
Guide

Alfresco Security Best Practices

Copyright 2014 by Alfresco and others.


Information in this document is subject to change without notice. No part of this document
may be reproduced or transmitted in any form or by any means, electronic or mechanical, for
any purpose, without the express written permission of Alfresco. The trademarks, service
marks, logos, or other intellectual property rights of Alfresco and others used in this
documentation ("Trademarks") are the property of Alfresco and their respective owners. The
furnishing of this document does not give you license to these patents, trademarks, copyrights,
or other intellectual property except as expressly provided in any written agreement from
Alfresco.
The United States export control laws and regulations, including the Export Administration
Regulations of the U.S. Department of Commerce, and other applicable laws and regulations
apply to this documentation which prohibit the export or re-export of content, products,
services, and technology to certain countries and persons. You agree to comply with all export
laws, regulations, and restrictions of the United States and any foreign agency or authority and
assume sole responsibility for any such unauthorized exportation.
You may not use this documentation if you are a competitor of Alfresco, except with Alfresco's
prior written consent. In addition, you may not use the documentation for purposes of
evaluating its functionality or for any other competitive purposes.
This copyright applies to the current version of the licensed program.


Document History
VERSION | DATE | AUTHOR | DESCRIPTION OF CHANGE
0.1 | 23-Jul-14 | Toni de la Fuente | Initial version
0.2 | 16-Sept-14 | Toni de la Fuente | Version to review
0.3 | 18-Sept-14 | Toni de la Fuente | Added Steve Rigby and Pete Philips suggestions
0.4 | 23-Sept-14 | Toni de la Fuente | Added architecture info and made corrections. Sent to grammar review.
0.5 | 2-Oct-14 | Toni de la Fuente | Added Martin Kappel corrections
0.6 | 2-Oct-14 | Toni de la Fuente | Made Kimberly Watson grammar and style corrections
1.0 | 2-Oct-14 | Toni de la Fuente | Version to release

Table of contents
INTRODUCTION
  AUDIENCE
  RELATED PUBLICATIONS
  HOW TO READ THIS GUIDE
  DISCLAIMER AND SCOPE
  ALFRESCO SECURITY POLICY
    Release of Security Notifications
    Severity Levels
    Reporting a Security Issue to Alfresco
  COMPONENTS TO CONSIDER
THE EXTERNAL AND INTERNAL PERSPECTIVE
  EXTERNAL THREATS
    Discovery, Information Gathering and Information Leaks
    Brute Force Username and Passwords Attacks
    MITM Attacks
    DOS and DDOS
    Viruses
  VULNERABILITIES ASSESSMENT
    Public Vulnerabilities
    Other Vulnerabilities
HARDENING THE NETWORK AND OPERATING SYSTEM
  NETWORK
  OS SECURITY
  CONFIGURING YOUR FIREWALL
    Inbound Ports
    Outbound ports
    Port Redirect
  DETERMINING MINIMUM PRIVILEGES
ALFRESCO IMPLEMENTATION BEST PRACTICES
  STAY CURRENT
  DO NOT RUN THE APPLICATION SERVER AS ROOT
  REPOSITORY LEVEL SECURITY
    Enable SSL
    Understanding Roles and Permissions
    Custom Roles
    Audit
    Reset Admin Password
    Ticket Session Duration Control
    Disable Unneeded Services
    Disable Guest User
    Review Server Logs Periodically
    Change JMX Default Credentials
    Get Control of Deleted Content
    Node Creation
    Node Deletion
    Questions and Answers About Content Deletion
    Wipe Content
  SHARE LEVEL SECURITY
    Cross-Site Request Forgery (CSRF) Filters in Alfresco Share
    Security Filters and Clickjacking Mitigation in Alfresco Share
    Iframes and Phishing Attack Mitigation in Alfresco Share
    Share HTML Processing Black/White List
    Site Creation Control
    Filter Document Actions by User or Role
    Filter workflow by role/group
    Change default Share session timeout
ARCHITECTURE DEPLOYMENT BEST PRACTICES
    Frontends
    Single tier
    Two tiers
    Three tiers
    AWS deployments
  BACKUP AND DISASTER RECOVERY
MOBILE SECURITY
  FILE PROTECTION
  HTTPS
  CERTIFICATE AUTHENTICATION
  MDM
    Alfresco for Good (iOS)
    MobileIron (Android)
    Additional information
SECURITY COMPLIANCE AND STANDARDS
  DOD5015.2
  OWASP
  HIPAA
  FISMA
  FEDRAMP
  ISO 27001
  PCI DATA SECURITY STANDARD
APPENDIX I: SECURITY CHECKLIST
APPENDIX II: THIRD PARTY LIBRARIES INCLUDED IN ALFRESCO

Alfresco Security Best Practices

Introduction
This guide is intended to fill a need for Alfresco administrators to have a collection of tips for
enhancing the security of their implementation. If you are concerned about the security of
your content, this guide is specifically written for you.

This guide addresses the security of an Alfresco implementation from two different views:
- Threat view: We will identify how a potential attacker could exploit security issues with
  the installation;
- Administrator view: We will discuss how an administrator can prevent and protect an
  installation.

Audience
This document is intended for the Alfresco Enterprise customer and partner network, with
special focus on technical teams such as Enterprise Architecture, Development, Support, and
Operations. Because it requires a deep understanding of the architecture, components, and
technologies involved in the operations of the Alfresco platform, the ideal reader should hold
an Alfresco Certified Engineer (ACE) or Alfresco Certified Administrator (ACA) certification.
More details on the certifications can be found at http://university.alfresco.com.

Related Publications
For some recommendations an official link is provided. In addition, here is a list of sources
of information related to Alfresco and this guide:
- Alfresco Security Policy:
  http://docs.alfresco.com/support/concepts/su-external-security-policy.html
- Alfresco Cloud Security Policy:
  http://docs.alfresco.com/support/concepts/su-external-security-policy-cloud.html
- Alfresco in the Cloud Security White Paper:
  http://www2.alfresco.com/l/1234/2012-08-07/374w8d/1234/151131/Alfresco_in_the_cloud_Security.pdf
- Alfresco Backup and Disaster Recovery White Paper: http://bit.ly/1lvNkcz
- Alfresco Security Best Practices talk at Alfresco DevCon 2012: http://bit.ly/1rBtOme

How to Read this Guide


This guide tries to accommodate two needs: (1) having a handy reference on how to secure the
most common services and subsystems in Alfresco and (2) providing some background on
Alfresco security. Understanding the Alfresco internals is essential if the reader wants to
achieve proper application hardening.
Most of the advice and best practices included in this guide are based on Alfresco One version
4.2.

Disclaimer and Scope


This guide specifically does not address physical security, the protection of software and
hardware against new exploits, basic IT security housekeeping, information assurance
techniques, traffic analysis attacks, issues with key rollover and key management, securing
client PCs and mobile devices (theft or loss), proper Operations Security, social engineering
attacks, protection against tempest attack techniques, jamming the encrypted channel or other
similar attacks, which are typically employed to circumvent strong encryption.

Alfresco Security Policy


When a security issue is discovered, Alfresco will do the following:
1. Send it directly to the subject matter expert to evaluate the scope and severity of the
issue;
2. Issue one or more versions, whatever is required, to resolve the security breach as soon
as possible;
3. Inform our customers and partners that this version is available.

The version(s) where a particular security issue is resolved will depend on the scope and
severity of the issue, and may include:
1. A maintenance release for the last major version;
2. A hot fix for the last major versions;
3. Hot fixes for older maintained versions.

Example 1: A security issue is discovered in Alfresco v4.1.2, which is unlikely to be exploited.
Alfresco will:
- Ensure that the next release, Alfresco 4.1.3, fixes the issue.

Example 2: A security issue is discovered in Alfresco v4.1.2, which could be exploited. Alfresco
will:
- Issue a hot fix for Alfresco v4.1.2 as soon as possible;
- Issue a hot fix for Alfresco v3.4, if applicable, as soon as possible;
- Ensure the next release, Alfresco v4.1.3, fixes the issue.

Example 3: A security issue is discovered in Alfresco v4.1.2, which is being exploited. Alfresco
will:
- Issue a hot fix for Alfresco v4.1.2 as soon as possible;
- Issue a hot fix for Alfresco versions 3.0, 3.1, 3.2, 3.3, 3.4 and 4.0 as soon as possible;
- Ensure the next release, Alfresco v4.1.3, fixes the issue.

Release of Security Notifications


When a security issue in an Alfresco product is found and fixed, Alfresco notifies customers in a
number of ways:
- If this is a blocker issue with a workaround, Alfresco sends a critical security alert email
  to all customers warning of the issue and providing the workaround. A second critical
  security alert will then be sent which includes details for the fixed version(s).
- If this is a blocker issue without a workaround, Alfresco releases the version containing
  the fix and then sends a critical security alert email to all customers.
- For all other severity issues, Alfresco releases the version containing the fix and then
  sends a security alert email to all customers.
For all issues, there will be a security notice posted within the support portal at the same time
the version with the fix is released.

Severity Levels
Alfresco classifies security vulnerabilities by severity, on a case-by-case basis, using common
sense and the examples shown here as a guideline.

High
A vulnerability is classified as High severity if any of the following hold true:
- Customer data can be compromised;
- The server running the application can be compromised;
- A Denial of Service (DoS) can render the system unavailable;
- The vulnerability was discovered externally, is known about externally, or is being
  actively exploited.

Medium
A vulnerability is classified as Medium severity if any of the following hold true:
- It would otherwise be High severity but it was discovered internally and/or is not
  believed to be known externally;
- It is a less serious vulnerability such as an XSS or CSRF.

Low
A vulnerability is classified as Low severity if it poses only a marginal or insignificant
risk.

NOTE: Alfresco has an internal SLA to resolve vulnerabilities based on the severity classification
mentioned above.

Reporting a Security Issue to Alfresco


Please report all security issues by logging a support case via the support portal. If you do not
have access to the support portal, please email support@alfresco.com to ensure that the
information is reported to Alfresco. This is essential so that the security issue does not enter
into the public domain prematurely.

Components to Consider
As has been stated above in this document, there are different components that may affect
application security. Below is a list of components that need to be considered, from the physical
environment to the software:

1. Facilities;
2. Physical security;
3. Network infrastructure;
4. Virtual and/or physical infrastructure;
5. Network configuration;
6. Firewall;
7. Operating System;
8. JVM and Application Server;
9. Alfresco;
10. People;
11. Process.

This guide mostly deals with Alfresco security. Additional security tips and guidelines are
included for components that are directly related to Alfresco security and maintenance, such as
the JVM, application server, operating system, and firewall.

The External and Internal Perspective


External Threats
If an Alfresco installation is exposed to the Internet it could potentially be the target of different
types of attacks. In this section we list activities that can be used by an attacker to discover
information pertaining to an Alfresco installation. For example, this information might include
the application server, operating system and content items.

Discovery, Information Gathering and Information Leaks


Before performing an intrusion, an attacker may need to gather target information in order to
enumerate devices, hostnames, domains or subdomains, ports, protocols, services, applications
and even usernames or passwords.

Although Alfresco is mostly an Intranet or Extranet service, it can be configured to be
connected directly to the Internet. In this case, an Alfresco installation may be discovered
using many different techniques. Of the hundreds of tools available for discovery and
information gathering, we will highlight some well-known resources below:

- Google and Bing: With a simple search we can find some servers that are exposed.
  https://www.google.com/?q=%2220052014+Alfresco+Software+Inc.+All+rights+reserved.%22

- Shodan (http://www.shodanhq.com/): This is a device search engine based on ports and
  service headers or banners.
  https://www.shodan.io/search?query=%22alfresco%22+server+port%3A8080

- FOCA (http://www.informatica64.com/foca.aspx): This is a graphical tool (Windows) that
  utilizes the Google and Bing search engines and DNS records to retrieve metadata from the
  documents that are available in the target domain. It searches for usernames, software
  versions and server or machine names.

- Metagoofil: This is a command line tool (Linux) that utilizes the Google search engine to
  retrieve metadata from the documents that are available in the target domain. It
  searches for usernames, software versions and server or machine names.

- theharvester: This is a command line tool (Linux) that looks for email accounts,
  usernames, hostnames and subdomains by using Google, Bing, LinkedIn, Shodan and
  more.

- Maltego: This is an open source intelligence and forensics application. It allows you to
  mine and gather information from public resources and then represent the information
  in a meaningful way.

- Nmap port scanning: It is used to determine the state of TCP and UDP ports for the
  target host, among other network protocols.

- Other manual tasks:
Banner read from a Tomcat server:
# echo -e "HEAD / HTTP/1.0\n\n" | nc 192.168.11.129 8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2763
Date: Fri, 12 Sep 2014 22:06:59 GMT
Connection: close


The same test against Alfresco Share:
# echo -e "HEAD /share/page/ HTTP/1.0\n\n" | nc 192.168.11.129 8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 39170
Date: Fri, 12 Sep 2014 22:09:36 GMT
Connection: close
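An administrator can make the same comparison on the two responses above before an outsider does. The following added example (not part of the original guide) parses both header blocks and reports the software banner and any browser-protection header that is missing; the error-page body, its version number and the list of banner headers are constructed assumptions.

```python
import re

# Header blocks copied from the two HEAD requests shown above.
TOMCAT_ROOT = """\
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2763
Date: Fri, 12 Sep 2014 22:06:59 GMT
Connection: close
"""

SHARE_PAGE = """\
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 39170
Date: Fri, 12 Sep 2014 22:09:36 GMT
Connection: close
"""

# Constructed sample: footer of a default Tomcat error page (version made up).
ERROR_BODY = ("<html><body><h1>HTTP Status 404 - /nope</h1><hr>"
              "<h3>Apache Tomcat/7.0.0</h3></body></html>")

# The browser-protection headers present in the Share response.
PROTECTIVE_HEADERS = ("X-Frame-Options", "X-XSS-Protection",
                      "X-Content-Type-Options")
# Headers that commonly name the software stack (assumed list for this example).
BANNER_HEADERS = ("Server", "X-Powered-By")
# A "product/version" token such as Apache-Coyote/1.1.
PRODUCT_VERSION = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")


def parse_head(raw):
    """Return (status_code, headers) with header names lower-cased."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if match is None:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def audit_headers(raw):
    """List (kind, detail) findings for one response header block."""
    _, headers = parse_head(raw)
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name.lower())
        if value and PRODUCT_VERSION.search(value):
            findings.append(("banner", "%s: %s" % (name, value)))
    for name in PROTECTIVE_HEADERS:
        if name.lower() not in headers:
            findings.append(("missing", name))
    return findings


def audit_error_body(body):
    """Return the Tomcat version strings that an error page body exposes."""
    return re.findall(r"Apache Tomcat/\d+(?:\.\d+)*", body)


if __name__ == "__main__":
    for label, raw in (("/", TOMCAT_ROOT), ("/share/page/", SHARE_PAGE)):
        for kind, detail in audit_headers(raw):
            print("%-14s %-8s %s" % (label, kind, detail))
    print("error page:", audit_error_body(ERROR_BODY))
```

Both responses carry the same connector banner, but only the Share page sends the three protection headers; the Tomcat root page does not.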


In addition to all the threats described above, these tools are also useful for gathering
information from files. It is well known that most content items contain information about
themselves inside their own files: their metadata. Besides the file name, photos will have
information about the camera and even geolocation. MS Office, Open/LibreOffice or PDF
documents may store user names, network resources, email addresses and other useful
information for a potential intrusion test. Some of these properties are extracted automatically
by Alfresco in order to populate its own database, but the properties are still stored in
the file itself. If Alfresco publishes these documents externally or the files are accessed
from portals, emails, etc., then we need to add protection in order to prevent information
leaks.

Protection

- Use an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Host IDS,
  Advanced Threat Protection Systems and Web Application Firewall to mitigate some of
  these scans;
- The Alfresco banner can be removed from the Alfresco Share login page;
- Filter the access to Alfresco resources through a specific network or IP address. Refer to
  the Architecture section in this document;
- Clean metadata from documents before distributing them. Alfresco can do this for you with
  an easy customization. Tools for metadata cleaning include: ExifTool, OOMetaExtractor
  (http://www.codeplex.org/oometaextractor), MS Office 2003 & XP
  (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54edd43e-42ca-bc7b-5446d34e5360)
  or BatchPurifier. Demo and tools are available on the Alfresco DevCon 2012 site
  (http://devcon.alfresco.com/speakers/toni-de-la-fuente);
- Remove the application server and web server versions. For example, the default
  ErrorReportValve includes the Tomcat version number in the response that is sent to
  clients. To avoid this, custom error handling can be configured within each web
  application. Alternatively, you can explicitly configure an ErrorReportValve and set its
  showServerInfo attribute to false. The version number can also be changed by creating
  the file CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with the
  following content:

server.info=My App Server

Brute Force Username and Passwords Attacks


Passwords are one of the easiest elements that can be attacked in order to gain access to a
system. Alfresco stores usernames and passwords; the passwords are hashed and are not
stored as plain text anywhere on the system. In most corporate environments, Alfresco is
usually connected to a user directory like LDAP or Active Directory, which is then responsible
for managing passwords and controlling any kind of attack against them.
Below is an example of dictionary-based cracking against a WebDAV service with the Hydra tool
(a very fast network logon cracker which supports many different services):
# hydra -L usernames.txt -P passwords.txt -u -s 8080 -m 'http://127.0.0.1' 127.0.0.1 http-get
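On the server, a dictionary run like this one leaves a dense run of 401 responses from one source in the access log. The following added example (not part of the original guide) flags sources that exceed a failure threshold inside a time window and notes when an authenticated request follows the burst; the log lines, addresses, user names, the /alfresco/webdav path and the threshold values are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the access log "common" pattern:
#   %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
192.0.2.80 - - [12/Sep/2014:22:00:00 +0000] "GET /alfresco/webdav HTTP/1.1" 401 951
192.0.2.44 - - [12/Sep/2014:22:09:50 +0000] "GET /alfresco/webdav HTTP/1.1" 401 951
192.0.2.44 - asmith [12/Sep/2014:22:09:58 +0000] "GET /alfresco/webdav HTTP/1.1" 200 4312
198.51.100.7 - - [12/Sep/2014:22:10:01 +0000] "GET /alfresco/webdav HTTP/1.1" 401 951
198.51.100.7 - - [12/Sep/2014:22:10:02 +0000] "GET /alfresco/webdav HTTP/1.1" 401 951
198.51.100.7 - - [12/Sep/2014:22:10:02 +0000] "GET /alfresco/webdav HTTP/1.1" 401 951
198.51.100.7 - - [12/Sep/2014:22:10:03 +0000] "GET /alfresco/webdav HTTP/1.1" 401 951
192.0.2.44 - asmith [12/Sep/2014:22:10:03 +0000] "GET /share/page/ HTTP/1.1" 200 39170
198.51.100.7 - - [12/Sep/2014:22:10:04 +0000] "GET /alfresco/webdav HTTP/1.1" 401 951
198.51.100.7 - - [12/Sep/2014:22:10:05 +0000] "GET /alfresco/webdav HTTP/1.1" 401 951
198.51.100.7 - mjones [12/Sep/2014:22:10:06 +0000] "GET /alfresco/webdav HTTP/1.1" 200 4312
192.0.2.80 - - [12/Sep/2014:22:20:00 +0000] "GET /alfresco/webdav HTTP/1.1" 401 951
"""

LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def detect_password_guessing(log_text, threshold=5, window=60,
                             prefix="/alfresco/webdav"):
    """Return {source: details} for sources with >= threshold 401s in window seconds.

    details holds the peak failure count inside the window, the time of the
    first failure in the burst, and the first authenticated user seen from
    that source after the burst (None if there was none).
    """
    span = timedelta(seconds=window)
    recent = defaultdict(deque)  # source -> timestamps of recent 401s
    alerts = {}
    for line in log_text.splitlines():
        match = LINE.match(line)
        if match is None or not match.group("path").startswith(prefix):
            continue
        host, user = match.group("host"), match.group("user")
        status = int(match.group("status"))
        when = datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if status == 401:
            queue = recent[host]
            queue.append(when)
            while when - queue[0] > span:
                queue.popleft()  # drop failures that fell out of the window
            if len(queue) >= threshold:
                alert = alerts.setdefault(
                    host, {"failures": 0, "first_seen": queue[0],
                           "login_after": None})
                alert["failures"] = max(alert["failures"], len(queue))
        elif 200 <= status < 300 and user != "-" and host in alerts:
            if alerts[host]["login_after"] is None:
                alerts[host]["login_after"] = user  # account to review first
    return alerts


if __name__ == "__main__":
    for source, info in detect_password_guessing(SAMPLE_LOG).items():
        print(source, info["failures"], "failures since",
              info["first_seen"].isoformat(),
              "| authenticated afterwards as:", info["login_after"])
```

The single mistyped password from 192.0.2.44 and the two failures twenty minutes apart from 192.0.2.80 stay below the threshold, so only the burst is reported.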

Protection

- Implement a password rotation and strength policy (see https://howsecureismypassword.net/
  and https://secure.packetizer.com/pwgen/).
- Implement a failed-login threshold, based on a count of consecutive password failures, to
  prevent brute force or dictionary attacks. This is done on the LDAP side or in your
  third-party authentication system, and in most cases can be set by configuration. Some
  well-known LDAP servers have an attribute called pwdMaxFailure to control this behavior.
  NOTE: Take care to prevent DoS attacks that work by locking all accounts.

MITM Attacks
Man in the middle attacks can be performed in many different ways depending on the
deployment architecture. For instance, consider a four-tier architecture with a web server or a
load balancer in front of Alfresco, an Index Server and a database server. An MITM attack can
be performed between the users and the web server, between the web server and Alfresco,
between Alfresco and the Index Server, and finally between Alfresco and the database server.
The way to prevent these types of attacks is to use encrypted and authenticated
communications.
Protection

- A secure architecture design in layers and with protection;
- Out of the box Alfresco provides encryption and authentication between the Alfresco
  repository and the Index Server. Authentication is also provided for the users to connect to
  the DB but encryption is not. In this case, it is extremely important to consider enabling
  encryption at least for the end user communications;
- Check your security certificate strength (https://www.ssllabs.com/ssldb/analyze.html) and
  tweak your SSL settings until you get an A grade or above.

DOS and DDOS


If the Alfresco server is facing the Internet there is a risk of being the target of a Denial of
Service or a Distributed Denial of Service attack. A layer of protection should be added to guard
against this.
Protection

- Use traditional firewall techniques to limit the attack surface for potential attackers.
  Deny traffic to and from the source or the destination of the attack. Manage the list of
  allowed destination servers and services. Manage the list of allowed sources of traffic,
  ports, and protocols;
- Use web application firewalls to inspect web packet traffic;
- Use IDS/IPS systems to prevent statistical or behavioral attacks and signature-based
  algorithms to detect network attacks and Trojans;
- Get control of ICMP and TCP SYN to prevent flooding;
- Consider using vendor solutions like AWS, Akamai, DOS Arrest, Incapsula, etc.

Viruses
Since viruses can be found in most kinds of content, an antivirus solution must be deployed
throughout all infrastructure tiers, from client desktops to servers. Alfresco is fully compatible
with any antivirus software that executes on a server or through the communication layer. This
guarantees that no infected content is stored or accessible through the platform.
Protection
There is a third party module available for Alfresco called Alfviral13. This can be used inside the
repository to trigger an analysis of a given content. It can also be used to check virus signatures
against databases like VirusTotal or ClamAV solutions. The use of Advanced Threat Protection
Systems are also recommended.

Vulnerabilities Assessment
Public Vulnerabilities
Related to Alfresco since its first version in 2005:
1. SEC Consult SA-20140716-0 (MNT-11793): Multiple SSRF vulnerabilities. FIXED in all
major versions;
2. CVE-2014-2939: Summary: Multiple cross-site scripting (XSS) vulnerabilities in Alfresco
Enterprise before 4.1.6.13 allow remote attackers to inject arbitrary web script or HTML
via (1) an XHTML document, (2) a <% tag, or (3) the taskId parameter to
share/page/task-edit. Published: 6/2/2014 3:55:03 PM. CVSS Severity: 4.3 MEDIUM;
3. CVE-2014-0125: Moodle integration using the session key in the file URL, allowing
anyone with the link to steal the identity of the user posting content. Summary:
repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before
2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote
attackers to bypass intended Alfresco Repository file restrictions by impersonating a
file's owner. Published: 3/24/2014 10:20:39 AM. CVSS Severity: 5.8 MEDIUM;
4. Bugtraq ID 37578: Joomla Module for Alfresco 'id_pan' Parameter SQL Injection
Vulnerability, in Joomla, not in Alfresco.


[13] https://github.com/fegorama/alfviral

Other Vulnerabilities
These were discovered through internal periodic auditing or reported by customers and were
FIXED prior to the publication of this guide. This includes the following Alfresco versions:
3.4.X, 4.0.X, 4.1.X and 4.2.X:
1. CVE-2014-0050: Apache Commons FileUpload and Apache Tomcat DoS;
2. MNT-10540: Share: Remote code execution. User has to be logged in;
3. MNT-10539: Parsing vulnerability in Xerces (Apache POI and Alfresco code);
4. MNT-11793: Port scanning internal networks (proxy and cmisbrowser).

Hardening the Network and Operating System


Even if your Alfresco configuration is as secure as possible, an improperly configured operating
system will make that work useless. In this section, we will consider some items to be taken into
account.
In some cases, better security in an operating system means less usability. A good rule
of thumb is to reduce the privileges of the application on the operating system, if possible.

Network
In any enterprise architecture we can find different network elements. All of them must be
configured to protect the existing network resources. The following should be considered for
inclusion in the Alfresco security customization of firewalls: IDS, IPS, Antivirus, Web Application
Firewall, and DoS/DDoS protection devices.

OS Security
Use OS vendor-specific security recommendations (for all supported OS in Alfresco One 4.2.3):

Red Hat Linux 6.4 [14]
Sun Solaris 11.1 [15]
Ubuntu 12.04 LTS [16]
Suse 11.3 [17]
Microsoft Windows Server 2012 [18]
Microsoft Windows Server 2008 R2 [19]

At the OS level, the most important measure is to restrict the permissions on the Alfresco files
so that they are accessible only to the user who is running Alfresco. Change file permissions to
allow only the application user to see and write these files and/or directories
(i.e. Linux: chmod 0600 <path-to-file>):

alfresco-global.properties
dir_root/contentstore
dir_root/solr or dir_root/lucene-indexes

[14] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html
[15] http://docs.oracle.com/cd/E23824_01/html/819-3195/index.html
[16] https://help.ubuntu.com/12.04/serverguide/security.html
[17] https://www.suse.com/documentation/sles11/singlehtml/book_security/book_security.html
[18] http://technet.microsoft.com/en-us/library/jj898542.aspx
[19] http://technet.microsoft.com/en-us/library/gg236605.aspx
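
The permission rule for these paths can be checked mechanically. The following Python code is an added example, not part of the original guide or of Alfresco: it reports every entry under the listed paths that is not owned by the Alfresco user or that is accessible to group/other, and tightens files to 0600 and directories to 0700 (a directory needs the owner execute bit to be traversed, so 0600 only suits files). The function names and the sample tree are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def _entries(paths):
    """Yield each given path and everything below it, without following symlinks."""
    for top in paths:
        yield top
        if os.path.isdir(top) and not os.path.islink(top):
            for root, dirs, files in os.walk(top):
                for name in dirs + files:
                    yield os.path.join(root, name)


def audit_permissions(paths, owner_uid):
    """Return (path, problem) tuples for entries reachable by anyone but owner_uid."""
    findings = []
    for path in _entries(paths):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink, target not checked"))
            continue
        if st.st_uid != owner_uid:
            findings.append((path, "owned by uid %d, expected %d" % (st.st_uid, owner_uid)))
        extra = stat.S_IMODE(st.st_mode) & 0o077  # any group/other permission bit
        if extra:
            findings.append((path, "group/other bits set: %03o" % extra))
    return findings


def harden(paths):
    """Set 0700 on directories and 0600 on files; symlinks are left untouched."""
    for path in _entries(paths):
        if os.path.islink(path):
            continue
        os.chmod(path, 0o700 if os.path.isdir(path) else 0o600)


def demo():
    """Build a constructed tree with loose permissions, audit it, harden it, audit again."""
    base = tempfile.mkdtemp()
    try:
        props = os.path.join(base, "alfresco-global.properties")
        store = os.path.join(base, "contentstore")
        day = os.path.join(store, "2014")
        blob = os.path.join(day, "sample.bin")
        os.makedirs(day)
        for name in (props, blob):
            with open(name, "w") as handle:
                handle.write("constructed sample\n")
        os.chmod(props, 0o644)
        os.chmod(store, 0o755)
        os.chmod(day, 0o755)
        os.chmod(blob, 0o640)
        targets = [props, store]
        before = audit_permissions(targets, os.getuid())
        harden(targets)
        after = audit_permissions(targets, os.getuid())
        return before, after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    found_before, found_after = demo()
    for path, problem in found_before:
        print("BEFORE", path, problem)
    print("findings after hardening:", len(found_after))
```

On a real server, pass the uid of the account that runs Alfresco and the real paths instead of the constructed tree.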

Configuring Your Firewall


Your operating system firewall is a powerful line of defense for your server. Do not run Alfresco
without it. When configuring the firewall, you can use the same rule of thumb as for all OS
settings: block everything and then add privileges one at a time until you have allowed the
minimum amount of access required for your scenario.
When determining what traffic will be allowed, be sure to consider both inbound and outbound
activity. There is no reason to allow outbound activity via interfaces that you do not need.
These could potentially be exploited by malicious applications. For example, outbound HTTP
requests are often used by malware programs to communicate with operators.

Inbound Ports
The ports listed below can be considered for both the server and the network firewall.

| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| HTTP | 8080 | TCP | IN | Yes | WebDAV included |
| FTP | 21 | TCP | IN | Yes | Passive mode |
| SMTP | 25 | TCP | IN | No | |
| CIFS | 137,138 | UDP | IN | Yes | |
| CIFS | 139,445 | TCP | IN | Yes | |
| IMAP | 143 or 993 | TCP | IN | No | |
| SharePoint Protocol | 7070 | TCP | IN | Yes | |
| Tomcat Admin | 8005 | TCP | IN | Yes | Unless it is necessary, do not open this port at the firewall |
| Tomcat AJP | 8009 | TCP | IN | Yes | Unless it is necessary, do not open this port at the firewall |
| SOLR Admin | 8443 | TCP | IN | Yes | If used to admin Solr, the cert has to be installed in the browser. Otherwise take it into account in case of using a dedicated Index Server. The Alfresco repository server must have access to this port IN and OUT |
| NFS | 111,2049 | TCP/UDP | IN | No | This is the repository service NFS as VFS |
| RMI | 50500-50507 | TCP | IN | Yes | Used for JMX management. Unless it is necessary, do not open this port at the firewall |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2 |
| JGroups | 7800 | TCP | IN | No | Cluster discovery between nodes before 4.2 |
| JGroups | 7801-7802 | TCP | IN | No | Traffic Ehcache RMI between cluster nodes before 4.2. |
| OpenOffice/JODconverter | 8100 | TCP | IN | Yes | It works in localhost, do not open it at the firewall |

Outbound ports
It is just as important to control all outbound traffic as it is to control inbound traffic. This will
prevent some intrusions by not allowing access to backdoors or malicious remote sites.
Here is a list of all outbound traffic you may consider opening, depending on your security
policy and Alfresco deployment:
| Protocol/Service | Port | TCP/UDP | IN/OUT | Active | Comments |
|---|---|---|---|---|---|
| SMTP | 25 | TCP | OUT | No | If you want Alfresco to send notifications, invitations, tasks, etc., then open this port from Alfresco to your corporate MTA. |
| DB PostgreSQL | 5432 | TCP | OUT | Yes* | It depends on the DB. |
| DB MySQL | 3306 | TCP | OUT | Yes* | It depends on the DB. |
| DB MS SQL Server | 1433 | TCP | OUT | Yes* | It depends on the DB. |
| DB Oracle | 1521 | TCP | OUT | Yes* | It depends on the DB. |
| DB DB2 | 50000 | TCP | OUT | Yes* | It depends on the DB. |
| LDAP or AD | 389 | TCP | OUT | No | If needed for authentication and synchronization. |
| LDAPS or AD | 636 | TCP | OUT | No | If needed for authentication and synchronization. |
| docs.google.com | 443 | TCP | OUT | No | |
| JGroups | 7800-7802 | TCP | OUT | No | If clustered before 4.2, only between nodes. |
| Hazelcast | 5701 | TCP | IN | No | Used by Hazelcast to exchange information between cluster nodes from 4.2, only between nodes. |
| Remote storage NFS | 111,2049 | TCP/UDP | OUT | No | If a remote NFS drive is used as the content store. |
| Remote storage CIFS | 137,138 UDP; 139,445 TCP | UDP/TCP | OUT | No | If a remote CIFS drive is used as the content store. |
| Amazon S3 | 443 | TCP | OUT | No | In case Alfresco is deployed in AWS and Amazon S3 is used as the content store |
| Alfresco Transformation Server | 80,443 or 8080,8443 | TCP | OUT | No | In case a remote Alfresco Transformation Server is used |
| Alfresco FSTR | 8080 | TCP | OUT | No | In case of using a remote Alfresco File System Transfer Receiver |
| Alfresco Remote Server | 8080 or 8443 | TCP | OUT | No | In case of using Alfresco Replication Service between Alfresco servers |
| Kerberos | 88 | TCP/UDP | OUT | No | In case Kerberos SSO is required |
| Third Party SSO | 443 | TCP | OUT | No | Third party SSO services |
| DNS | 53 | UDP | OUT | Yes | Name resolution service |
| Facebook, Twitter, LinkedIn, Slideshare, Youtube, Flickr, Wordpress or Typepad | 80 or 443 | TCP | OUT | No | In case of using Alfresco Publishing Framework or Site blog publishing |

Port Redirect
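When Alfresco is not running as root, it cannot bind to ports below 1024. It must therefore
listen on a non-standard port above 1024, and a local port redirect must forward all incoming
traffic from the standard port to that non-standard port.
Here is an example of a local port redirect with iptables, for an FTP port configured in Alfresco to
listen on port 2121 TCP:
# Redirect incoming traffic for the standard FTP port (21) to the unprivileged port (2121)
iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
# Accept the redirected traffic; the INPUT chain sees the port after the redirect
iptables -A INPUT -i eth0 -p tcp --dport 2121 -m state --state NEW,ESTABLISHED -j ACCEPT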
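
As an added illustration (not from the original guide or from Alfresco), the Python function below turns the "block everything, then allow the minimum" rule and the port redirect into a ruleset in iptables-restore format. The function name, the LOCAL_ONLY set (built from the comments in the inbound table) and the 192.0.2.x destination addresses are constructed for the example; passive-mode FTP data ports are not covered.

```python
# Ports that the inbound table says not to open at the firewall unless necessary.
LOCAL_ONLY = {8005: "Tomcat Admin", 8009: "Tomcat AJP", 8100: "OpenOffice/JODconverter"}
LOCAL_ONLY.update({port: "RMI/JMX" for port in range(50500, 50508)})


def build_ruleset(inbound, outbound, allow_local_only=False):
    """Return iptables-restore text with default-deny policies.

    inbound:  list of (public_port, listen_port) TCP pairs; a redirect is
              emitted when the two differ (Alfresco not running as root).
    outbound: list of (proto, destination, port) tuples.
    """
    nat_rules, filter_rules = [], []
    for public, listen in inbound:
        for port in (public, listen):
            if not 0 < port < 65536:
                raise ValueError("invalid port %r" % (port,))
            if port in LOCAL_ONLY and not allow_local_only:
                raise ValueError("port %d (%s) should stay closed at the firewall"
                                 % (port, LOCAL_ONLY[port]))
        if public != listen:
            nat_rules.append("-A PREROUTING -p tcp --dport %d -j REDIRECT --to-ports %d"
                             % (public, listen))
        # After the redirect, the INPUT chain sees the listen port, not the public one.
        filter_rules.append("-A INPUT -p tcp --dport %d -m state --state NEW -j ACCEPT"
                            % listen)
    for proto, destination, port in outbound:
        if proto not in ("tcp", "udp"):
            raise ValueError("unsupported protocol %r" % (proto,))
        filter_rules.append("-A OUTPUT -p %s -d %s --dport %d -m state --state NEW -j ACCEPT"
                            % (proto, destination, port))

    lines = ["*nat",
             ":PREROUTING ACCEPT [0:0]",
             ":POSTROUTING ACCEPT [0:0]",
             ":OUTPUT ACCEPT [0:0]"]
    lines += nat_rules + ["COMMIT"]
    lines += ["*filter",
              ":INPUT DROP [0:0]",      # block everything by default ...
              ":FORWARD DROP [0:0]",
              ":OUTPUT DROP [0:0]",     # ... in both directions
              "-A INPUT -i lo -j ACCEPT",
              "-A OUTPUT -o lo -j ACCEPT",
              "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
              "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    lines += filter_rules + ["COMMIT"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed deployment: HTTP on 8080, FTP redirected 21 -> 2121,
    # outbound DNS, PostgreSQL and SMTP to constructed documentation addresses.
    print(build_ruleset(
        inbound=[(8080, 8080), (21, 2121)],
        outbound=[("udp", "192.0.2.53", 53),
                  ("tcp", "192.0.2.10", 5432),
                  ("tcp", "192.0.2.25", 25)],
    ))
```

Review the generated text before loading it with iptables-restore, since the default-deny policies also cut any management access that is not listed.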

Determining Minimum Privileges


The user you create to run Alfresco should be allowed only the minimum privileges required to
run the application server as required by your scenario. From a security standpoint, the ideal
user will only have permission to write logs and read files, period.
However, many users may find it necessary or convenient to allow the modification of start-up
scripts and configuration files, or the deployment of new versions for patches or
hotfixes. Whatever configuration you use, simply make sure that you are aware of the
associated risks.


Alfresco Implementation Best Practices


Stay Current
Alfresco is a product in continuous evolution. Our customers and the community are improving
the software by recommending new features, finding bugs and suggesting solutions. The
easiest way to improve the security of your Alfresco platform is to keep your version up to
date. New bug fixes and security patches are added in every release. Alfresco also notifies the
Enterprise user and community members of major security threats and patches via the Support
Portal, email and forums. Always upgrade to the latest stable version of Alfresco, as soon as
possible, and read the Release Notes to be aware of the fixed security bugs.

Do Not Run the Application Server as Root


As it has been stated above, when running any Internet or intranet service, it is always a good
idea to avoid running it as the root user, if possible. When installing the application server,
create a new user with a minimum set of privileges that will always run the application server
for you, as part of your configuration process.

Note that restricting privileges in this fashion can introduce problems with listening to
privileged ports. These are commonly solved in Linux by using the iptables tool to redirect
ports to non-privileged ones. See more in the next section.

Repository Level Security


Enable SSL
In production environments, enabling encryption is a must. In this section we will see how to
enable encryption in the most used Alfresco interfaces.
HTTP -> HTTPS
There are different methods to implement SSL for the HTTP access to Alfresco Repository
(WebDAV, API and Admin Panel) and Alfresco Share. In most cases all methods are valid for
both Alfresco repository and Share web access.

We may classify three different methods depending on the Alfresco work load. All of the
methods may work for any sizing depending on the system tuning. This is just a best practice
for where to locate the SSL end point to avoid SSL CPU consumption that may affect the
Alfresco performance.

1. Low or reduced load, 10-100 concurrent sessions;
   a. Application server enabled SSL: depending on the application server vendor, this
      can be configured in different ways and it is extensively documented. Here is a
      list of resources to enable SSL in all our supported application servers:
      i. Apache Tomcat [20]
      ii. JBOSS [21]
      iii. Weblogic [22]
      iv. Websphere [23]

2. Medium load, 100-500 concurrent sessions;
   a. Apache, IIS or Nginx enabled SSL in a frontend-dedicated server.

3. High load, +500 concurrent sessions;
   a. SSL dedicated hardware appliance or other third party solutions.


Additionally, if Alfresco Share is in a separate layer from the Alfresco Repository, you may want
to encrypt any traffic that's in between both of them. Once HTTPS is enabled in both
application servers, just change the Alfresco Share configuration URLs used to connect to the
Alfresco Repository in ${extensionRoot}/alfresco/web-extension/share-config-custom.xml and
adapt all <endpoint-url> to your repository HTTPS URL.

NOTE: in any case, always enable HSTS (HTTP Strict Transport Security) to guarantee that HTTPS
is always used.
SharePoint Protocol
There are two ways to approach getting the Alfresco SharePoint Protocol to run over SSL and
avoid having to modify the Windows registry [24] to allow non-SSL connections from MS Office (in
both Windows and Mac).

One way is to use the out of the box SSL certificate that Alfresco uses for
communications between itself and Solr, which is not recommended for production
systems;
The other is to generate a new certificate [25] and configure Alfresco to use it. If you want
to use a custom certificate, this is the option to use. The next steps were tested on Alfresco 4.2
and should work in 4.2 as well for both Enterprise and Community.

There are instructions on how to enable SSL in the Alfresco SharePoint interface on the official
documentation portal [26].

[20] http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
[21] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Administration_and_Configuration_Guide/Implement_SSL_Encryption_for_the_JBoss_Enterprise_Application_Platform_Web_Server1.html
[22] http://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm
[23] http://www.ibm.com/developerworks/websphere/techjournal/1210_lansche/1210_lansche.html
[24] http://support.microsoft.com/kb/2123563

IMAP -> IMAPS
To enable SSL for the IMAP protocol that Alfresco implements to give access to the repository
from an email client, follow the official documentation instructions [27] or configure the IMAP
subsystem in the Enterprise Admin Panel.

SMTP Inbound with TLS

Alfresco supports secure connections when it has SMTP inbound enabled. It can be set by
customizing the email subsystem [28] through alfresco-global.properties with the option
email.server.enableTLS=true and configuring the Java keystore [29], or in the Enterprise Admin
Console.

[25] http://docs.alfresco.com/4.2/tasks/SharePoint-HTTPS-setup.html
[26] http://docs.alfresco.com/4.2/tasks/SharePoint-SSL.html
[27] http://docs.alfresco.com/4.2/concepts/IMAP-subsystem-props.html
[28] http://docs.alfresco.com/4.2/concepts/email-inboundsmtp-props.html
[29] http://docs.alfresco.com/4.2/concepts/troubleshoot-inboundemail.html

SMTP Outbound with TLS


SSL-TLS configuration for external emails sent by Alfresco to users for notifications, invitations,
etc., depends on the remote server features, and it has to support secure connections.
Configuration examples may be found on the official documentation portal [30] and in the
Enterprise Admin Panel as well.

[30] http://docs.alfresco.com/4.2/concepts/email-outboundsmtp-props.html

FTP -> FTPS
The FTP interface implemented by Alfresco can also be configured in secure mode to encrypt
the communication between client and server. It has to be configured in the
alfresco-global.properties file by following the instructions in the official documentation [31].
Connect to LDAP in Secure Mode with LDAPS
In order to enable SSL communication between the Alfresco repository and an LDAP server, it
has to be supported by the remote directory server. For SSL it is required that you switch the
port from 389 to 636.

NOTE: Ask your LDAP or Active Directory administrator before changing any Alfresco
configurations.
Hazelcast
This is not usually required, but message communication between cluster nodes may be
encrypted [32].

Understanding Roles and Permissions


It is well known that Alfresco comes with a complex and very flexible permissions model.
Alfresco uses roles to determine what a user can and cannot do within a site and the content.
Each role is associated with permissions. Permissions apply to dashboards [33] and to content [34].
By default, permissions applied to a node in the repository are inherited unless inheritance is
deactivated.

Custom Roles
Creating a new role may be a common task when working with custom Alfresco
deployments. The process is easy; you just need to follow some steps [35]. Bear in mind that the
most important file, where the default roles are defined, is located in:
TOMCAT_HOME/webapps/alfresco/WEB-INF/classes/alfresco/model/permissionDefinitions.xml

[31] http://docs.alfresco.com/4.2/concepts/fileserv-ftp-props.html
[32] http://hazelcast.org/docs/latest/manual/html/ssl.html#encryption

Audit
The Audit Service provides a configurable record of actions and events. It collects information
and stores it in a simple database form. The Audit Service includes the ability to audit system
and user events, metadata changes and data stored in the Alfresco database. In order to have
the Audit feature enabled in Alfresco you need to add the following values in the
alfresco-global.properties [36] file:

audit.enabled=true
audit.sync.enabled=true
audit.tagging.enabled=true
audit.alfresco-access.enabled=true
audit.alfresco-access.sub-actions.enabled=true
audit.cmischangelog.enabled=true

NOTE: If Alfresco Cloud Sync is used, audit.enabled and audit.sync.enabled must be true.
All audit information is stored in the Alfresco database and has to be queried through the
API.
To check if the Audit feature is enabled in Alfresco and what is being audited:
# curl -u admin:admin http://localhost:8080/alfresco/service/api/audit/control
{
   "enabled" : true,
   "applications":
   [
      {
         "name": "Alfresco Sync Service",
         "path" : "/sync",
         "enabled" : true
      }
      ,
      {
         "name": "Alfresco Tagging Service",
         "path" : "/tagging",
         "enabled" : true
      }
      ,
      {
         "name": "RM",
         "path" : "/RM",
         "enabled" : true
      }
   ]
}

[33] http://docs.alfresco.com/4.2/references/permissions_share_other.html
[34] http://docs.alfresco.com/4.2/references/permissions_share_components.html
[35] https://wiki.alfresco.com/wiki/Custom_Permissions_in_Share
[36] http://docs.alfresco.com/4.2/tasks/audit-enable.html

Audit authentication has to be enabled by renaming the file
${extensionRoot}/alfresco/extension/audit/alfresco-audit-example-login.xml.sample to
${extensionRoot}/alfresco/extension/audit/alfresco-audit-example-login.xml. Then restart and
check the last authentications to Alfresco with a command like the one below:
# curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1"

or, to see how many failed authentications were performed by the admin user:

# curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1?verbose=true&user=admin"

More queries and information about auditing Alfresco can be found in the official
documentation [37].
Get to Know Logged Users
Thanks to the Alfresco Support Tools [38] module, available for the Enterprise Admin console, an
administrator can always check who is logged in to the system.

[37] http://docs.alfresco.com/4.2/concepts/audit-intro.html
[38] https://addons.alfresco.com/addons/support-tools-admin-console

Reset Admin Password


If the admin password is lost, there is a way to reset it to admin by changing the database.
First of all, search for the admin password field:
SELECT anp1.node_id, anp1.qname_id, anp1.string_value
FROM alf_node_properties anp1
INNER JOIN alf_qname aq1 ON aq1.id = anp1.qname_id
INNER JOIN alf_node_properties anp2 ON anp2.node_id = anp1.node_id
INNER JOIN alf_qname aq2 ON aq2.id = anp2.qname_id
WHERE aq1.local_name = 'password'
AND aq2.local_name = 'username'
AND anp2.string_value = 'admin';
+---------+----------+----------------------------------+
| node_id | qname_id | string_value                     |
+---------+----------+----------------------------------+
|       4 |       10 | 209c6174da490caeb422f3fa5a7ae634 |
+---------+----------+----------------------------------+
1 row in set (0.16 sec)

Note the node_id and qname_id values for later modification. Additionally,
209c6174da490caeb422f3fa5a7ae634 is the MD4 hash value for admin. Now it can be set
as follows:
UPDATE alf_node_properties
SET string_value='209c6174da490caeb422f3fa5a7ae634'
WHERE
node_id=THE_NODE_ID_ABOVE and qname_id=THE_QNAME_VALUE_ABOVE;

Ticket Session Duration Control


In case of a third party application connection, you may need a ticket. This ticket can be
queried by accessing http://localhost:8080/alfresco/service/api/login?u=admin&pw=admin
The duration of this authentication ticket can be configured with:
authentication.ticket.validDuration=PT1H

in the alfresco-global.properties file, which means 1 hour. Remember to use HTTPS to get the
ticket.

Disable Unneeded Services


All of these options can be added to the alfresco-global.properties file. Unless the Alfresco
Enterprise Admin Console is used to make the changes, a restart is required:

Enable/Disable FTP:
ftp.enabled=false

Enable/Disable CIFS:
cifs.enabled=false

Enable/Disable IMAP:
imap.server.enabled=false

Enable/Disable NFS:
nfs.enabled=false

Enable/Disable Audit (do not disable it if Cloud Sync is used):
audit.enabled=true

Enable the alfresco-access audit application:
audit.alfresco-access.enabled=true
audit.alfresco-access.sub-actions.enabled=true
audit.cmischangelog.enabled=true

Disable WebDAV:
system.webdav.servlet.enabled=false

Disable SharePoint:
Uninstall the VTI module.

Prevent replication from the server configuration:
replication.enabled=false
transferservice.receiver.enabled=false

Disable Guest User

For NTLM-Default (default is true):
alfresco.authentication.allowGuestLogin=false

For pass-through (default is false):
passthru.authentication.guestAccess=false

For LDAP/AD (default is true):
ldap.authentication.allowGuestLogin=false
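
The settings in this section and in the Audit section can be verified against a deployed alfresco-global.properties file. The following Python code is an added example, not part of the original guide or of Alfresco; it uses only the property names and guest-login defaults listed above, treats "false" as the disabled state of every service switch, and reports a property as a finding when the guide states no default for it and the file does not set it. The function names and the sample file content are constructed, and the guest-login checks apply whether or not the corresponding authentication subsystem is in use.

```python
import re

# Service switches from this section; a service that is not needed must be "false".
SERVICE_KEYS = {
    "ftp": "ftp.enabled",
    "cifs": "cifs.enabled",
    "imap": "imap.server.enabled",
    "nfs": "nfs.enabled",
    "webdav": "system.webdav.servlet.enabled",
}

# (property, recommended value, default stated in the guide or None when not stated)
RULES = [
    ("alfresco.authentication.allowGuestLogin", "false", "true"),
    ("passthru.authentication.guestAccess", "false", "false"),
    ("ldap.authentication.allowGuestLogin", "false", "true"),
    ("audit.enabled", "true", None),
    ("audit.alfresco-access.enabled", "true", None),
    ("replication.enabled", "false", None),
    ("transferservice.receiver.enabled", "false", None),
]


def parse_properties(text):
    """Parse Java-style properties: comments, '=' or ':' separators,
    backslash line continuation; the last definition of a key wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit_properties(text, needed_services=()):
    """Return (property, problem) tuples for settings that deviate from the guide."""
    props = {key: value.lower() for key, value in parse_properties(text).items()}
    findings = []
    for service, key in SERVICE_KEYS.items():
        if service in needed_services:
            continue
        value = props.get(key)
        if value != "false":
            state = "not set explicitly" if value is None else "set to " + value
            findings.append((key, "service not needed but " + state))
    for key, wanted, default in RULES:
        value = props.get(key, default)
        if value is None:
            findings.append((key, "not set; set it to %s explicitly" % wanted))
        elif value != wanted:
            findings.append((key, "effective value %s, recommended %s" % (value, wanted)))
    return findings


# Constructed sample file content, not taken from a real deployment.
SAMPLE = """\
# constructed sample
ftp.enabled=true
cifs.enabled=false
imap.server.enabled=false
nfs.enabled=false
system.webdav.servlet.enabled=false
audit.enabled=true
audit.alfresco-access.enabled=true
alfresco.authentication.allowGuestLogin=false
ldap.authentication.allowGuestLogin = true
replication.enabled=false
"""

if __name__ == "__main__":
    for key, problem in audit_properties(SAMPLE):
        print("%s: %s" % (key, problem))
```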

Review Server Logs Periodically

The administrator should always keep an eye on the server logs along with the application logs.
Consider using a central logging server to easily manage logs and offload the server I/O.

Change JMX Default Credentials


As you already know, Alfresco One can be accessed using JMX for configuration (port RMI
50500 TCP). This access is authenticated, but the default credentials are public and must be
changed in order to avoid unauthorized access [39].

Get Control of Deleted Content


In terms of security control, it is imperative to know how Alfresco works when a content item is
deleted and also how content deletion works in Records Management (RM). Basic content
deletion is already very well explained in an Ixxus blog post [40], but there are some differences in
the database schema between Alfresco 4.1 and 4.2 worth noting, such as the alf_node table
having a field named node_deleted in versions 4.0 and earlier.

To develop a deep knowledge of Alfresco security and of how to configure Alfresco
backup and disaster recovery [41], you should first understand how the Alfresco repository
manages the lifecycle of a content item.

Node Creation
When a node is created, regardless how it is uploaded or created (via the API, web UI, FTP, CIFS,
etc.) Alfresco will do the following:

1. Metadata properties are stored in the database in the logical store
workspace://SpacesStore (alf_node, alf_content_url among others).
2. The file itself is stored and renamed as .bin under
alf_data/contentstore/YYYY/MM/DD/hh/mm/url-id-of-the-file.bin
3. Next, depending on the indexing you choose, its index entries are created within Lucene
(alf_data/lucene-indexes/workspace/SpacesStore) or Solr
(alf_data/solr/workspace/SpacesStore).
4. Finally, in most cases, a content thumbnail is created as a child of the file created.

Node Deletion
There are two phases to node deletion:
Phase 1: A user or admin deletes a content item (sending it to the trashcan)
1. When someone deletes a content item, the content and its children (e.g. thumbnails) are
moved (archived) in the DB from workspace://SpacesStore to archive://SpacesStore.
Nothing else happens in the DB.
2. The actual content .bin file remains in the same location inside the contentstore
directory.
3. Finally, the indexes are moved from the existing location to the corresponding archive
(alf_data/lucene-indexes/archive/SpacesStore) or Solr
(alf_data/solr/archive/SpacesStore) depending on your index engine selection.

[39] http://docs.alfresco.com/4.2/tasks/jmx-access.html
[40] http://www.ixxus.com/blog/2011/09/alfresco-node-lifecycle
[41] http://blyx.com/2013/12/04/my-talk-about-alfresco-backup-and-recovery-tool-in-the-alfresco-summit/

NOTE: A deleted node stays in the trashcan FOREVER, unless the user or admin either empties
the trashcan or recovers the file. This default behavior can be changed by using third party
modules that empty the trashcan automatically on a custom schedule. See below for more
information on these modules.

The trashcan may be found at these locations:

Alfresco Share: User -> My Profile -> Trashcan (the admin user will see all users' deleted files;
since 4.2 all users can also see and restore their own deleted files).
Alfresco Explorer: User Profile -> Manage Deleted Items (for all users).
Phase 2: Any user or admin (or trashcan cleaner) empties the trashcan:
1. That means the content is marked as an orphan and after a pre-determined amount
of time elapses, the orphaned content item is moved from the alf_data/contentstore
directory to alf_data/contentstore.deleted directory.
2. Internally at the DB level a timestamp (UNIX format) is added to the
alf_content_url.orphan_time field where an internal process called
contentStoreCleanerJobDetail will check how long the content has been orphaned. If it
is more than 14 days old, (system.content.orphanProtectDays option) the .bin file is
moved to contentstore.deleted.
3. Finally, another process will purge all of its references in the database by running
nodeServiceCleanupJobDetail and once the index knows the node has been removed,
the indexes will be purged as well.

NOTE: Alfresco will never delete content in the alf_data/contentstore.deleted folder. It has to
be deleted manually or by a scheduled job configured by the system administrator. By default,
the contentStoreCleanerJobDetail runs every day at 4AM by checking the age of an orphan
node. If it exceeds system.content.orphanProtectDays (14 days) it is moved to
contentstore.deleted.

Additionally, the nodeServiceCleanupJobDetail runs every day at 9PM and purges information
related to nodes that were deleted from the database.

Now that we understand how Alfresco works by default, let's learn how to modify Alfresco's
behavior in order to clean the trashcan automatically.

There are several third party modules that can be used to achieve this, but I recommend the
Alfresco Trashcan Cleaner [42] by Alfresco's very own Rui Fernandes.
Once the amp is installed, you can use this sample configuration by copying it to the
alfresco-global.properties file:

trashcan.cron=0 30 * * * ?
trashcan.daysToKeep=7
trashcan.deleteBatchCount=1000

The options above configure the cleaner to run every hour on the half hour and it will remove
content from the trashcan and mark it as an orphan if it has been in the trashcan for more than
7 days. It will do this in batches of 1000 deletions every time it runs. To delete from the
trashcan without waiting any grace period set the trashcan.daysToKeep property value to -1.

Questions and Answers About Content Deletion


Can I configure Alfresco to avoid using contentstore.deleted and ensure it really deletes a file
after the trashcan is cleaned?
Yes, this is possible by setting system.content.eagerOrphanCleanup=true in the
alfresco-global.properties file, and once the trashcan is emptied, the file will not be moved to
contentstore.deleted but it will be deleted from the file system (contentstore). After that,
nodeServiceCleanupJobDetail will purge any related information from the database.

What is the recommended configuration for a production server?
This is something you have to figure out based on your backup and disaster recovery strategy [43].
If you have a proper backup strategy, you can offer your users a grace period of 30 days to
recover their own deleted documents from the trashcan. After the grace period, delete them
simultaneously from the trashcan and the file system. This can be achieved by installing the
previously mentioned trashcan-cleaner and with this configuration in the
alfresco-global.properties file:

system.content.eagerOrphanCleanup=false
trashcan.cron=0 30 * * * ?
trashcan.daysToKeep=30
trashcan.deleteBatchCount=1000
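
To see how long a deleted binary actually stays on disk under a given configuration, the lifecycle can be computed from the values quoted in this section. The following Python code is an added example, not part of the original guide or of Alfresco: it assumes the trashcan cleaner runs hourly at minute 30 (trashcan.cron=0 30 * * * ?), that contentStoreCleanerJobDetail runs daily at 4AM, and that each job acts on the first run at or after the moment an item becomes eligible. The function names and the sample dates are constructed.

```python
from datetime import datetime, timedelta


def next_run(after, minute, hour=None):
    """First scheduled run at or after `after`: hourly at `minute`,
    or daily at `hour`:`minute` when an hour is given."""
    candidate = after.replace(minute=minute, second=0, microsecond=0)
    step = timedelta(hours=1)
    if hour is not None:
        candidate = candidate.replace(hour=hour)
        step = timedelta(days=1)
    while candidate < after:
        candidate += step
    return candidate


def deletion_timeline(deleted_at, days_to_keep=None, orphan_protect_days=14,
                      eager_orphan_cleanup=False):
    """Model where a deleted content item ends up and when.

    days_to_keep=None means no trashcan cleaner is installed, so the item
    stays in the trashcan until somebody empties it. A negative value means
    no grace period, as with trashcan.daysToKeep=-1.
    """
    timeline = {
        "deleted_at": deleted_at,
        "trashcan_emptied": None,
        "left_contentstore": None,
        "final_location": "trashcan (archive://SpacesStore)",
    }
    if days_to_keep is None:
        return timeline

    # The hourly trashcan cleaner marks the item as an orphan.
    eligible = deleted_at + timedelta(days=max(days_to_keep, 0))
    emptied = next_run(eligible, minute=30)
    timeline["trashcan_emptied"] = emptied

    if eager_orphan_cleanup:
        # system.content.eagerOrphanCleanup=true: the file is deleted at once,
        # but the disk sectors are not wiped.
        timeline["left_contentstore"] = emptied
        timeline["final_location"] = "deleted from the file system (not wiped)"
    else:
        # The daily 4AM job moves the file after system.content.orphanProtectDays;
        # it then stays in contentstore.deleted until an administrator removes it.
        moved = next_run(emptied + timedelta(days=orphan_protect_days), minute=0, hour=4)
        timeline["left_contentstore"] = moved
        timeline["final_location"] = "contentstore.deleted"
    return timeline


if __name__ == "__main__":
    deleted = datetime(2014, 10, 1, 10, 0)  # constructed sample date
    for label, kwargs in [
        ("no cleaner installed", {}),
        ("daysToKeep=7", {"days_to_keep": 7}),
        ("daysToKeep=30, eager cleanup", {"days_to_keep": 30, "eager_orphan_cleanup": True}),
    ]:
        result = deletion_timeline(deleted, **kwargs)
        print(label, "->", result["left_contentstore"], result["final_location"])
```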


What about Alfresco Records Management, does it work in the same way? How does record
destruction work?
In the Records Management world you don't tend to delete documents as often as it is done in
Document Management. When a content item is deleted from the RM file plan, it is considered
to be a regular delete operation. This is rarely used and only done by RM admins when there is
some justifiable reason, such as correcting a mistake that requires a record to be removed.
The only difference is that the deleted record bypasses the archive store, hence it never goes to
the trashcan, and it is marked as an orphan once it is deleted. Then it will be moved to
contentstore.deleted after orphanProtectDays or it is truly deleted if eagerOrphanCleanup is set
to true.

Destruction of a record works in the same way that a record is removed. This will bypass the
archive and immediately trigger the clean-up (eagerOrphanCleanup) process so the content
does not stay in the file system contentstore or contentstore.deleted.

As far as the meta-data goes, there are two options; the first is that all the meta-data (and
hence the node itself) are completely deleted. The alternate method cleans out all the content
but the node remains with only the meta-data (called ghosting). In Alfresco RM versions prior
to 2.2, this was a global configuration value (rm.ghosting.enabled=true). In 2.2 it can be
defined on the destroy step of the disposition schedule: Maintain record metadata after
destroy.

[42] https://code.google.com/p/alfresco-trashcan-cleaner/
[43] http://blyx.com/2013/12/04/my-talk-about-alfresco-backup-and-recovery-tool-in-the-alfresco-summit/

Figure 1: Content deletion diagram

Wipe Content
As we have seen, Alfresco offers different ways to delete content. It is important to remember,
even if Alfresco completely deletes content, like when using the destroy option in RM or by
using eagerOrphanCleanup, Alfresco will not wipe the removed content from the physical
storage. It therefore can be recovered by file system recovery tools. Wiping a deleted content
item may vary depending on multiple factors, from file system type to hardware configuration,
etc. If you want to guarantee a real physical wipe of a file in your file system, third party
software must be used to zero out the corresponding disk sectors. The specific tools depend
on the operating system type, hardware, etc.

Share Level Security


Cross-Site Request Forgery (CSRF) Filters in Alfresco Share
Based on the OWASP project definition, Cross-Site Request Forgery (CSRF) is a type of attack
that occurs when a malicious web site, email, blog, instant message, or program causes a user's
web browser to perform an unwanted action on a trusted site for which the user is currently
authenticated.

You can configure CSRFPolicy in Alfresco Share to prevent CSRF attacks that allow malicious
requests to be unknowingly loaded by a user.

You can configure the CSRF filter to run with third party plugins and to stop specific repository
services from being accessible directly through the Share proxy.

See the official documentation to apply the prevention procedure [44].

Security Filters and Clickjacking Mitigation in Alfresco Share


As per OWASP definition, clickjacking, also known as a "UI redress attack", is when an attacker
uses multiple transparent or opaque layers to trick a user into clicking on a button or link on
another page when they were intending to click on the top level page. Thus, the attacker is
"hijacking" clicks meant for their page and routing them to another page, most likely owned by
another application, domain, or both.

You can configure a security filter, SecurityHeadersPolicy, that mitigates clickjacking attacks
in Alfresco Share.

See the official documentation to apply the prevention procedure [45].

Iframes and Phishing Attack Mitigation in Alfresco Share


You can configure IFramePolicy to protect users against a phishing attack, which attempts to
acquire information such as user names or passwords by simulating a trustworthy entity.

Alfresco allows you to control which domain pages or content are included in Share to create a
whitelist of allowed domains. A whitelist is a list of email addresses or IP addresses that are
considered to be safe for use within your organization.

See the official documentation to apply the prevention procedure [46].

Share HTML Processing Black/White List


Alfresco Share has a number of features to protect against XSS attacks. One of the
most aggressive features is the automatic processing of 3rd party HTML (wiki, blog, forum) to
sanitize or strip out unwanted HTML tags and attributes before rendering in the page.


[44] http://docs.alfresco.com/4.2/concepts/csfr-policy.html
[45] http://docs.alfresco.com/4.2/concepts/security-policy.html
[46] http://docs.alfresco.com/4.2/concepts/iframe-policy.html



Since Alfresco 3.4.9, 4.0.2 and newer, it is possible to fully configure the black/white list of
HTML tags and attributes that the HTML stripping process uses. The default black/white list
is available in {TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/slingshot-application-context.xml.
It can be overridden with a file called custom-slingshot-application-context.xml, which is
generally found in {TOMCAT_HOME}/shared/classes/alfresco/web-extension. More information is
available in the Alfresco corporate blog [47].

Site Creation Control


In some circumstances, you may need to prevent users other than administrators or specific
group members from creating sites. There are different ways to accomplish this using public
resources [48].

Filter Document Actions by User or Role


You may restrict the visibility of document action items for different Share site/user roles by
modifying:
{TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/document-details/document-actions.get.config.xml
{TOMCAT_HOME}/shared/classes/alfresco/web-extension/site-webscripts/org/alfresco/components/document-details/document-actions.get.config.xml

For example, to make the document action Delete visible to the admin user only, modify the
action you want to hide from everyone but the admin by adding 'permission="admin"'. In the
document-actions.get.config.xml file, change:

<action type="action-link" id="onActionDelete" permission="delete"
label="actions.document.delete" />

to:

<action type="action-link" id="onActionDelete" permission="admin"
label="actions.document.delete" />
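
A pre go-live check for the change above, as an added example that is not part of the original guide: the script parses a document-actions.get.config.xml, lists actions that carry no permission attribute, and verifies a policy such as Delete requiring admin. The sample XML is constructed; its <documentActions> root element, the function names and the policy dictionary are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <action> elements quoted in this guide.
# The <documentActions> root element is an assumption made for the example.
SAMPLE_CONFIG = """
<documentActions>
  <actionSet id="document">
    <action type="action-link" id="onActionDownload" label="actions.document.download" />
    <action type="action-link" id="onActionDetails" permission="edit" label="actions.document.edit-metadata" />
    <action type="action-link" id="onActionEditOffline" permission="edit,~googledocs-edit" label="actions.document.edit-offline" />
    <action type="action-link" id="onActionDelete" permission="delete" label="actions.document.delete" />
  </actionSet>
</documentActions>
"""


def load_actions(xml_text, action_set="document"):
    """Return {action id: [permission tokens]} for one <actionSet>."""
    root = ET.fromstring(xml_text.strip())
    actions = {}
    for aset in root.iter("actionSet"):
        if aset.get("id") != action_set:
            continue
        for action in aset.iter("action"):
            # The permission attribute is a comma-separated list of tokens.
            raw = action.get("permission", "")
            actions[action.get("id")] = [t.strip() for t in raw.split(",") if t.strip()]
    return actions


def unrestricted_actions(xml_text):
    """Action ids with no permission attribute (shown regardless of permission)."""
    return sorted(a for a, tokens in load_actions(xml_text).items() if not tokens)


def audit_actions(xml_text, required):
    """Check a policy {action id: permission token that must be present}.

    Returns a list of (action id, finding) tuples; an empty list means the
    configuration satisfies the policy.
    """
    actions = load_actions(xml_text)
    findings = []
    for action_id, needed in sorted(required.items()):
        if action_id not in actions:
            findings.append((action_id, "action not defined"))
        elif needed not in actions[action_id]:
            current = ",".join(actions[action_id]) or "<none>"
            findings.append((action_id, f"expected {needed}, found {current}"))
    return findings


if __name__ == "__main__":
    policy = {"onActionDelete": "admin"}  # hypothetical policy for this example
    print("no permission required:", unrestricted_actions(SAMPLE_CONFIG))
    for action_id, finding in audit_actions(SAMPLE_CONFIG, policy):
        print(f"{action_id}: {finding}")
```

Run it against the override file in web-extension after every upgrade or customization, since a replaced override silently restores the default permissions.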


Additionally, you may use the tables below as a reference when there is a requirement to
customize document actions per site role, for example to add, remove, or hide certain
document action(s) for certain site role(s) in permission="<symbol>".

Site role-based Visibility


[47] http://blogs.alfresco.com/wp/kevinr/2012/06/19/configuring-the-share-html-processing-blackwhite-list/
[48] https://forums.alfresco.com/forum/end-user-discussions/alfresco-share/disable-create-site-link-42-community-01102013-1306


| Symbol | Site Role            |
|--------|----------------------|
| #      | Admin/Site Manager   |
|        | Collaborator         |
|        | Contributor/Consumer |


<actionSet id="document">: Default OOTB permission level for Document Action components.
Information is extracted from Enterprise 3.4.6, File:
{TOMCAT_HOME}/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/document-details/document-actions.get.config.xml:

| Action Name        | Action id                         | Permission                               | Corresponding label name                     | Visible to |
|--------------------|-----------------------------------|------------------------------------------|----------------------------------------------|------------|
| Download           | id="onActionDownload"             | <global, no specific permission required> | label="actions.document.download"            | %;*;#      |
| View in Browser    | id="onActionView"                 | <global, no specific permission required> | label="actions.document.view"                | %;*;#      |
| Edit Metadata      | id="onActionDetails"              | permission="edit"                        | label="actions.document.edit-metadata"       | *;#        |
|                    | id="onActionSimpleApprove"        | permission="simple-approve"              | label="actions.document.simple-approve"      | n/a        |
|                    | id="onActionSimpleReject"         | permission="simple-reject"               | label="actions.document.simple-reject"       | n/a        |
| Upload New Version | id="onActionUploadNewVersion"     | permission="edit"                        | label="actions.document.upload-new-version"  | *;#        |
| Inline Edit        | id="onActionInlineEdit"           | permission="edit,inline-edit"            | label="actions.document.inline-edit"         | *;#        |
| Edit Online        | id="onActionEditOnline"           | permission="edit,online-edit"            | label="actions.document.edit-online"         | *;#        |
| Edit Offline       | id="onActionEditOffline"          | permission="edit,~googledocs-edit"       | label="actions.document.edit-offline"        | *;#        |
|                    | id="onActionCheckoutToGoogleDocs" | permission="edit,googledocs-edit"        | label="actions.document.checkout-google"     | *;#        |
| Copy to            | id="onActionCopyTo"               | <global, no specific permission required> | label="actions.document.copy-to"             | %;*;#      |
| Move to            | id="onActionMoveTo"               | permission="delete"                      | label="actions.document.move-to"             |            |
| Delete Document    | id="onActionDelete"               | permission="delete"                      | label="actions.document.delete"              |            |
| Start Workflow     | id="onActionAssignWorkflow"       | <global, no specific permission required> | label="actions.document.assign-workflow"     | %;*;#      |
| Manage Permission  | id="onActionManagePermissions"    | permission="permissions"                 | label="actions.document.manage-permissions"  |            |
| Manage Aspect      | id="onActionManageAspects"        | permission="edit"                        | label="actions.document.manage-aspects"      | *;#        |

Filter workflow by role/group


Alfresco Share does not have the ability to filter or control the list of workflows shown to a
user or group; by default all available workflows are shown to any user. There are different ways
to get this done, based on filters in share-config-custom.xml and also third party developments
to control the workflow list [49].

Change default Share session timeout


You may need to reduce or increase the default session timeout for Alfresco Share user
cookies, which is 60 minutes. Edit {TOMCAT_HOME}/webapps/share/WEB-INF/web.xml and
change the following lines; a restart is needed:
<session-config>
<session-timeout>60</session-timeout>
</session-config>



[49] https://addons.alfresco.com/addons/workflow-permissions


Architecture deployment best practices


Sample architecture diagrams and protection tips for Alfresco installed on-premises and in
AWS.

Frontends
In this section we will see a tip about how to protect some resources in Alfresco using a custom
frontend server like Apache, Nginx or HAProxy.

It is good practice to always front Share and Alfresco with a web server
(Apache/Nginx/HAProxy) and to make the application server reachable only from that web server.
If everything runs on one node, have the application server listen only on localhost and have
the web server forward to localhost. In a multi-tiered environment, allow access to the Share
and Alfresco tier only from the web node tier via iptables.

To force all Alfresco cookies to be secure instead of httponly, use a web server to
rewrite the cookies. Example of an HAProxy configuration to do it:
# Set all cookies to be Secure.
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if !secured_cookie
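
A verification aid for the rule above, as an added example that is not part of the original guide: it parses the Set-Cookie headers of one response and reports cookies that would still lack the Secure attribute. The HAProxy rule is modelled as a case-insensitive substring test over all Set-Cookie headers of a response, which is an assumption about how the ACL is evaluated; the cookie values are constructed.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def missing_secure(set_cookie_values):
    """Names of cookies whose attribute list carries no Secure flag."""
    return [name
            for name, attrs in map(parse_set_cookie, set_cookie_values)
            if "secure" not in attrs]


def model_haproxy_rewrite(set_cookie_values):
    """Assumed model of the rule above.

    secured_cookie is true when any Set-Cookie header of the response contains
    the substring "secure" (lowercased); only when it is false is "; Secure"
    appended to every Set-Cookie line.
    """
    if any("secure" in v.lower() for v in set_cookie_values):
        return list(set_cookie_values)
    return [v + "; Secure" for v in set_cookie_values]


def audit_response(set_cookie_values):
    """Cookies that still lack Secure after the modelled rewrite."""
    return missing_secure(model_haproxy_rewrite(set_cookie_values))


# Constructed responses (lists of Set-Cookie header values).
PLAIN = ["JSESSIONID=0A1B2C; Path=/share; HttpOnly"]
MIXED = ["JSESSIONID=0A1B2C; Path=/share; HttpOnly",
         "prefs=compact; Path=/share; Secure"]
NAME_HIT = ["secure_hint=1; Path=/alfresco; HttpOnly"]

if __name__ == "__main__":
    for label, response in (("plain", PLAIN), ("mixed", MIXED), ("name hit", NAME_HIT)):
        print(f"{label}: still missing Secure -> {audit_response(response)}")
```

In the mixed and name-hit cases the substring test is satisfied although a cookie has no Secure attribute, so the audit should be run on real responses after the frontend rule is deployed.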

Protect Alfresco API URL and proxy (Apache, Nginx, etc.)


Webscript URLs should be accessed only by localhost applications (Alfresco Explorer and Share)
and known third party applications. To deny access from all other networks to the Alfresco tier
data Webscripts (you can do the same for Share if needed), you need to set up a frontend web
server as follows:

Apache:
<Location /alfresco/service/*>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 1.2.3.5
</Location>
<Location /share/service/*>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 1.2.3.5
</Location>
<Location /alfresco/proxy>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 1.2.3.5
</Location>
<Location /alfresco/cmisbrowser>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 1.2.3.5
</Location>

Nginx:
location ~ ^/(alfresco|share)/service/ {
    allow 1.2.3.4;
    allow 1.2.3.5;
    deny all;
}
location ~ ^/alfresco/proxy {
    allow 1.2.3.4;
    allow 1.2.3.5;
    deny all;
}
location ~ ^/alfresco/cmisbrowser {
    allow 1.2.3.4;
    allow 1.2.3.5;
    deny all;
}

Where 1.2.3.4 and 1.2.3.5 are our applications or networks.

Single tier
Alfresco installed all on one server, using an external database and external storage for the
content store. Always use dedicated network interfaces, i.e. 3 NICs: service, backend, and
administration and backup:


Two tiers



Three tiers


Another real world diagram with details:


AWS deployments
Example of multi tier deployment and different layers of security:



Backup and Disaster recovery


Please refer to the existing Backup and Disaster Recovery White Paper presented at the
Alfresco Summit 2013 [50].



[50] https://summit.alfresco.com/cmis/views/workspace%253A%252F%252FSpacesStore%252F2a6f08b9-e026-4674-b81a-cac234491d9f


Mobile Security
File Protection
Encrypts files stored on this device when it is locked. Has to be enabled in the mobile
application settings. It is only available in Alfresco Mobile if it is connected to an Alfresco One
server or Alfresco in the Cloud.

HTTPS
Enable HTTPS connection if available on the server side. Alfresco in the Cloud has HTTPS
support by default.

Certificate Authentication
Certificate authentication is available and can be enabled from the mobile client side.

MDM
At the time this guide is written, there is one solution to implement MDM with Alfresco:

Alfresco for Good (iOS)


The Alfresco for Good mobile app provides a secure connection, secure storage and policy
enforcement when accessing business critical documents stored in Alfresco One on premise
from anywhere. Alfresco for Good 1.0 includes the following features:
- Secure access to on premise Alfresco repository based on existing user privileges
- Full access to repository structure including collaboration sites
- Easy favoriting and joining of sites
- Activity feed for repository
- File exchange via Good For Enterprise
- Local storage of files for offline viewing
NOTE: Existing version is only compatible with iOS 7.

MobileIron (Android)
Alfresco and MobileIron provide an end to end secure solution to access critical content stored
on premise, in the cloud or both, as well as to run key workflows to make things happen on the go.
Alfresco is an enterprise grade solution that can reliably mobilize hundreds to millions of
documents. Alfresco is open, so you can retain control, and customizable, so you can build the
solutions you need.
- Secure access to Alfresco One repository based on existing user privileges
- Full access to repository structure including collaboration sites
- Activity feed
- File exchange within the MobileIron ecosystem
- Local sync of files for offline viewing of up to date files
- Initiate or take part in workflows such as Review and Approve
NOTE: Alfresco is working on a new MobileIron app for Android and iOS. There is no release date
at this moment.

Additional information
For enterprise Android users, Alfresco Mobile 1.4 is available in the Samsung KNOX store.
Alfresco is also working with other MDM vendors like Symantec Sealed (Android) and Citrix Worx.


Security Compliance and Standards


A very common question about Alfresco and security is related to standards. In this section we
review some standards related to security and how Alfresco can address them. For more
information about other standards and security in Alfresco Cloud please visit this site [51].

DOD5015.2
Alfresco Records Management is certified to the DoD 5015.02 baseline standard. The Alfresco
RM solution has been implemented on top of a flexible records management metadata model,
allowing other standards (such as MoReq2010, NOARK, etc.) to be supported [52].
From the security standpoint, Alfresco RM has additional security features like:
- Specific roles related to RM tasks
- Web based role manager to view, modify or delete existing roles and create new ones
- Web based audit tool to make reports about any action on any record, folder, category
  in the File Plan
- Users, groups and roles reports
- Different behavior for record deletion and record destroy than deletion in DM. See the
  section about deletion in this document.

OWASP
In Alfresco we use the OWASP guides extensively in development and have a tool which scans
all code nightly and ensures compliance with the OWASP top ten. Here is a list of comments about
the OWASP top 10 [53]:
1. A1 - Injection: Alfresco uses prepared non-dynamic statements and variable binding
   using the ORM framework 'myBatis', which prevents SQL injection. Alfresco Share uses a
   white-list to strip potential danger from submitted content with mime-types of
   Javascript or HTML. Note: For HTML content submission, unsafe content is stripped on
   display, not storage. Summary: OOTB Alfresco is secured against injection attacks.
2. A2 - Broken Authentication and Session Management: This is normally an issue in
   home-grown authentication frameworks, but all Alfresco custom development and
   configuration passes through its own authentication framework, which is based on the
   Spring Security (Acegi) framework. Summary: OOTB Alfresco has a robust
   authentication and session management subsystem; however, there may be weaknesses
   if the following processes are not followed: 1) Only use SSL encryption for all access; 2)
   Integrate with LDAP membership services (or if using Alfresco native user
   management: enable an additional Alfresco customisation for password-expiry and
   complexity requirements); 3) Potential to permanently disable 'invite external user'
   capabilities.
3. A3 - Cross-Site Scripting (XSS): See 'Configuring the Share HTML processing black/white
   list' [54]. Summary: OOTB Alfresco is secured against XSS attacks. Pre go-live checks must
   ensure that configuration changes have not disabled this security feature. Check the
   vulnerability list in this document and new XSS threats.
4. A4 - Insecure Direct Object References: Content-object access is only allowed through
   the Alfresco API, which ACL checks all content-based requests against the current
   authenticated session user. Summary: OOTB Alfresco is secured against direct access
   and the manipulation of references.
5. A5 - Security Misconfiguration: Default passwords are stored for JMX, and installation
   passwords are stored as well. Summary: OOTB Alfresco does not encrypt the initial admin
   password, the JMX read and write passwords and the DB connection password. When using
   the Alfresco internal DB for users, their passwords are stored in MD4.
6. A6 - Sensitive Data Exposure: We do not typically store user-sensitive information in
   Alfresco. Summary: OOTB Alfresco is secure from exposure of sensitive data. This
   assumes correct ACL/permission application and that the server has not been
   compromised, allowing direct access to the underlying file system.
7. A7 - Missing Function Level Access Control: Alfresco enforces 'roles' and group
   membership to define the function access that a user may have. Summary: OOTB
   Alfresco is secured against missing function level access control. Security ACL checks
   against role and group occur on the server, not just to hide or expose UI elements.
8. A8 - Cross-Site Request Forgery (CSRF): See 'Introducing the CSRFPolicy in Alfresco
   Share' [55]. OOTB Alfresco is secured against CSRF attacks. Pre go-live checks must ensure
   that configuration changes have not disabled this security feature.
9. A9 - Using Components with Known Vulnerabilities: According to the Alfresco public
   JIRA, there are no known exploitable components used by Alfresco. An audit of every
   third party component should be done to confirm this. Alfresco recommends
   the latest security patched version of Alfresco and its supported components, as well as of
   the OS, Java, Application Server and DB server. Summary: OOTB Alfresco is secure, at the
   time of writing. Best practice should include the patching of dependent components
   with the latest security patches as they become available. Typical components to
   consider for an ongoing patch policy: Operating System RHEL/CentOS/Win2008R2;
   Database MySQL/Oracle/MSSQL; Java updates; third-party out-of-process command-line
   tools (anything outside the JVM sandbox such as Open Office / ImageMagick, etc.).
10. A10 - Unvalidated Redirects and Forwards: Alfresco allows the display of user-defined
   hyperlinks, potentially to external websites, but these are not forwards or re-directs.
   Alfresco Share does allow the arbitrary embedding of IFrames within the UI, either
   through the 'web view' dashlet, or within custom developed code, and this does need
   protection. This risk is mitigated with the introduction of the 'IFramePolicy'. See
   'Introducing the IFramePolicy in Alfresco Share' [56]. The default configuration allows any
   page to be iframed. Summary: OOTB Alfresco is not secure against non-validated
   redirection. However, a simple configuration change enforces the security.
The Alfresco software engineers address the OWASP security standard by using a software
plugin [57] that defines a list of vulnerabilities that can occur in any software project. It provides
rules engines to find violations that can be matched with many OWASP vulnerabilities,
allowing us to know the security level reached.

[51] http://www.alfresco.com/products/cloud/security-data-privacy
[52] http://blogs.alfresco.com/wp/understanding-the-facts-dod-5015-certification
[53] https://www.owasp.org/index.php/Top_10_2013-Top_10
[54] http://blogs.alfresco.com/wp/kevinr/2012/06/19/configuring-the-share-html-processing-blackwhite-list/
[55] http://blogs.alfresco.com/wp/ewinlof/2013/03/11/introducing-the-new-csrf-filter-in-alfresco-share/

HIPAA
The US Government Health Insurance Portability and Accountability Act can be applied or
adopted by Alfresco taking into account the considerations below:

- Audit everything (who accessed, when accessed and what). Alfresco does it and stores
  all in the DB.
- Encrypt PHI. This is not a requirement, but it avoids reporting in case of information loss
  (a backup tape, for example). Alfresco does it with encrypted metadata by using the
  property called d:encrypted in the data model, and encrypting the backup as well.
- Encrypt content (encryption at rest). As a normal recommendation the backup should be
  encrypted.
- For the index, a best practice is to encrypt the backup, or not to back it up, to avoid
  losing a backup tape and having to report it. The index can be rebuilt if needed.
- Disable the Quick Share feature in Share.
- Enable HTTPS.
- Optionally: retention policies (they may vary depending on every US State), which can be
  implemented with Alfresco RM.



[56] http://blogs.alfresco.com/wp/ewinlof/2013/03/12/introducing-the-iframepolicy-in-alfresco-share/
[57] http://www.excentia.es/plugins/owasp/caracteristicas_en.html




FISMA
FISMA compliance is a mandate against the operating environment where Alfresco may be
deployed. The application is not subject to any specific certification, but may be monitored as
part of a FISMA security plan.

FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a unified, government-
wide risk management program focused on large outsourced and multi-agency systems.
FedRAMP has been established to provide a standard approach to Assessing and Authorizing
(A&A) cloud computing services and products. FedRAMP allows joint authorizations and
continuous security and monitoring services for Government and Commercial cloud
computing systems intended for multi-agency use.

Alfresco's traditional products (Alfresco One, Activiti, etc.) are not directly subject to FedRAMP
authorization, rather, the customer is responsible for validating that their Alfresco deployment
specifically complies with the different FedRAMP requirements. This applies to both on-prem
and cloud-hosted deployments.

At the moment, Alfresco has not made any specific commitment to obtain FedRAMP
authorization for Alfresco in the Cloud or any future SaaS products.

ISO 27001
ISO 27001 is an international standard published by the International Standardization
Organization (ISO), and it describes how to manage information security in a company.

The Alfresco application is not subject to this certification, but it may be used as the main
repository for document centralization and management for creation, review and approval,
distribution, categorization, usage and updates of the documents and records.

PCI Data Security Standard


This section is a quick point-by-point approach to highlight some of the PCI-DSS requirements
and how Alfresco may assist in compliance.

- Alfresco uses standard TCP/IP connectivity with common protocols such as https
  (encrypted for security), allowing organizations to easily integrate with existing firewalls
  and other intrusion detection/prevention services.
- Alfresco provides default database names and accounts for simple deployment. These
  are usually set up upon first launch of Alfresco. However, in order to recognize the needs
  of such requirements as PCI-DSS, these can be simply overridden through a
  configuration file change, allowing the organization to create uniquely named databases
  and database accounts. We have well documented methods for how to perform this
  task. Integration with enterprise database systems allows DBAs to enable encrypted
  writes directly into database tables without modifying Alfresco in any way.
- Alfresco's Records Management Module allows for compliance management for data
  retention, such as retention and disposition schedules, auditing of access to records,
  destruction and data deletion as well as event triggers, eDiscovery and so forth.
- Alfresco can be configured to use strong SSL encryption for https connections, allowing
  for encryption of data in flight once authorized access to that data has been approved
  via Alfresco's Authentication, Authorization and Permissions Management subsystems.
- Alfresco stores files as their native data streams and metadata in the database. This can
  be integrated with standard corporate Antivirus applications to ensure compliance.
- As has been already said in this guide, Alfresco takes security very seriously and has a
  rigorous vulnerability detection program working with third party security organizations
  to perform penetration testing. Alfresco has a process in place to then quickly patch,
  test, release and inform Alfresco One customers of any breaches.
- Alfresco provides a complete authentication and authorization subsystem along with a
  granular permissions management system that can be integrated with corporate
  directory services to enable secure user access only to data they have been authorized
  to see. Management can be performed at the individual user level or by group
  membership; this allows an organization to easily develop role-based access to data
  and content.
- All users have a unique ID - whether that is granted by the corporate directory service, or
  internally for users that are not part of the directory structure. Alfresco has a complete
  auditing subsystem that can be incorporated into enterprise reporting applications.
- Alfresco provides a complete auditing subsystem that tracks reads and writes to all
  content and metadata within the repository. This auditing mechanism can be integrated
  with enterprise reporting tools, or custom interfaces (e.g. web) and delivery methods
  (email, RSS feeds, etc.) can be built and maintained.



Appendix I: Security Checklist


Alfresco Security Check List
This is a list of basic checks to perform in any Alfresco production deployment. In a cluster,
these checks should be passed on all nodes. Please read this document first in order to
understand all the checks below:
Server Name: ____________________________________
Server IP Address: ________________________________
[ ] Last Service Pack / Hot fix of the Alfresco existing version installed
[ ] Changed default admin password
[ ] If Linux, run the application server as non root user
[ ] Changed the default JMX passwords for controlRole and monitorRole
[ ] Switched to SSL all required services using a custom/owned certificate (not default cert):
    [ ] HTTP / Webdav / API
    [ ] Enable HSTS
    [ ] Force secure cookies
    [ ] SharePoint Protocol
    [ ] IMAP
    [ ] FTP
    [ ] SMTP INBOUND
    [ ] SMTP OUTBOUND
    [ ] Solr (SSL by default), if in separate tier
    [ ] If clustered: JGroups or Hazelcast (optional)
    [ ] Alfresco JDBC to DB communication (optional)
    [ ] Check certificate strength
[ ] Change file permissions to allow only the application user to see and write these files
    and/or directories (i.e. Linux: chmod 0600 <path-to-file>):
    [ ] alfresco-global.properties
    [ ] dir_root/contentstore
    [ ] dir_root/solr or dir_root/lucene-indexes
[ ] Alfresco and application server logs are all in the same directory, with the proper security
    permissions and logs rotation configured (app server logs, alfresco.log, share.log, solr.log)
[ ] If Alfresco is connected to internet remove the Alfresco banner in the Share login page
[ ] If LDAP, AD or third party authentication is enabled, any communication between Alfresco
    and the authentication server is through SSL (i.e. 636 TCP for LDAPS).
[ ] If Alfresco Replication Service is needed:
    [ ] Use HTTPS
    [ ] Do not replicate with admin user
[ ] Disabled unneeded services
[ ] Enabled audit if required
[ ] Disabled guest user
[ ] Backup and Disaster Recovery software configured and tested for indexes, db,
    contentstore, installation, configuration and customization files
[ ] Deleted files under control
    [ ] The trashcan has to be emptied manually or install trashcancleaner
    [ ] Configured Alfresco to delete files from file system when the trashcan is
        emptied (eagerCleaner)
    [ ] A shell script to delete contentstore.deleted once a week
[ ] Local and network firewalls are properly configured for both inbound and outbound traffic
[ ] Monitoring services availability through JMX with solutions like Hyperic, Nagios or JMelody
[ ] Encryption at rest is enabled (available in Alfresco One 5.0)
[ ] Passwords in properties files are encrypted (available in Alfresco One 5.0)
[ ] Check file-servers-custom.xml permissions if Kerberos is configured
[ ] Check FSTR configuration files permissions if it is configured (it has password inside)
[ ] Embedded metadata is still in every file, clean this before content leaves Alfresco, to
    prevent information leaks through metadata
[ ] API, services and Share proxy accesses are protected
[ ] In case of integration with third party applications, establish a dedicated Alfresco
    authenticated user versus using the admin user
[ ] CSRF is enabled in Alfresco Share (default)
[ ] Alfresco Share IFramePolicy is configured as deny
[ ] Enable SecurityHeadersPolicy in Share, which mitigates clickjacking attacks
[ ] Configure HTML processing black/white lists (optional)
[ ] Custom error page created at web server or application server level (optional)
[ ] Use a network IDS on top of Alfresco server (optional)
[ ] Use a Web Application Firewall on top of Alfresco (optional)
[ ] Use an antivirus solution at the server side or through communication and an Advanced
    Threat Protection System (optional)
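
One way to automate the file permission item of the checklist, as an added example that is not part of the original guide: it walks the listed files and directories and reports any entry that grants group or other access, or that is not owned by the application user. The function names and the temporary sample layout are assumptions of this example; note that a directory needs 0700 rather than 0600, because its owner must be able to traverse it.

```python
import os
import stat
import tempfile


def check_entry(path, expected_uid=None):
    """Return a list of problems for one file or directory (symlinks are skipped)."""
    try:
        st = os.lstat(path)
    except OSError as exc:
        return [f"{path}: cannot inspect ({exc.strerror})"]
    if stat.S_ISLNK(st.st_mode):
        return []  # symlink mode bits are not meaningful on Linux
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} grants group/other access")
    if stat.S_ISDIR(st.st_mode) and (mode & 0o700) != 0o700:
        problems.append(f"{path}: mode {mode:04o} directory needs rwx for its owner")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return problems


def audit_tree(root, expected_uid=None):
    """Check root itself and, if it is a directory, everything below it."""
    problems = check_entry(root, expected_uid)
    if os.path.isdir(root) and not os.path.islink(root):
        for dirpath, dirnames, filenames in os.walk(root):
            for name in sorted(dirnames + filenames):
                problems.extend(check_entry(os.path.join(dirpath, name), expected_uid))
    return problems


def audit_deployment(paths, expected_uid=None):
    """Return {path: [problems]} for every checklist path that has findings."""
    report = {}
    for path in paths:
        if not os.path.lexists(path):
            report[path] = [f"{path}: not found"]
            continue
        problems = audit_tree(path, expected_uid)
        if problems:
            report[path] = problems
    return report


if __name__ == "__main__":
    # Constructed layout standing in for alfresco-global.properties and dir_root.
    base = tempfile.mkdtemp()
    props = os.path.join(base, "alfresco-global.properties")
    store = os.path.join(base, "contentstore")
    open(props, "w").close()
    os.chmod(props, 0o644)          # too open on purpose
    os.mkdir(store)
    os.chmod(store, 0o700)
    for path, problems in audit_deployment([props, store], os.getuid()).items():
        for problem in problems:
            print(problem)
```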


Appendix II: Third Party Libraries included in Alfresco


Alfresco embeds third party libraries in the product and it is important to consider them for
Security and Compliance reasons.
Third Party Software (as of 4.2.x)

Apache 1.1 variant License


o Xpp3
http://www.extreme.indiana.edu/xgws/xsoap/x
pp/
Apache 1.1 - License
o Avalon framework
http://avalon.apache.org/framework/
o Spring Modules http://springmodules.java.net/
Apache 2.0 - License
o Abdera
http://projects.apache.org/projects/abdera.html
o Acegi
http://sourceforge.net/projects/acegisecurity/
o Activiti http://www.activiti.org/index.html
o Alfresco Open CMIS
http://code.google.com/a/apache-
extras.org/p/alfresco-opencmis-extension/
o Ant http://ant.apache.org/
o Axiom http://ws.apache.org/axiom/
o Axis https://axis.apache.org/axis/
o Batik http://xmlgraphics.apache.org/batik/
o Bcel
http://commons.apache.org/proper/commons-
bcel/
o Bsf
http://commons.apache.org/proper/commons-
bsf/
o Boilerpipe
https://code.google.com/p/boilerpipe/
o Catalina http://tomcat.apache.org
o cglib http://cglib.sourceforge.net/
o Apache Chemistry http://www.apache.org/
o Apache-mime
http://james.apache.org/mime4j/index.html
o Apache CXF http://cxf.apache.org/
o ehcache http://ehcache.sourceforge.net/
o Fast Infoset Project https://fi.java.net/
o fop http://xmlgraphics.apache.org/fop/
o Google Data Java Client Library
http://code.google.com/p/gdata-java-client/
o Geronimo http://geronimo.apache.org/
o Greenmail
http://www.icegreen.com/greenmail/readme.ht
ml
o Groovy http://groovy.codehaus.org/
o guess encoding
http://docs.codehaus.org/display/GUESSENC/Ho
me

o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o

o
o
o
o
o
o
o
o
o
o
o

o
o
o
o

hazelcast http://www.hazelcast.com/index.jsp
ibatis http://ibatis.apache.org/
jakarta-oro http://jakarta.apache.org/oro/
Jackson
http://wiki.fasterxml.com/JacksonDownload
Jcr http://jackrabbit.apache.org/
joda-time http://joda-time.sourceforge.net/
jstl http://tomcat.apache.org/taglibs/standard/
livetribe http://livetribe.codehaus.org/
log4j http://logging.apache.org/log4j
lucene http://lucene.apache.org
metadata-extractor
http://code.google.com/p/metadata-extractor/
myfaces http://myfaces.apache.org/
naming http://tomcat.apache.org
Neethi http://ws.apache.org/commons/neethi/
opensaml http://www.opensaml.org/
OpenSSL http://www.openssl.org/
pdfbox http://pdfbox.apache.org/
POI http://poi.apache.org/legal.html
Spring Framework
http://www.springsource.com/download/comm
unity?sid=453581
Quartz resolver http://quartz-scheduler.org/
Rome https://rometools.jira.com/wiki/
shale http://shale.apache.org/
Spring.net http://www.springframework.net/
STAX http://camel.apache.org/stax.html
XML Commons Apache
http://xml.apache.org/commons/
Xalan-j http://xml.apache.org/xalan-j/
Xerces2-j http://xerces.apache.org/xerces2-j
XML Beans
http://xmlbeans.apache.org/news.html
XML Graphics http://xmlgraphics.apache.org/
SMTP
http://subethasmtp.tigris.org/project_license.ht
ml
Apache Tika
wss4j http://ws.apache.org/wss4j/
WoodStox http://woodstox.codehaus.org/
commons-resolver
http://svn.apache.org/viewvc/xml/commons/tag
s/xml-commons-resolver-
1_2/LICENSE?view=markup
RPC http://ws.apache.org/xmlrpc/project-
info.html

Alfresco Security Best Practices


XML Schema
http://ws.apache.org/commons/XmlSchema
o Xmlsec http://santuario.apache.org/
o Solr http://lucene.apache.org/solr/
o vorbis https://github.com/Gagravarr/VorbisJava
BSD License
o Antlr v3 http://www.antlr.org
o ASM http://asm.ow2.org/
o Bubbling http://www.bubbling-library.com/
o CSS Boilerplate http://code.google.com/p/css-
boilerplate/
o dom4j http://dom4j.sourceforge.net/
o fontbox http://xmlgraphics.apache.org/fop/
o FreeMarker http://freemarker.sourceforge.net/
o jibx-* http://jibx.sourceforge.net
o jta http://java.sun.com/products/jta/
o libfreetype http://www.freetype.org/
o libgif http://giflib.sourceforge.net/
o libjpeg http://libjpeg.sourceforge.net/
o libpng http://www.libpng.org/
o libtiff http://www.libtiff.org/
o libz http://zlib.net/
o nunit http://www.nunit.org/
o One-Jar http://sourceforge.net/projects/one-jar
o PostgreSQL http://www.postgresql.org
o STAX Utils http://stax-utils.java.net/
o Tuckey URL rewriter http://tuckey.org/urlrewrite/manual/3.0/introduction.html
o Xmpcore http://www.adobe.com/devnet/xmp.html
o Xstream YUI http://xstream.codehaus.org/license.html
o YUI http://yuilibrary.com/
CDDL
o JaxB http://jaxb.java.net/
o jaxrpc http://jax-rpc.java.net/
o JAXWS http://jax-ws.java.net/
o mail http://glassfish.java.net/javaee5/mail/
o MIME pull http://mimepull.java.net/
o SAAJ http://saaj.java.net/
o StAXExtendedAPI http://stax-ex.java.net/
o xml-apis http://jaxp.java.net/
Commercial license
o Bitrockinstaller http://bitrock.com/
CPL 1.0 License
o htmlparser http://htmlparser.sourceforge.net/
o Junit http://sourceforge.net/projects/junit/
o wsdl4j http://sourceforge.net/projects/wsdl4j
Creative Commons Attribute License
o JSTextReader AS3 http://creativecommons.org/licenses/by/3.0/us/legalcode
Dojo Licensing, BSD & Academic
o Dojotoolkit http://dojotoolkit.org/
Eclipse Public License
o Wikipedia http://sourceforge.net/projects/plog4u/
o TrueLicense http://truelicense.java.net/
o truezip http://truezip.java.net/
Free Software
o icu4j http://icu-project.org/
o json http://www.json.org/java/
o netcdf http://www.unidata.ucar.edu/software/netcdf/copyright.html
GPL Affero GPL
o GhostScript http://www.ghostscript.com/
GPL V2
o ncurses http://www.gnu.org/software/ncurses/
o libiconv http://www.gnu.org/software/libiconv/
o libstdc++ http://gcc.gnu.org/libstdc++/
GPL V3
o SWF Tools http://wiki.swftools.org
Imagemagick
o Imagemagick http://www.imagemagick.org/script/license.php
LGPL 2.1
o hibernate http://www.hibernate.org/
o htmlparser http://htmlparser.sourceforge.net/
o JBPM http://www.opensource.org/licenses/lgpl-license.php
o Jgroups http://www.jgroups.org/
o jid3lib http://jid3lib.java.net/
o jug-lgpl http://mvnrepository.com/artifact/org.safehaus.jug/jug/2.0.0
o libwmf http://wvware.sourceforge.net/libwmf.html
o PDF Renderer http://java.net/projects/pdf-renderer
o TinyMCE http://tinymce.moxiecode.com/tinymce/docs/license.html
LGPL 3.0
o jayrock http://jayrock.berlios.de/
o Jmagick http://sourceforge.net/projects/jmagick/
o JODConverter http://jodconverter.sourceforge.net/
o jTDS Project http://jtds.sourceforge.net/license.html
o Jut.jar http://www.openoffice.org/licenses/lgpl_license.html
o OpenOffice http://www.openoffice.org/license.html
Microsoft Redistributable
o Microsoft Visual C++ 2008 Redistributable Package
MIT License
o bcmail-jdk http://www.bouncycastle.org/
o bcprov-jdk http://www.bouncycastle.org/
o facebook http://code.google.com/p/facebook-java-api/
o Jutf7 http://jutf7.sourceforge.net/license.html

o Mockito http://www.opensource.org/licenses/mit-license.php
o SLF4J http://www.slf4j.org/license.html
o Mootools http://docs.mootools.net/
MPL
o rhino-js http://www.mozilla.org/rhino/
o juniversalcharsetdet http://juniversalchardet.googlecode.com/
ODMG License
http://www.odbms.org/ODMG/OG/wrayjohnson.aspx
o odmg http://www.odmg.org/wrayjohnson.htm
Oracle Binary Code License Agreement
o activation http://www.oracle.com/technetwork/java/jaf11-139815.html
o Oracle JDK http://www.oracle.com/technetwork/java/javase/terms/license/index.html
Public Domain License
o AOP Alliance http://aopalliance.sourceforge.net/
o hrtlib http://www.javaworld.com/javaqa/2003-01/01-qa-0110-timing.html
o XZ http://tukaani.org/xz/java.html
Sun Public License
o BSH http://www.beanshell.org/
XAM
o XAM Connector http://www.emc.com/products/detail/software/centera-sdk-xam.htm


Alfresco has modified the source code of the following
third party libraries. Below is the list of modified modules
and corresponding licenses. The svn diff files with the
details of the changes can be found in the following
location: root/projects/3rd-party/src.

Apache2
o acegi commons http://sourceforge.net/projects/acegisecurity/
o dbcp http://jakarta.apache.org/commons/
o Apache CXF http://cxf.apache.org/
o Greenmail http://www.icegreen.com/greenmail/readme.html
o jslideshare http://code.google.com/p/jslideshare/
o pdfbox http://pdfbox.apache.org/
o POI http://poi.apache.org/legal.html
o mybatis http://code.google.com/p/mybatis/
o quartz http://quartz-scheduler.org/
o Apache Tika http://lucene.apache.org/tika/license.html
o TrueLicense https://truelicense.dev.java.net/
o wss4j http://ws.apache.org/wss4j/
o Spring Surf http://www.springsource.com/download/community
Artistic (BSD style)
o chiba http://sourceforge.net/projects/chiba
BSD
o FreeMarker http://freemarker.sourceforge.net/
o YUI http://developer.yahoo.com/yui/
o jibx http://jibx.sourceforge.net/jibx-license.html
LGPL 3.0
o JODConverter http://jodconverter.sourceforge.net/
LGPL 2.1
o hibernate http://www.hibernate.org/
o PDF Renderer http://java.net/projects/pdf-renderer
MPL
o rhino-js http://www.mozilla.org/rhino/
