implementing security for arcgis server for the …...–internet information server (iis)...

ESRI Developer Summit 2008ESRI Developer Summit 2008 11

Bryan BakerBryan BakerSud MenonSud Menon

Kevin DoshierKevin Doshier

Implementing Security for ArcGIS Server Implementing Security for ArcGIS Server for the Microsoft .NET Frameworkfor the Microsoft .NET Framework

Introductions

• Who are we?– Bryan Baker– Sud Menon– Kevin Doshier

• Who are you?

• Please complete the session survey – we take your feedback seriously!

PleasePleasesilencesilencedevicesdevices

Session agendaSession agenda

• Security overview• Configuring security settings in Manager• Securing Web applications• Securing GIS Web services• Using the Token service


Security overview

• ArcGIS Server Manager at 9.3 enables you to:– Secure Web applications– Secure GIS Web services– Manage users and roles

• Could do these tasks at 9.2, but was a manual process

•• Tiered security model Tiered security model separates separates –– external web users from external web users from –– internal users (publishers and internal users (publishers and

administrators)administrators)

Web Server Web Server

Web BrowserWeb Browser

ArcGIS Server ArcGIS Server Security ZonesSecurity Zones

ArcMap, ArcMap, ArcGlobeArcGlobe

Content AuthorContent Author

ArcCatalog ArcCatalog AdministratorAdministrator

GeodatabasesGeodatabases

ArcGIS Explorer, ArcGIS Explorer,

ArcGIS Desktop,ArcGIS Desktop,

other ArcGIS Serversother ArcGIS Servers

GIS ServerGIS Server

ManagerManager

ArcGIS Server SystemArcGIS Server System

Web Mapping Web Mapping ApplicationsApplications

GIS Services GIS Services --Web Service EndpointsWeb Service Endpoints

GIS Services GIS Services --Server ObjectsServer Objects

Manager Manager Web ApplicationWeb Application

Users External to the SiteUsers External to the Site Users Internal to the Site : Users Internal to the Site : Authors, Publishers,Authors, Publishers,

AdministratorsAdministrators

ArcGIS Server SiteArcGIS Server Site

Multi Tiered Security ModelMulti Tiered Security Model

Web Web UsersUsers

Web Server Web Server

GeodatabasesGeodatabases

SOM/SOC SOM/SOC

Local Local and and

Admin Admin UsersUsers

Web Web UsersUsers

Database Database UsersUsers

Arc GIS Server System Arc GIS Server System

Local and Admin users are defined Local and Admin users are defined by the by the agsusersagsusers and agsadmin and agsadmin

operating system groups. operating system groups.

The users and roles of the Web The users and roles of the Web GIS System are defined using GIS System are defined using

Manager. Manager.

GIS Server GIS Server

Security overview

• ArcGIS Server 9.3 has role-based access control• Security features use ASP.NET security framework

– Internet Information Server (IIS)– ASP.NET

• Membership and role framework– Uses platform standards for user and role storage

• Features added at 9.3 to support security– Token service– GIS service permissions stored in the SOM

Security overview

• Focus here is on access control– Which users can access particular

services and applications

• Remember other security tasks– Security during transmission– Operating system – updates, virus

protection– Code – SQL injection, cross-site

scripting, etc.– Physical security– User education – phishing, etc.

Security model

Browser/DesktopApplications

WebWeb

Permission Store

(for services)

SOMSOM

Web serverWeb server

GIS Services

Web servicehandler

Tokenservice

Web applications

Manager

Principal Store

(Users & Roles)

View/Edit

Authenticate

Authenticate

Authorize

Edit

Steps to securing services and applications1. Decide where users and roles will be stored2. Install supporting items as needed

– SQL Server (Express)– Secure Sockets Layer (SSL) certificate for Web server

3. Configure security in Manager– Configure location for users and roles– Add and manage users and roles

4. Secure Web application(s) using Manager*- and/or -

5. Secure GIS Web services using Manager

Adapted from ArcGIS Server Help, “Internet security checklist”

*or other toolsfor customapplications

Decide where users and roleswill be stored• Options for ArcGIS Server for Microsoft .NET

Frameworka) Windows users and groupsb) Microsoft SQL Serverc) Custom provider

• User and role store usually same place, but can have– Windows users + SQL Server roles– Windows users + roles in custom provider– SQL Server users + roles in custom provider

User and role store options:a) Windows users and groups• Local accounts on the Web

server, or accounts on the domain– Can also have roles in SQL Server

or custom provider

• Typically used on intranets • Can have automatic login with

Internet Explorer– User’s logged-on identity passed

over intranet with Integrated Windows Authentication

User and role store options:b) SQL Server• SQL Server Express or

full version– Express version included on

installation CD

• Users and roles stored in database tables

• Membership and role database can be created by Manager

User and role store options:c) Custom provider• Enables other options for users and

roles– Other databases (Oracle, etc.)– XML file– LDAP, Active Directory, etc.

