-service attacks). The possible selections are GitHub, GitLab, or GitLab Enterprise, but it is important to note that they are only available if configured. See Integrating Web Author with Git (GitHub, GitLab, Bitbucket) for configuration details.
- Reject invalid security certificates
- If selected, HTTPS connections with invalid certificates will be rejected. If not selected, security certificates are accepted, even if they are invalid.
- Use the "Secure" attribute for the session cookie
- If selected, the "Secure" cookie attribute will be added on the session
cookie. This means that the browser will only send the session cookie over HTTPS
(if enabled).CAUTION: Do not enable this option unless Web Author is accessed only over HTTPS.
- Use HTTP Strict Transport Security (HSTS)
- If selected, the Strict-Transport-Security header that makes browsers access
the application's domain will be set using only HTTPS protocol (including
subdomains).Warning: Do not set this option unless all the applications hosted on the DNS domain where Web Author is hosted, and the applications on the subdomains of this domain, are hosted only over HTTPS. Applications that use HTTP instead of HTTPS and are hosted on the DNS domain of Web Author and its subdomain will not work for Web Author users after you enable this setting.
Trusted Code
*//github.com/*
webdav-https://my-server:8081/repo/*
*
Firewall
www.oxygenxml.com:443
*.mycompany.intranet
To allow connections to a domain regardless of the port, you can specify just the domain
name. The wildcard character *
can also be used, for example, to match any
subdomain.
If the Allow All Connections and Log
each connection options are enabled, a log entry will be added for each
outgoing connection that contains the [OUTGOING CONNECTION]
token. This is
useful for monitoring and for determining which domains should be marked as trusted.
-
Plugins can specify whether a connection is allowed or denied, regardless of whether or not they are listed in the Security tab of the Administration Page. For example, the Perforce plugin allows connections to the Perforce server configured in the Administration page.
To see which plugins allowed or denied connections, you can activate logging for this kind of events by adding the following line to the log configuration file:log4j.category.com.oxygenxml.webauthor.SecurityManager=info
Lines that correspond to such events contain the token
[PLUGIN FIREWALL DECISION]
. - Connections that have no security risks (such as connections to the License Server) are also allowed regardless of the settings in the Security tab of the Administration Page.