
Configuring Security Settings

Oxygen XML Web Author includes a built-in mechanism for restricting outgoing network connections. There is a Security page in the Administration Page that provides options for handling security-related features, including an option for specifying trusted code locations and a firewall option where you can choose to restrict access to hosts that are not specified as being trusted.

Trusted Code

By default, Web Author does not load code (such as CSS or Schematron) referenced directly in documents unless it comes from the framework (document type association) or a plugin. However, you can specify code locations to be considered trusted by adding them in the Trusted Code option in the Security section of the Administration Page. The code locations need to be declared with URL patterns, one per line. For example:
*//github.com/*
webdav-https://my-server:8081/repo/*
Note: The location of a resource should be its OXY-URL.
To consider all code as trusted (which is equivalent to disabling this security feature and is not recommended), you can use a wildcard that matches any location:
*

Firewall

It is possible to restrict the domains that the Web Author server is allowed to connect to. The Security page in the Administration Page includes a Firewall section where you can choose to allow all connections or only allow connections to hosts that you specify as trusted. You can specify the hosts to be considered trusted by adding them (one per line) in the Only allow connections to these trusted hosts option. For example:
www.oxygenxml.com:443
*.mycompany.intranet

To allow connections to a domain regardless of the port, you can specify just the domain name. The wildcard character * can also be used, for example, to match any subdomain.

When you choose to Allow All Connections and Log each connection, a log entry will be added for each outgoing connection that contains the [OUTGOING CONNECTION] token. This is useful for monitoring and for determining which domains should be marked as trusted.
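
The following is an added example, not part of the Web Author documentation or product code: it reads connection log lines and counts the destinations that a proposed trusted-hosts list would not cover, which helps when building the list before switching to the restrictive mode. The log line layout after the [OUTGOING CONNECTION] token, the sample lines, and the exact matching semantics (glob-style *, entry without a port matches any port) are assumptions.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

TOKEN = "[OUTGOING CONNECTION]"  # token named in the documentation
# Assumption: the destination follows the token as host[:port] or as a URL.
DEST_RE = re.compile(r"(?:([a-z][a-z0-9+.-]*)://)?([A-Za-z0-9.-]+)(?::(\d+))?")
DEFAULT_PORTS = {"http": "80", "https": "443"}

def parse_allowlist(text):
    """Turn one-per-line 'host' / 'host:port' entries into (pattern, port) pairs."""
    entries = []
    for line in text.splitlines():
        host, _, port = line.strip().lower().partition(":")
        if host:
            entries.append((host, port or None))
    return entries

def is_trusted(host, port, entries):
    """Assumed semantics: an entry without a port matches any port; '*' is a glob."""
    return any(fnmatchcase(host.lower(), pattern) and want in (None, port)
               for pattern, want in entries)

def untrusted_destinations(log_lines, entries):
    """Count logged destinations that the allowlist would not cover."""
    misses = Counter()
    for line in log_lines:
        _, found, rest = line.partition(TOKEN)
        match = DEST_RE.search(rest) if found else None
        if match:
            scheme, host, port = match.groups()
            port = port or DEFAULT_PORTS.get(scheme)  # infer port from URL scheme
            if not is_trusted(host, port, entries):
                misses[(host.lower(), port)] += 1
    return misses

ALLOWLIST = "www.oxygenxml.com:443\n*.mycompany.intranet"  # entries shown above
SAMPLE_LOG = [  # constructed lines; the real log layout may differ
    "2024-05-02 10:15:01 INFO [OUTGOING CONNECTION] www.oxygenxml.com:443",
    "2024-05-02 10:15:07 INFO [OUTGOING CONNECTION] https://docs.mycompany.intranet/a.dita",
    "2024-05-02 10:15:09 INFO [OUTGOING CONNECTION] cdn.example.org:443",
    "2024-05-02 10:15:12 INFO [OUTGOING CONNECTION] cdn.example.org:443",
    "2024-05-02 10:15:20 INFO [OUTGOING CONNECTION] www.oxygenxml.com:80",
    "2024-05-02 10:15:21 INFO session started",
]

if __name__ == "__main__":
    report = untrusted_destinations(SAMPLE_LOG, parse_allowlist(ALLOWLIST))
    for (host, port), count in report.most_common():
        print(f"{count:3d}  {host}:{port}")
```

Each destination in the report is a candidate to review before adding it to the trusted hosts; an unexpected one is worth investigating rather than allowing.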

Notes:
  • Plugins can specify whether a connection is allowed or denied, regardless of whether the target hosts are listed in the Security page. For example, the Perforce plugin allows connections to the Perforce server configured in the Administration Page.

    To see which plugins allowed or denied connections, you can activate logging for this kind of event by adding the following line to the log configuration file:
    log4j.category.com.oxygenxml.webauthor.SecurityManager=info

    Lines that correspond to such events contain the token [PLUGIN FIREWALL DECISION].

  • Connections that have no security risks (such as connections to the License Server) are also allowed regardless of the settings in the Security page.