• Using the standard ASP.NET membership provider framework

• How?– Acquire and configure a .NET membership

provider

• See ArcGIS Server Help for details

Oracle

XML

How will users be authenticated?

• Authentication = verify identity of the user

• Options– IIS-controlled (“Windows”) authentication

• Web server authenticates the user• Includes Basic, Digest, Integrated Windows

– Forms authentication• User logs in with a form on a Web page• For Web applications only

– ArcGIS Server Token-based authentication• For GIS services only• More on Token service later

Authentication methods available for user stores

IIS-controlled

Custom provider

SQL Server

*Windows users

Forms (applications only)

Tokens (services only)Integrated

WindowsHTTP Digest

HTTP Basic

User store location

* = only with roles in SQL Server

Authentication with Windows users

• Integrated Windows Authentication (IWA)– Automatically authenticates the logged-in Windows user– Only feasible over an intranet– May be the default method in IIS

• HTTP Basic– Use SSL/https to encrypt credentials

• HTTP Digest– Protects credentials from capture, though SSL may be

recommended

• Token-based authentication– Currently supported only when roles in SQL Server

Install supporting items for security

• User/role store software– None needed if users and roles will be Windows operating

system users and groups– Microsoft SQL Server

• Full or Express version • Express version included with ArcGIS Server

– Custom provider• Install any required software and data• Add provider elements into the Security configuration file• See ArcGIS Server Help for information

Custom user/role store –only if add provider toSecurity config file

Install supporting items for security(continued)• Secure Sockets Layer (SSL) certificate

– Enables using HTTPS on the Web server– Necessary unless users are Windows users

• AND set authentication on Web service/application to Integrated Windows authentication

– HTTPS required by default for token service– See ArcGIS Server Help for tips on acquiring certificate

Configure security in Manager

• Set the location for user and role stores– Security Settings

Change– Use wizard to

configure location

Configure security in Manager(continued)

• Add/edit users and roles– With SQL Server, you

can add/edit in Manager– With Windows users, use

operating system tools– Custom provider depends on

the provider• Password strength

– Manager requires password of 7+ characters and 1+ non-alphanumeric

• This default can be changed

• Add users to roles– Permissions are role-based

Demo

Configuring security in Manager

Secure Web application(s) with Manager• Security button in

Manager Applications• Enable security• Add permitted role(s)

– Notice role-based security, not user-based

• Permission rules are stored in the application– Web.config -

<authorization> element

Using a secured Web application

• User will be prompted to login– Login.aspx page when

users in SQL Server or custom provider

– Pop-up dialog with Windows users

• Application page– Displays login name– Logout link

• When logged in with forms authentication

Demo

Securing a Web application with Manager

Controlling application content based on role

• Question: How can I show or hide content depending on the role?– Tools, tasks, layers, map, etc.

• Answer: Same approach as at 9.2– Developer must add code:

• Get user’s role• Remove or add content

depending on role– See sample in Developer Kit

• “Common_Security”

Demo

Modifying Web application content based on user’s role

UC 2007 Tech SessionsUC 2007 Tech Sessions 3131

Securing GIS Web services - overview

• ArcGIS Server 9.3 has a role-based security model– Permissions on folders and individual services– Services inherit permissions from containing folder

• Security for a GIS service applies to all supported Web interfaces– SOAP, REST, OGC, KML

• Desktop, JavaScript and Web ADF applications can consume secure services

• Services Explorer respects service permissions• Same security for both .NET and Java versions

Securing local connections to GIS services

• Two ways to connect to an ArcGIS Server service

1. Local connection– Works only on intranets– Access to all server functionality– Security at 9.3 is same as at 9.2

– User must be a member of the agsusers or agsadmin groups

2. Web service connections– SOAP, REST, WMS, KML– Works on intranets and over Internet– New security options apply here

Securing GIS Web services

• Permissions buttonfor services andfor folders

• Services inherit folder permissions– Good practice to

secure folders• Add permitted role(s)• Permissions are

stored in the SOM

Warning – Access restrictions not

actually applied yet.

