Generally, developers do not use the production environment to build and test their applications. Therefore, you must administer user accounts and services that, although required in a private development environment, are not required in a production environment.
This article describes methods for reducing the overall attack surface through administration options that AEM Forms on JEE provides.
After AEM Forms on JEE is installed and configured, many services are available for remote invocation over SOAP and Enterprise JavaBeans™ (EJB). The term remote, in this case, refers to any caller that has network access to the SOAP, EJB, or Action Message Format (AMF) ports for the application server.
Although the AEM Forms on JEE services require valid credentials to be passed by an authorized caller, you should allow remote access only to the services that need to be remotely accessible. To achieve this, reduce the set of remotely accessible services to the minimum required for a functioning system, and then enable remote invocation only for the additional services that you need.
AEM Forms on JEE services always need at least SOAP access. These services are typically required for use by Workbench but also include services that are called by the Workspace web application.
Complete this procedure using the Applications and Services web page in Administration Console:
Some forms server services permit unauthenticated (anonymous) invocation for some operations. This means that one or more operations exposed by the service may be invoked as any authenticated user or as no authenticated user at all.
If you intend to expose any of these services for remote invocation, you should also consider disabling anonymous access for these services. Otherwise, any caller with network access to this service may invoke the service without passing valid credentials.
Disable anonymous access for any service that does not require it. Many internal services require anonymous access to be enabled because they must be invocable by potentially any user in the system without being preauthorized.
End users can authenticate to AEM Forms through Workbench, AEM Forms web applications, or custom applications that invoke AEM Forms server services. One global time-out setting specifies how long such users can interact with AEM Forms (using a SAML-based assertion) before they are forced to reauthenticate. The default setting is two hours. In a production environment, reduce this time to the minimum number of minutes that is acceptable.