Configuration

This chapter describes security, session, and access settings you can use to configure the AccuRev Web UI.

Security Considerations for Web Applications

Like other client/server applications, AccuRev takes advantage of two layers of security: the organization’s network security measures and AccuRev’s own security settings.

These network and application security measures are typical for applications that access data within an organization’s LAN, or over a VPN or similar secure connection. Web applications such as the AccuRev Web UI, however, present a distinct set of security issues common to applications that access data directly over the Internet.

At a minimum, we recommend you take the following measures to secure your use of the AccuRev Web UI:

  • Install an SSL certificate on the machine running the Tomcat web server to encrypt web traffic. See http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html for information on installing and configuring SSL certificates on Apache Tomcat. If you are using Apache Tomcat 6.0, see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
  • Implement password strength checking for the AccuRev Web UI. See Setting Login Security below for more information.
  • Review your existing AccuRev security measures. Consider the implications of an outsider gaining access to data stored in AccuRev. Set strong passwords for all AccuRev users, regardless of how they log in to AccuRev. Take advantage of AccuRev user and group permissions, and set ACL permissions to restrict user access by depot and stream to further secure the environment.
  • Consult with your local system administrator to determine the best way to run the Tomcat web server securely within your organization’s network.

Setting Login Security

We recommend that you implement user name and password strength checking for users logging in to the AccuRev Server using the AccuRev Web UI. Using the wui_config.xml configuration file, you can specify the following for both user name and password:

  • Minimum length.
  • Minimum number of digits.
  • Minimum number of letters.

Note: AccuRev uses a single user/password combination for all interfaces, so any password change made to conform to AccuRev Web UI security parameters specified in the wui_config.xml also affects your password for the AccuRev GUI and the AccuRev Command Line Interface.
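The following added example (not AccuRev code and not taken from wui_config.xml) shows how the three minimums combine when applied separately to user name and password, so you can pre-check candidate values before enforcing a policy. The names `Rule`, `violations`, and `check_login`, the sample thresholds, and the use of Unicode-aware `isdigit()`/`isalpha()` for counting are assumptions; the page does not say how AccuRev counts digits and letters.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """The three minimums listed above; field names are hypothetical."""
    min_length: int
    min_digits: int
    min_letters: int


def violations(value: str, rule: Rule) -> list[str]:
    """Return every minimum that `value` fails (empty list means it passes)."""
    digits = sum(ch.isdigit() for ch in value)
    letters = sum(ch.isalpha() for ch in value)
    failed = []
    if len(value) < rule.min_length:
        failed.append(f"length {len(value)} < {rule.min_length}")
    if digits < rule.min_digits:
        failed.append(f"digits {digits} < {rule.min_digits}")
    if letters < rule.min_letters:
        failed.append(f"letters {letters} < {rule.min_letters}")
    return failed


def check_login(user: str, password: str,
                user_rule: Rule, pw_rule: Rule) -> dict[str, list[str]]:
    """Apply one rule set to the user name and another to the password."""
    return {"username": violations(user, user_rule),
            "password": violations(password, pw_rule)}


# Constructed sample policy and credentials, not AccuRev defaults.
USER_RULE = Rule(min_length=4, min_digits=0, min_letters=3)
PW_RULE = Rule(min_length=10, min_digits=2, min_letters=4)

if __name__ == "__main__":
    for user, pw in [("jdoe", "summer2024x"), ("ab1", "12345678")]:
        print(user, check_login(user, pw, USER_RULE, PW_RULE))
```

Because a rejected value reports every failed minimum at once, the output can be used to tell users exactly what to change before the policy takes effect across all AccuRev interfaces.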