ESRI Developer Summit 2008
Bryan Baker, Sud Menon, Kevin Doshier
Implementing Security for ArcGIS Server for the Microsoft .NET Framework
Introductions
• Who are we?
  – Bryan Baker
  – Sud Menon
  – Kevin Doshier
• Who are you?
• Please complete the session survey – we take your feedback seriously!
Please silence devices
Session agenda
• Security overview
• Configuring security settings in Manager
• Securing Web applications
• Securing GIS Web services
• Using the Token service
Security overview
• ArcGIS Server Manager at 9.3 enables you to:
  – Secure Web applications
  – Secure GIS Web services
  – Manage users and roles
• Could do these tasks at 9.2, but was a manual process
• Tiered security model separates
  – external web users from
  – internal users (publishers and administrators)
ArcGIS Server Security Zones
[Diagram labels: Web Browser; Web Server; ArcMap, ArcGlobe; Content Author; ArcCatalog; Administrator; Geodatabases; ArcGIS Explorer, ArcGIS Desktop, other ArcGIS Servers; GIS Server; Manager; ArcGIS Server System; Web Mapping Applications; GIS Services - Web Service Endpoints; GIS Services - Server Objects; Manager Web Application; Users External to the Site; Users Internal to the Site: Authors, Publishers, Administrators; ArcGIS Server Site]
Multi Tiered Security Model
[Diagram labels: Web Users; Web Server; GIS Server; SOM/SOC; Geodatabases; Local and Admin Users; Database Users; ArcGIS Server System]
Local and Admin users are defined by the agsusers and agsadmin operating system groups.
The users and roles of the Web GIS System are defined using Manager.
Security overview
• ArcGIS Server 9.3 has role-based access control
• Security features use ASP.NET security framework
  – Internet Information Server (IIS)
  – ASP.NET
• Membership and role framework
  – Uses platform standards for user and role storage
• Features added at 9.3 to support security
  – Token service
  – GIS service permissions stored in the SOM
Security overview
• Focus here is on access control
  – Which users can access particular services and applications
• Remember other security tasks
  – Security during transmission
  – Operating system – updates, virus protection
  – Code – SQL injection, cross-site scripting, etc.
  – Physical security
  – User education – phishing, etc.
Security model
[Diagram labels: Browser/Desktop Applications; Web; Web server; Web applications; Manager; GIS Services; Web service handler; Token service; SOM; Permission Store (for services); Principal Store (Users & Roles). Arrow labels: View/Edit; Authenticate; Authenticate; Authorize; Edit]
Steps to securing services and applications
1. Decide where users and roles will be stored
2. Install supporting items as needed
   – SQL Server (Express)
   – Secure Sockets Layer (SSL) certificate for Web server
3. Configure security in Manager
   – Configure location for users and roles
   – Add and manage users and roles
4. Secure Web application(s) using Manager*
   - and/or -
5. Secure GIS Web services using Manager
*or other tools for custom applications
Adapted from ArcGIS Server Help, “Internet security checklist”
Decide where users and roles will be stored
• Options for ArcGIS Server for Microsoft .NET Framework
  a) Windows users and groups
  b) Microsoft SQL Server
  c) Custom provider
• User and role store usually same place, but can have
  – Windows users + SQL Server roles
  – Windows users + roles in custom provider
  – SQL Server users + roles in custom provider
User and role store options: a) Windows users and groups
• Local accounts on the Web server, or accounts on the domain
  – Can also have roles in SQL Server or custom provider
• Typically used on intranets
• Can have automatic login with Internet Explorer
  – User’s logged-on identity passed over intranet with Integrated Windows Authentication
User and role store options: b) SQL Server
• SQL Server Express or full version
  – Express version included on installation CD
• Users and roles stored in database tables
• Membership and role database can be created by Manager
User and role store options: c) Custom provider
• Enables other options for users and roles
  – Other databases (Oracle, etc.)
  – XML file
  – LDAP, Active Directory, etc.
• Using the standard ASP.NET membership provider framework
• How?
  – Acquire and configure a .NET membership provider
• See ArcGIS Server Help for details
How will users be authenticated?
• Authentication = verify identity of the user
• Options
  – IIS-controlled (“Windows”) authentication
    • Web server authenticates the user
    • Includes Basic, Digest, Integrated Windows
  – Forms authentication
    • User logs in with a form on a Web page
    • For Web applications only
  – ArcGIS Server Token-based authentication
    • For GIS services only
    • More on Token service later
Authentication methods available for user stores
[Table, cell marks lost in extraction. Rows (user store location): Windows users*, SQL Server, Custom provider. Columns (authentication method): IIS-controlled (Integrated Windows, HTTP Digest, HTTP Basic); Forms (applications only); Tokens (services only)]
* = only with roles in SQL Server
Authentication with Windows users
• Integrated Windows Authentication (IWA)
  – Automatically authenticates the logged-in Windows user
  – Only feasible over an intranet
  – May be the default method in IIS
• HTTP Basic
  – Use SSL/https to encrypt credentials
• HTTP Digest
  – Protects credentials from capture, though SSL may be recommended
• Token-based authentication
  – Currently supported only when roles in SQL Server
Install supporting items for security
• User/role store software
  – None needed if users and roles will be Windows operating system users and groups
  – Microsoft SQL Server
    • Full or Express version
    • Express version included with ArcGIS Server
  – Custom provider
    • Install any required software and data
    • Add provider elements into the Security configuration file
    • See ArcGIS Server Help for information
Custom user/role store – only if add provider to Security config file
Install supporting items for security (continued)
• Secure Sockets Layer (SSL) certificate
  – Enables using HTTPS on the Web server
  – Necessary unless users are Windows users
    • AND set authentication on Web service/application to Integrated Windows authentication
  – HTTPS required by default for token service
  – See ArcGIS Server Help for tips on acquiring certificate
Configure security in Manager
• Set the location for user and role stores
  – Security Settings, Change
  – Use wizard to configure location
Configure security in Manager (continued)
• Add/edit users and roles
  – With SQL Server, you can add/edit in Manager
  – With Windows users, use operating system tools
  – Custom provider depends on the provider
• Password strength
  – Manager requires password of 7+ characters and 1+ non-alphanumeric
    • This default can be changed
• Add users to roles
  – Permissions are role-based
Demo
Configuring security in Manager
Secure Web application(s) with Manager
• Security button in Manager Applications
• Enable security
• Add permitted role(s)
  – Notice role-based security, not user-based
• Permission rules are stored in the application
  – Web.config - <authorization> element
Using a secured Web application
• User will be prompted to login
  – Login.aspx page when users in SQL Server or custom provider
  – Pop-up dialog with Windows users
• Application page
  – Displays login name
  – Logout link
    • When logged in with forms authentication
Demo
Securing a Web application with Manager
Controlling application content based on role
• Question: How can I show or hide content depending on the role?
  – Tools, tasks, layers, map, etc.
• Answer: Same approach as at 9.2
  – Developer must add code:
    • Get user’s role
    • Remove or add content depending on role
  – See sample in Developer Kit
    • “Common_Security”
Demo
Modifying Web application content based on user’s role
Securing GIS Web services - overview
• ArcGIS Server 9.3 has a role-based security model
  – Permissions on folders and individual services
  – Services inherit permissions from containing folder
• Security for a GIS service applies to all supported Web interfaces
  – SOAP, REST, OGC, KML
• Desktop, JavaScript and Web ADF applications can consume secure services
• Services Explorer respects service permissions
• Same security for both .NET and Java versions
Securing local connections to GIS services
• Two ways to connect to an ArcGIS Server service
1. Local connection
   – Works only on intranets
   – Access to all server functionality
   – Security at 9.3 is same as at 9.2
   – User must be a member of the agsusers or agsadmin groups
2. Web service connections
   – SOAP, REST, WMS, KML
   – Works on intranets and over Internet
   – New security options apply here
Securing GIS Web services
• Permissions button for services and for folders
• Services inherit folder permissions
  – Good practice to secure folders
• Add permitted role(s)
• Permissions are stored in the SOM
Warning – Access restrictions not actually applied yet.
Securing GIS Web services (continued)
• Special roles for GIS Web services
  – Everyone: all users permitted, whether or not they provide a login
  – Authenticated Users: users who provide a valid login
  – Anonymous: users who do not provide a login
• Only with SQL Server or custom provider
  – For SQL Server, Manager can add these roles when configuring roles
  – For custom provider, role names must be added separately
    • See ArcGIS Server Help for naming and details
Securing GIS Web services (continued)
• Security for services is set separately from permissions
  – Security-Settings tab
• Security is applied to all services, not individually
• Set permissions before you enable security
• Cannot disable security in Manager
Using secured services
• ArcGIS Desktop, ArcGIS Explorer
  – Provide user name and password in the connection dialog
• Web applications
  – Manager: use “Access secured services”
  – Visual Studio: add identity in the resource manager
• SOAP, REST and JavaScript clients
  – Use token or Windows authentication
  – More on this shortly
Server API for permissions
• For server object extension developers
  – Code makes local connection as agsusers/agsadmin
  – May want to restrict end user access to services based on user login
• SOM implements interfaces for security
  – IPermissionsManager
    • Methods to query permissions for services/folders
• User identity pushed to Server Context
  – Available to SOE developers
• See Library Reference – Server overview
Demo
1. Securing GIS Web services with Manager
2. Consuming a secured service in Desktop
Using the Token service
• New service installed with ArcGIS Web instance
• Why was it added?
  – Enables users to be stored in location other than operating system
  – Provides a secure mechanism to authenticate the user
  – Enables authentication for JavaScript/REST-based applications
  – Will enable a single server for authentication in a federated system (post 9.3 final)
• Used only with GIS Web services
  – Not used by default with Windows users
  – Not used to authenticate Web application users
How does the Token service work?
[Diagram labels: ArcGIS Desktop; Web server; GIS Services; Web service handler; Token service; SOM; Permission Store (for services); Principal Store (Users & Roles)]
1. Client requests service
2. Server: token required
3. Client requests token
4. Credentials validated
5. Server returns token
6. Client requests with token
7. Server gets user’s roles and authorizes roles
8. Server returns service data
What is in a Token?
• Token is a string with encrypted information:
  – User name
  – Expiration time
  – Optional: ID of the client
    • IP address or Web URL (HTTP Referrer)
    • If included, expiration can be a longer time period (weeks/months)
      – Used by most clients – Desktop, ADF, JavaScript/REST applications, etc.
    • If not included, shorter expiration time – needs to be renewed
Working with the Token service
• Most clients will work with tokens automatically
  – Desktop (ArcMap, ArcCatalog, ArcGlobe) and Engine
  – ArcGIS Explorer
  – Web ADF (.NET and Java) and Mobile ADF
• Some clients will require explicit token management
  – SOAP-based clients not using ADF
    • Use server-side code to acquire and use token
    • See Developer Help for details and examples
  – JavaScript/REST clients
    • Developer obtains a token from get-token Web page
    • Developer embeds token in the Web application code
Working with the Token service (continued)
• GIS service can provide the Token service URL
• Requesting a token
  – Requires HTTPS by default
  – Example: https://myserver/arcgis/tokens?request=getToken&username=myUser&password=secret&clientId=ip.127.0.0.1&expiration=120
• Using a token
  – Append the token to the URL of the server
  – Example: http://myserver/arcgis/services/USA/MapServer?token=hpWKwqlTkOKiQipeXmyKQLLDOSZBRjGpp%...
• Refreshing the token
  – If token may expire, include code to renew it
  – Server returns HTTP error code of 498 for expired token
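The token flow from the "How does the Token service work?" and "Working with the Token service" slides (request a token over HTTPS, append it to the service URL, renew on 498), as an added Python example that is not from the presentation or from ESRI's code. It assumes the token service answers 200 with the raw token string as the response body, which the slides do not state; `TokenClient` and the injected `http_get` callable are hypothetical names.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

EXPIRED_TOKEN_STATUS = 498  # status the slide gives for an expired token


def token_request_url(token_service_url, username, password, client_id, expiration):
    """Build the getToken request from the slide; refuse to send it over plain HTTP."""
    parts = urlsplit(token_service_url)
    if parts.scheme != "https":
        raise ValueError("credentials are in the query string; HTTPS is required")
    query = urlencode({"request": "getToken", "username": username,
                       "password": password, "clientId": client_id,
                       "expiration": expiration})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def with_token(service_url, token):
    """Append the token to a service URL, replacing any stale token parameter."""
    parts = urlsplit(service_url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "token"]
    pairs.append(("token", token))  # urlencode percent-encodes the raw token value
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), ""))


class TokenClient:
    """Hypothetical client: caches one token and renews it once on HTTP 498."""

    def __init__(self, http_get, token_url):
        self.http_get = http_get    # assumed transport: callable(url) -> (status, body)
        self.token_url = token_url  # contains the password: keep it out of logs
        self.token = None

    def _renew(self):
        # Assumption: a 200 response whose body is the token string.
        status, body = self.http_get(self.token_url)
        if status != 200 or not body.strip():
            raise PermissionError("token service did not issue a token")
        self.token = body.strip()

    def get(self, service_url):
        if self.token is None:
            self._renew()
        status, body = self.http_get(with_token(service_url, self.token))
        if status == EXPIRED_TOKEN_STATUS:  # expired: renew and retry exactly once
            self._renew()
            status, body = self.http_get(with_token(service_url, self.token))
        return status, body
```

`http_get` can be any function that performs the GET and returns `(status, body)`, such as a thin wrapper around `urllib.request.urlopen` that maps `HTTPError` to its status code.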
Demo
Using tokens in a SOAP client
Security resources for 9.3
• Server Help
• Developer Help
• Help for JavaScript APIs
  – ArcGIS JavaScript
  – Virtual Earth
  – Google Maps
Summary
• Manager at 9.3 enables users to
  – Configure user and role stores
  – Secure Web applications
  – Secure GIS Web services
• Clients work with security
  – Desktop, Engine and Web ADF work seamlessly
  – SOAP and JavaScript clients may require working with tokens
In Conclusion…
• All sessions are recorded and will be available on EDN
  – Slides and code will also be available
• Please fill out session surveys!
• Still have questions?
  1. Tech talk
  2. “Ask a Developer” link on web page
     • www.esri.com/devsummit/techquestions