Answer

Authentication

Authentication is the process used to determine that a user is who they say they are.

If you elect to enable FME Server security, you will be required to authenticate to access all of the services which ship with FME Server. This includes the Web User Interface and the Web Administrator User Interface, which will have login and logout capabilities. The REST API will also be secured, but it uses a slightly different method which I will discuss later.

Basic Authentication

The FME Server services (except the REST API) use basic authentication to limit access. Basic authentication does not encrypt the password: it is sent to the server as plain text. Basic authentication is therefore good if the connection between the client and server computers is secure and can be trusted (i.e. local intranets).

If you open a URL that requires authentication, you will be prompted to enter your username and password. If you wish to share a link or bookmark a page, you can also include the username/password in the URL so it authenticates automatically. Simply construct a URL similar to this:
 

http://username:password@www.example.com…


e.g.
 

http://admin:admin@localhost/fmedatadownload/Samples/austinDownload.fmw
Note this is not supported in IE.
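
As an added illustration (not code from FME Server or its documentation), the Python sketch below shows what "sent as plain text" means for Basic authentication: the header is only Base64-encoded, so anyone who captures it recovers the password. It also finds and redacts credential-bearing URLs like the one above before they are pasted into shared notes. The function names, the sample notes and port 8080 are assumptions made for this example.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit

# Matches http(s) URLs that carry user:password@ in front of the host.
URL_WITH_CREDS = re.compile(r"https?://[^\s/@:]+:[^\s/@]+@\S+")

def basic_auth_header(username, password):
    """Build the Authorization header value a client sends for Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic_auth(header_value):
    """Recover (username, password) from a captured header: Base64 is not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authentication header")
    decoded = base64.b64decode(token).decode("utf-8")
    username, _, password = decoded.partition(":")  # a password may itself contain ':'
    return username, password

def redact_url(url):
    """Drop the user:password part of a URL, keeping host, port, path and query."""
    parts = urlsplit(url)
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))

def audit_text(text):
    """Return (line_number, redacted_url) for every credential-bearing URL in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for url in URL_WITH_CREDS.findall(line):
            findings.append((number, redact_url(url)))
    return findings

# Constructed sample: notes into which links were pasted (port 8080 is made up).
SAMPLE_NOTES = """\
Austin data: http://admin:admin@localhost/fmedatadownload/Samples/austinDownload.fmw
Service list: http://localhost:8080/fmeserver/services
"""

if __name__ == "__main__":
    header = basic_auth_header("admin", "admin")
    print(header, "->", decode_basic_auth(header))
    print(audit_text(SAMPLE_NOTES))
```
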

 

Secured FME Server

If you wish to deploy a more secure setup, FME Server supports SSL. Details on how to do this are located in the FME Server Admin Guide.
 

Removing Authentication from specific components

Many of our customers remove authentication from specific components of FME Server. The most common scenario is to unsecure the services which run jobs, i.e. Data Download, Data Streaming, Job Submitter. That way you can share links such as the following with people without them logging in:

http://fmeserver.com/fmedatadownload/Samples/austinDownload.fmw

but the rest of FME Server still requires authentication to access:

http://fmeserver.com/fmeserver/services

To do this you need to ensure the resource is assigned to the guest account.

Authorization

Authorization – also known as Access Control – is the process used to determine what activities a user is permitted to undertake.

FME Server includes a role-based control framework, so that administrators can assign each user to a different role with different permissions. That way they can specify exactly which users have permission to carry out which tasks. You configure this by accessing the Security tab in the FME Server admin area.

REST API

The FME REST service uses token-based security. The token service allows the developer to generate a token, which then acts as a key for accessing the secure REST interface. The token is a string of encrypted information sent between client and server.

Within FME Server you can generate a token for a set period of time using the user's credentials. For the duration specified, the token will be valid, and should be used whenever accessing the REST API.

Token security is not as secure as certain other methods, such as Integrated Windows authentication, as the security of the system depends on controlling access to the tokens.