Prizm Content Connect
Security Guidance

The following sections discuss items that should be considered before deploying your application using PCC.

To prevent attacks on viewing sessions, refer to the "Secure Viewing Sessions" section below.

Prizm Services

Prizm Services is designed to be run as an internal web service. Steps should be taken to ensure that Prizm Services is not accessible to end users or the public internet. Typically, this would involve configuring a firewall in front of Prizm Services to block access to the port it is using. See the "Ports" section below for specific port information about Prizm Services.

Prizm Services Administration

Prizm Services includes an API to request real-time information about the state and health of the system. A sample ASP.NET web application is also included in the Windows installation that takes advantage of the administration API and demonstrates potential use cases.

The administration API provides information that can be helpful in diagnosing problems, but which may also be considered sensitive, such as document information and specific processing tasks. Because of this, the administration sample or any application accessing the administration API of Prizm Services should not be accessible to end users or the public internet.

Ports

The following are the default ports that should be open to access Prizm Services.

Single-server Mode:

Multi-server Mode:

Secure Viewing Sessions

The pcc.config file contains elements that limit the values a client can set, so that someone attacking Prizm Services cannot submit inappropriate values that cause performance problems on the server. These values are properties of the ViewingSessionProperties object that a client passes to Prizm Services to start a viewing session. The following tags put limits on the properties that are sensitive to abuse:

Tags
  <!--
  The regular expression check on ViewingSessionProperties.externalId to ensure appropriate values are being set. The default is to allow any string value.
  -->
  <ViewingSessionPropertyExternalId>.*</ViewingSessionPropertyExternalId>

  <!--
  The regular expression check on ViewingSessionProperties.documentExtension to ensure appropriate values are being set. The default is to allow any string value.
  -->
  <ViewingSessionPropertyDocumentExtension>.*</ViewingSessionPropertyDocumentExtension>

  <!--
  The minimum and maximum values allowed for ViewingSessionProperties.countOfInitialPages. A value of 0 means do all pages, if min is set to zero. The max value can be zero or a maximum value allowed for this property setting.
  -->
  <ViewingSessionPropertyCountOfInitialPages>min=0,max=10</ViewingSessionPropertyCountOfInitialPages>

  <!--
  The minimum and maximum dpi values allowed for rendering images.
  -->
  <Html5RenderRasterResolution>min=100,max=300</Html5RenderRasterResolution>

  <!--
  The permitted values for alwaysUseRaster can be true, false, or any (which means don't care). The default here is false, which means SVG files can be rendered.
  -->
  <Html5RenderAcceptableRasterValue>false</Html5RenderAcceptableRasterValue>

  <!--
  The permitted values for serverCaching, which can be none, full or any (which means take whatever is set). The default is none.
  -->
  <ViewingSessionPropertyServerCaching>none</ViewingSessionPropertyServerCaching>
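
An audit of the limits above, added here as an example and not Accusoft's code: it parses a pcc.config fragment and reports settings that restrict nothing. The probe string, the finding text and the tightened patterns are assumptions; the page does not say whether a pattern must match the whole value, so unanchored patterns are reported as well.

```python
import re
import xml.etree.ElementTree as ET

REGEX_TAGS = ("ViewingSessionPropertyExternalId", "ViewingSessionPropertyDocumentExtension")
RANGE_TAGS = ("ViewingSessionPropertyCountOfInitialPages", "Html5RenderRasterResolution")
ANY_TAGS = ("Html5RenderAcceptableRasterValue", "ViewingSessionPropertyServerCaching")
# Constructed probe: overlong, with characters no identifier or extension needs.
PROBE = "x" * 4096 + "/..\\\x00<>"

def audit(fragment):
    """Return sorted (tag, finding) pairs for limits that restrict nothing."""
    root = ET.fromstring("<cfg>" + fragment + "</cfg>")  # fragment has no single root
    values = {el.tag: (el.text or "").strip() for el in root}
    findings = [(t, "missing") for t in REGEX_TAGS + RANGE_TAGS + ANY_TAGS if t not in values]
    for tag in (t for t in REGEX_TAGS if t in values):
        try:
            # search(), not fullmatch(): the page does not say how the pattern
            # is applied, so an unanchored pattern is treated as open.
            if re.search(values[tag], PROBE):
                findings.append((tag, "accepts arbitrary input"))
        except re.error:
            findings.append((tag, "invalid regex"))
    for tag in (t for t in RANGE_TAGS if t in values):
        m = re.fullmatch(r"min=(\d+),max=(\d+)", values[tag])
        if not m:
            findings.append((tag, "malformed range"))
        elif int(m.group(1)) > int(m.group(2)):
            findings.append((tag, "min exceeds max"))
    for tag in ANY_TAGS:
        if values.get(tag, "").lower() == "any":
            findings.append((tag, "'any' leaves the property unrestricted"))
    return sorted(findings)

# The default values shown on this page.
PAGE_DEFAULTS = """
<ViewingSessionPropertyExternalId>.*</ViewingSessionPropertyExternalId>
<ViewingSessionPropertyDocumentExtension>.*</ViewingSessionPropertyDocumentExtension>
<ViewingSessionPropertyCountOfInitialPages>min=0,max=10</ViewingSessionPropertyCountOfInitialPages>
<Html5RenderRasterResolution>min=100,max=300</Html5RenderRasterResolution>
<Html5RenderAcceptableRasterValue>false</Html5RenderAcceptableRasterValue>
<ViewingSessionPropertyServerCaching>none</ViewingSessionPropertyServerCaching>
"""
# Constructed tightening; the patterns are assumptions to adapt per deployment.
HARDENED = (PAGE_DEFAULTS
            .replace("ExternalId>.*<", "ExternalId>^[A-Za-z0-9_-]{1,64}$<")
            .replace("DocumentExtension>.*<", "DocumentExtension>^(pdf|docx|tif|png)$<"))

if __name__ == "__main__":
    for name, cfg in (("defaults", PAGE_DEFAULTS), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

With the page's defaults, only the two `.*` patterns are reported; the tightened fragment produces no findings.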

 

 


©2015. Accusoft Corporation. All Rights Reserved.