Securing GIS Web services (continued)

• Special roles for GIS Web services– Everyone: all users permitted whether provide login

or not– Authenticated Users: users who provide a valid

login– Anonymous: users who do not provide a login

• Only with SQL Server or custom provider– For SQL Server, Manager can add these roles when

configuring roles– For custom provider, role names must be added

separately• See ArcGIS Server Help for naming and details

Securing GIS Web services (continued)

• Security for services is set separately from permissions– Security-Settings tab

• Security is applied to all services, not individually

• Set permissions before you enable security

• Cannot disable security in Manager

Using secured services

• ArcGIS Desktop, ArcGIS Explorer– Provide user name and

password in the connection dialog

• Web applications– Manager: use “Access

secured services”– Visual Studio: add identity in

the resource manager• SOAP, REST and

JavaScript clients– Use token or Windows

authentication– More on this shortly

Server API for permissions

• For server object extension developers– Code makes local connection as

agsusers/agsadmin– May want to restrict end user access to

services based on user login

• SOM implements interfaces for security– IPermissionsManager

• Methods to query permissions for services/folders

• User identity pushed to Server Context– Available to SOE developers

• See Library Reference – Server overview

Demo

1. Securing GIS Web services with Manager

2. Consuming a secured service in Desktop

Using the Token service

• New service installed with ArcGIS Web instance• Why was it added?

– Enables users to be stored in location other than operating system

– Provides a secure mechanism to authenticate the user– Enables authentication for JavaScript/REST-based

applications– Will enable a single server for authentication in a federated

system (post 9.3 final)

• Used only with GIS Web services– Not used by default with Windows users– Not used to authenticate Web application users

How does the Token service work?

ArcGIS Desktop

Permission Store

(for services)

SOMSOM

Web serverWeb server

GIS Services

Web servicehandler

Tokenservice

Principal Store

(Users & Roles)

1. Client requestsservice2. Server: tokenrequired

3. Clientrequeststoken

4. Credentialsvalidated

6. Client requestswith token 5. Server

returnstoken

7. Server gets user’s rolesand authorizes roles

8. Server returnsservice data

What is in a Token?

• Token is a string with encrypted information:– User name– Expiration time– Optional: ID of the client

• IP address or Web URL (HTTP Referrer)• If included, expiration can be a longer time period (weeks/months)

– Used by most clients – Desktop, ADF, JavaScript/REST applications, etc.

• If not included, shorter expiration time – needs to be renewed

Working with the Token service

• Most clients will work with tokens automatically– Desktop (ArcMap, ArcCatalog, ArcGlobe) and Engine– ArcGIS Explorer– Web ADF (.NET and Java) and Mobile ADF

• Some clients will require explicit token management– SOAP-based clients not using ADF

• Use server-side code to acquire and use token• See Developer Help for details and examples

– JavaScript/REST clients• Developer obtains a token from get-token

Web page • Developer embeds token in the Web

application code

Working with the Token service (continued)

• Some clients will require explicit token management– SOAP-based clients not using ADF

• Use server-side code to acquire and use token• See Developer Help for details and examples

– JavaScript/REST clients• Developer obtains a token from get-token

Web page • Developer embeds token in the Web

application code

Working with the Token service(continued)• GIS service can provide the Token service URL• Requesting a token

– Requires HTTPS by default– Example:

https://myserver/arcgis/tokens?request=getToken&username=myUser&password=secret&clientId=ip.127.0.0.1&expiration=120

• Using a token– Append the token to the URL of the server– Example:

http://myserver/arcgis/services/USA/MapServer?token=hpWKwqlTkOKiQipeXmyKQLLDOSZBRjGpp%...

• Refreshing the token– If token may expire, include code to renew it– Server returns HTTP error code of 498 for expired token

Demo

Using tokens in a SOAP client

Security resources for 9.3

• Server Help• Developer Help• Help for JavaScript APIs

– ArcGIS JavaScript– Virtual Earth– Google Maps

Summary

• Manager at 9.3 enables users to– Configure user and role stores– Secure Web applications– Secure GIS Web services

• Clients work with security– Desktop, Engine and Web ADF work seamlessly– SOAP and JavaScript clients may require working with tokens

In ConclusionIn Conclusion……

•• All sessions are recorded and will be available on EDNAll sessions are recorded and will be available on EDN–– Slides and code will also be availableSlides and code will also be available

•• Please fill out session surveys!Please fill out session surveys!

•• Still have questions?Still have questions?1.1. Tech talkTech talk2.2. ““Ask a DeveloperAsk a Developer”” link on web pagelink on web page

•• www.esri.com/devsummit/techquestionswww.esri.com/devsummit/techquestions


implementing security for arcgis server for the …...–internet information server (iis)...

Documents