Common Security Questions

Does PaperCut store any passwords?

User authentication is performed by the operating system, usually via a directory service such as Active Directory or LDAP. PaperCut does not store any user passwords; instead it queries the directory service in real time. Caching or storing passwords is regarded as a security risk. The only exception to this rule is the built-in admin user account. This password is stored in a one-way hashed format in the server.properties file. This account is kept separate from the directory user accounts, ensuring that administrator-level login is still possible even during a directory outage.

What level of encryption does PaperCut use?

Client-server communication of sensitive data is conducted over an SSL link. This is an equivalent level of encryption to that used by a web browser connected to an https:// website.

How can I restrict access to the XML Web Service APIs?

Two levels of access control are provided for the web services APIs. The first is that any call needs to pass a valid authentication token (usually the built-in admin user's password). All calls that do not pass this token will be rejected. The second level of security is IP address filtering. By default PaperCut will only allow calls from localhost (127.0.0.1); optionally this can be extended to other servers by manually granting access to that server's IP address. Valid IP addresses/ranges are defined under the Options section.
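The two-level check described above, written out as an added example in Python. This is not PaperCut's code: the function names, reason strings and sample values are assumptions made for illustration, and only the localhost default comes from the text.

```python
import hmac
import ipaddress

# Default from the text above: only localhost may call the API.
DEFAULT_ALLOWED = ("127.0.0.1",)


def parse_allowed(entries):
    """Convert address/range strings into network objects.

    A bare address becomes a single-host network. Malformed entries, or
    ranges with host bits set (e.g. 10.0.0.5/24), raise ValueError so a
    typo cannot silently widen or disable the filter.
    """
    return [ipaddress.ip_network(entry.strip()) for entry in entries]


def authorize_call(remote_addr, presented_token, expected_token,
                   allowed=DEFAULT_ALLOWED):
    """Return (permitted, reason). Both levels must pass; failures are closed."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "bad-address"

    # A dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # Level 2 in the text: source address must be in the allowlist.
    if not any(addr in net for net in parse_allowed(allowed)):
        return False, "ip-not-allowed"

    # Level 1 in the text: the call must carry a valid token.
    # An unset expected token never matches, and the comparison is
    # constant-time so response timing does not leak matching prefixes.
    if not expected_token or not isinstance(presented_token, str):
        return False, "bad-token"
    if not hmac.compare_digest(presented_token.encode(),
                               expected_token.encode()):
        return False, "bad-token"
    return True, "ok"


if __name__ == "__main__":
    token = "constructed-token"  # constructed sample value
    print(authorize_call("127.0.0.1", token, token))
    print(authorize_call("10.0.0.7", token, token))
    print(authorize_call("10.0.0.7", token, token, ["127.0.0.1", "10.0.0.0/24"]))
```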


Categories: Implementation, Architecture, Security


Page last modified on May 03, 2007, at 01:36 AM