Securing the HPI administrator pages - tsgrp/HPI GitHub Wiki
Below is an explanation of a few tools available to secure the HPI admin and how each of them applies to Documentum (Dctm), Alfresco, Hadoop and Solr instances of HPI.
Group-Based Admin Security
By default, Application Config in the HPI admin allows you to configure which group or groups have access to the admin section of HPI.
This feature only works for Documentum-, Alfresco- or Hadoop-based HPI instances, because it relies on the repository's notion of groups.
Denied Groups
Any repository groups defined under this list will be denied access to the administrator pages.
Allowed Groups
Any repository groups defined under this list will be able to access the administrator pages. To add more allowed groups, simply drag and drop groups from the denied list to the allowed list. Note that if no repository groups are defined in this list, no users will see the Admin button in the HPI header.
Additional Security - Secure the Admin URL
In some cases, the default group-based security is not sufficient for the application's needs. For example, Solr as an HPI back end does not support groups or users, so the group lists above cannot be applied at all; any user who guesses the admin URL could then reach the HPI admin.
To alleviate this issue, HPI can protect the admin URL with username and password credentials: toggle the "Secure Admin URL" slider in Application Config to "True". Any time an unverified user attempts to access HPI's admin pages, he/she will be prompted for the admin authentication credentials. These credentials have defaults in OpenContent, but can be overridden for any HPI project by following these steps:
- In the OpenContent project folder, find or create a file called "project-placeholders.properties" in the classes directory.
- In that file, define the variables `hpi.securedAdminUsername` and `hpi.securedAdminPassword` with a username and password of your choice to secure the HPI admin. The value for the password must be TSG encrypted before it is placed in this file.
- Once you build your project, you should be able to use these credentials to log in to the HPI admin.
Additional Security for Solr
If you would like even more security for a Solr HPI instance, an additional step that some clients take is to lock down the HPI config files at the file system level. To do this, find the root folder for the HPI configs and remove write access for every user, so that nobody can update the files.
With this approach you need to restore write access for the time window in which an HPI administrator makes changes, and then lock the files down again afterwards.
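The lock/unlock cycle just described, written as a small POSIX shell helper. This is an added example, not a script from the HPI project: the config root `HPI_CONFIG_DIR` (default `/opt/hpi/config`) is an assumed placeholder that you must point at your own HPI config folder, and the function names are invented here. It removes write permission for all users, restores owner write permission for the administrator's change window, and verifies from the mode bits (rather than from a write attempt, which would succeed for root regardless) that no writable config file remains.

```shell
#!/bin/sh
# Added example (not from the HPI wiki): lock and unlock an HPI config
# directory at the file-system level around an administrator's change window.
# HPI_CONFIG_DIR is an assumed placeholder; point it at the real config root.
HPI_CONFIG_DIR="${HPI_CONFIG_DIR:-/opt/hpi/config}"

# Remove write permission for owner, group and other on the whole config
# tree (directories included, so files cannot be replaced or deleted either).
hpi_lock_configs() {
  dir="$1"
  chmod -R a-w "$dir"
}

# Restore write permission for the owner only, for the maintenance window.
# Group and other stay read-only.
hpi_unlock_configs() {
  dir="$1"
  chmod -R u+w "$dir"
}

# Return 0 when every regular file under the directory has no write bit set,
# otherwise list the writable files on stderr and return 1.
# -perm /222 matches files with any write bit (GNU find syntax).
hpi_configs_are_locked() {
  dir="$1"
  writable=$(find "$dir" -type f -perm /222 2>/dev/null)
  if [ -n "$writable" ]; then
    printf 'writable config files found:\n%s\n' "$writable" >&2
    return 1
  fi
  return 0
}

# Simple command-line dispatcher: lock | unlock | check
case "${1:-}" in
  lock)   hpi_lock_configs "$HPI_CONFIG_DIR" ;;
  unlock) hpi_unlock_configs "$HPI_CONFIG_DIR" ;;
  check)  hpi_configs_are_locked "$HPI_CONFIG_DIR" ;;
  *)      ;;
esac
```

Typical use is `./hpi-configs.sh unlock`, make the configuration change, then `./hpi-configs.sh lock && ./hpi-configs.sh check` before leaving the box. The `check` step is the part worth scripting into monitoring, since a config tree that silently became writable again is exactly the condition this control is meant to prevent. `-perm /222` is GNU find syntax; on BSD-derived finds use `-perm +222`.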