Securing FME Server
From Fmepedia
(http://fmepedia.com/index.php/Category:FME_Server)
This page details possible routes for securing FME Server. Not all scenarios have been considered, so use this advice at your own discretion.
Apache Tomcat
It is common to want to restrict access to web applications or to certain web pages within them. There are a number of ways to do this, including password protection, completely denying access, complete removal, IP filtering, and host filtering. Note that some of these options (e.g. IP/host filtering) can't be applied to individual pages/paths of a web application.
Pages within a Web Application
Password Protection (Example: administrative web pages)
The FME Server administrative web pages provide the ability to manage and delete repositories. The easiest way to protect this ability while still allowing access is password protection. Instructions follow.
Add a fmeadmin user and role
- Open the following file in a text editor:
- <Tomcat>/conf/tomcat-users.xml
- Add the following elements to the file just prior to the closing </tomcat-users> element.
<role rolename="fmeadmin"/>
<user username="fmeadmin" password="adminfme" roles="fmeadmin"/>
Enable authentication and add the security role and constraint
- Open the following file in a text editor:
- <Tomcat>\webapps\fmeserver\WEB-INF\web.xml
- Add the following elements to the file just prior to the closing </web-app> element.
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>fmeadmin</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>AdminPages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/admin</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>fmeadmin</role-name>
  </auth-constraint>
</security-constraint>
- Save the file and restart Tomcat.
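As an added example (not part of the original page or of FME Server), the following Python script checks that the two files contain what the steps above describe and flags an account that still uses the sample password shown above. The function names and the embedded sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
EXAMPLE_PASSWORD = "adminfme"  # sample value shown in the steps above

# Constructed sample inputs mirroring the elements added in the steps above.
SAMPLE_USERS = """<tomcat-users>
  <role rolename="fmeadmin"/>
  <user username="fmeadmin" password="adminfme" roles="fmeadmin"/>
</tomcat-users>"""
SAMPLE_WEB = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>fmeadmin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>/admin</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>fmeadmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def elems(parent, name):
    # Compare local names only: real web.xml files usually declare a namespace.
    return [e for e in parent.iter() if e.tag.rsplit("}", 1)[-1] == name]
def texts(parent, name):
    return {e.text.strip() for e in elems(parent, name) if e.text}

def audit(web_xml, users_xml, role="fmeadmin", patterns=("/admin/*", "/admin")):
    """Return findings; an empty list means the configuration matches the steps."""
    web, users, out = ET.fromstring(web_xml), ET.fromstring(users_xml), []
    if "BASIC" not in texts(web, "auth-method"):
        out.append("web.xml: no BASIC auth-method")
    if not any(role in texts(s, "role-name") for s in elems(web, "security-role")):
        out.append(f"web.xml: security-role {role} not declared")
    covered = set()  # url-patterns that sit in a constraint requiring the role
    for sc in elems(web, "security-constraint"):
        if any(role in texts(a, "role-name") for a in elems(sc, "auth-constraint")):
            covered |= texts(sc, "url-pattern")
    out += [f"web.xml: url-pattern {p} not in a {role} constraint"
            for p in patterns if p not in covered]
    holders = [u for u in elems(users, "user")
               if role in [r.strip() for r in u.get("roles", "").split(",")]]
    if not holders:
        out.append(f"tomcat-users.xml: no user holds role {role}")
    out += [f"tomcat-users.xml: {u.get('username')} uses the example password"
            for u in holders if u.get("password") == EXAMPLE_PASSWORD]
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WEB, SAMPLE_USERS)))
```

For a real installation, pass the contents of `<Tomcat>/conf/tomcat-users.xml` and the fmeserver `web.xml` to `audit` in place of the constructed samples.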
Entire Web Applications
IP Filtering (Example: SOAP Web Application)
The FME Server SOAP Web Application provides most of the abilities of the standard FME Server API (such as running workspaces, deleting repositories, etc.) and as such, access to it should be limited. The easiest way to limit access is through IP filtering. Instructions follow.
Add a Context Object
- Determine the Engine and Host Name for your installation of Tomcat (defaults are 'Catalina' and 'localhost').
- Create the following file and open it in a text editor:
- <Tomcat>\conf\<Engine>\<HostName>\fmesoap.xml
- For default installations: <Tomcat>\conf\Catalina\localhost\fmesoap.xml
- Add the following into the file:
<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.*.*, 127.0.0.1, 66.119.171.18, 24.86.64.198"/>
</Context>
- Change the 'allow' value to include your list of allowable IPs (the first and second values listed above are for IPs issued by an internal router and localhost respectively).
- Save the file and restart Tomcat.
