implementing security for arcgis server java solutions - esri
TRANSCRIPT
Implementing Security for ArcGIS Server Java Solutions
Shreyas Shinde
Introductions
• Who are we?
– Developers for ArcGIS Server – Java
• Who are you?
– ArcGIS Server developers
– Web developers
– GIS Administrators for ArcGIS Server
– IT/System Architects
Agenda
• 9.3 Security model
– Introduction
– Configuration
– Use
• Extending & advanced configurations
– FileStore
– LDAP over SSL
• Securing your site
– Using reverse proxies
– Tips & troubleshooting
A Secure ArcGIS Server Site
[Diagram: a LAN protected by a firewall hosts ArcGIS Server (GIS Server with SOM and SOCs, Manager, Data), the Web Application, and local users on local connections (ArcCatalog; Desktop clients: ArcGIS Explorer, ArcGIS Desktop, ArcGIS Engine; Content Author with ArcGIS Desktop). A Web Server in the DMZ runs a Reverse Proxy; Web users and Mobile Devices reach it over the Internet (HTTP).]
Introduction
• Securing your GIS services and Web applications
– Java EE (provided by application servers)
– ArcGIS managed (introduced at 9.3)
• Java EE security
– UI driven through Manager
– No more opening/editing contents of the WAR file
• ArcGIS managed
– UI driven through Manager
– Role based access control
– Works seamlessly with JavaScript/Flex clients
Terms and Concepts
• Principal (User)
– Individual consuming published functionality
• Role
– Group of individuals with some privilege
• Permission
– Privilege to access a certain resource
• Authentication
– Validating the credentials of the individual and establishing identity
• Authorization
– Evaluating the privileges of an individual based on permissions
ArcGIS Managed Security - Components
• User and Role Store (Principal Store)
– Data store of user and role information (example: username, password, roles, etc.)
– APIs to access this information
• Permission Store (engine)
– Data store of permissions assigned to a role
– APIs to access this information
• ArcGIS Token Service
– Web service that issues a token
ArcGIS Managed Security for GIS Services
• Access is role based
– Permissions are assigned to roles
– Authorization is based on the roles a user plays
• Requires tokens
– A token needs to be appended to the URL when accessing a secured GIS Service
– Tokens are acquired from the ArcGIS Token Service by providing ‘username’ and ‘password’
– Desktop clients and Web Mapping Applications (built using Manager) can automatically fetch tokens and use them
• Administration through Manager
Managing Users and Roles for ArcGIS Security
• Administrator can configure the storage of users and roles using ArcGIS Manager
– Manage user and role information
[Diagram: ArcGIS Server components – Token Web Service, SOM, Server Manager Service, Service Handler, User/Role Store, Permission Store, GIS service]
Demo
• Configure store
• Manage users and roles
User and Role Store – Out of the box
Allowed combinations of user storage (rows) and role storage (columns):

User storage \ Role storage | Default Apache Derby (R/W) | External DB (R/W) | LDAP (R) | MS-Active Directory (R)
Default Apache Derby (R/W)  | Allowed                    | X                 | X        | X
External DB (R/W)           | X                          | Allowed           | X        | X
LDAP (R)                    | Allowed                    | Allowed           | Allowed  | X
MS-Active Directory (R)     | Allowed                    | Allowed           | X        | Allowed

R/W = read & write, R = read only
Also see the section: Extending and Customization
ArcGIS Token Service
• A Web service that grants tokens (part of ArcGIS Managed security)
– Authenticates the user requesting a token
• Connected to the user store
– Configured through Manager
• Should be deployed on an SSL port
• gettoken.html page – UI for fetching tokens for JavaScript/Flex developers
ArcGIS Managed Security for GIS Services – Internals
[Diagram, repeated for each step below: a Web Application talks over https to ArcGIS Server, which contains the Token Web Service, SOM, Server Manager Service, Service Handler, User/Role Store, Permission Store and the GIS service]
• Web application wants to consume a secured GIS service
• Web application makes a request to the URL of the service (without a token)
• Web service handler returns a token required error but provides the URL of the Token Service
• Web application requests a token by providing user credentials
• Token Service authenticates the user credentials
• If the user is authenticated, a token is issued
• Web application connects to the URL of the GIS service with a token
• Web service handler validates the token & looks up the roles for the user
• Web service handler passes the roles for the user to the permission store for authorization
• Permission store engine will authorize the request
• If authorization is successful, the requested GIS service is returned
• Web application can then connect to/consume the GIS service
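The exchange described above, as an added example that is not code from the slides or from ArcGIS Server: a constructed Python model in which the token is an HMAC under a shared key over the user name and an expiry time, and the user/role store and permission store are in-memory dictionaries. The token format, the token service URL, the users, roles, services and the shared key are all assumptions.

```python
# Constructed model of the token flow in the slides; not ArcGIS Server code.
# Token format, shared key, users, roles, services and URL are assumptions.
import base64
import hashlib
import hmac
import json
import time

TOKEN_SERVICE_URL = "https://gisserver.example.invalid/arcgis/tokens"  # assumed

# User/Role store (Derby, external DB, LDAP or AD in the product): user -> (password, roles)
USERS = {"alice": ("alice-pw", ["planners"]), "bob": ("bob-pw", ["viewers"])}

# Permission store: GIS service -> roles allowed to access it
PERMISSIONS = {"usa/MapServer": {"planners", "viewers"},
               "parcels/MapServer": {"planners"}}


class TokenService:
    """Authenticates credentials against the user store and issues a token.
    The shared key that signs tokens must stay secret: anyone holding it can
    mint tokens that every service handler sharing the key will accept."""

    def __init__(self, shared_key: bytes, expiration_s: int = 3600):
        self._key = shared_key
        self._expiration_s = expiration_s

    def generate_token(self, username: str, password: str, now=None):
        stored = USERS.get(username)
        # constant-time comparison; same answer whether the user or the password is wrong
        if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
            return None
        exp = int((time.time() if now is None else now) + self._expiration_s)
        body = base64.urlsafe_b64encode(json.dumps({"sub": username, "exp": exp}).encode()).decode()
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"  # URL-safe, so the client can append it as ?token=...


class ServiceHandler:
    """Front door of a GIS service: validates the token, looks up the user's
    roles and asks the permission store before returning the service."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def _user_from_token(self, token: str, now: float):
        body, _, mac = token.rpartition(".")
        try:
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
            if not body or not hmac.compare_digest(expected, mac):
                return None  # forged, tampered, or issued by another entity
            payload = json.loads(base64.urlsafe_b64decode(body))
            if payload["exp"] <= now:
                return None  # expired: the client must fetch a fresh token
            return payload["sub"]
        except (ValueError, TypeError, KeyError):
            return None  # malformed token

    def request(self, service: str, token=None, now=None):
        now = time.time() if now is None else now
        if token is None:  # no token: tell the client where to get one
            return {"error": "token required", "tokenServiceUrl": TOKEN_SERVICE_URL}
        user = self._user_from_token(token, now)  # validate the token
        if user is None:
            return {"error": "invalid token"}
        roles = set(USERS.get(user, ("", []))[1])  # look up the user's roles
        if not roles & PERMISSIONS.get(service, set()):  # permission store decides
            return {"error": "access denied"}
        return {"service": service, "user": user}  # authorized: hand over the service


def run_flow(now: float = 1_700_000_000.0):
    """Walks the exchange from the slides plus three failure cases."""
    key = b"constructed-shared-key-keep-secret"
    ts, handler = TokenService(key, expiration_s=600), ServiceHandler(key)
    token = ts.generate_token("bob", "bob-pw", now=now)  # credentials travel over https
    return [
        handler.request("usa/MapServer"),                        # no token at all
        handler.request("usa/MapServer", token, now=now),        # allowed via role
        handler.request("parcels/MapServer", token, now=now),    # role lacks permission
        handler.request("usa/MapServer", token + "0", now=now),  # tampered token
        handler.request("usa/MapServer", token, now=now + 601),  # expired token
    ]


if __name__ == "__main__":
    for step in run_flow():
        print(step)
```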
Demo
• Assigning permissions through the Web application
• Consuming secured services through ArcCatalog
JavaScript Applications Consuming Secured Services
• JavaScript embeds a token instead of user credentials
• Simple workflow for the developer
– Build your application
– Fetch a token from the ArcGIS Token Service
– Append the token to the URL

var map = new esri.Map("mymap");
var layer = new esri.layers.ArcGISDynamicMapServiceLayer(
    "http://machine:8399/arcgis/rest/services/usa/MapServer?token=ksdfsfsirteueimlskdmcwkck");
map.addLayer(layer);
Demo
• JavaScript application consuming a secured service
ArcGIS Managed Security for Web Applications
• Application can be secured using ArcGIS Manager
– The Web application creator sets the permissions
– The user and role store can be configured using ArcGIS Manager
• Web application is secured using a login control
– The login web page can be customized
Demo
• Securing the web application
• Secure web application login
Extending and Customization
• Out of the box support for:
– Relational Databases
– LDAP
– Active Directory
• You can write custom membership providers if:
– None of the above schemes meet your storage needs
– You have data in a proprietary format
– You want to authenticate using other tools
• You need to implement the SecurityStore Java interface provided by ArcGIS
Demo
• FileStore – user/role storage in an XML file
User and Role Store – Advanced Configuration
• Connecting to LDAP over SSL (ldaps)
– Server side
  • Enable ldaps (usually port 636) on the LDAP server
  • Generate the public & private keys
  • Get the public key signed by a CA
  • Import the signed certificate into the keystore
– Client side
  • If certificates are self signed – import the self-signed certificate of the server into the JRE’s certificate store
  • Restart ArcGIS components (Manager Service, Service Handlers, etc.)
SSL Basics
• Server proves its identity, data transfer is encrypted
• Uses asymmetric key cryptography for handshaking
– Public and private keys
– CA signs the public keys, public keys are shared with clients
– Encrypting data with the public key and then decrypting it is usually an expensive operation (hence the use of fast symmetric keys)
• Uses a symmetric key to encrypt the contents sent over the wire for the duration of the session
– More efficient way of encrypting instead of using public/private keys
SSL Basics – The handshake
[Diagram: Client (holding a CertificateStore) and Server (holding a KeyStore) exchange the following messages; {[X] x Key} denotes X encrypted with Key]
Client → Server: {Hello}
Server → Client: {ACK + Public Key}
If client accepts the Server’s Public Key…
Client → Server: {[Symmetric Key] x Public Key}
Server uses its private key to decrypt the message
Server → Client: {[OK] x Symmetric Key}
Client → Server: {[Request] x Symmetric Key}
Server → Client: {[Response] x Symmetric Key}...
Demo
• Connecting to LDAP over SSL
– ApacheDS 1.5.1
– keytool – Java tool to manage cryptographic keys and certificates
– ArcGIS Manager
• Troubleshooting tip
– Use this JVM argument: -Djavax.net.debug=ssl
A Secure ArcGIS Server Site
[Diagram repeated from the earlier slide of the same name]
Securing Your Site
• Host application servers within the firewall-protected LAN
• Use a reverse proxy server to expose functionality to the Internet
– Hides the app server
  • Client is not aware of the internal server specifics
– Can do SSL instead of the app server
  • No SSL between reverse proxy and app server
– Load balancing
  • Can toggle requests between multiple app servers
– Caching, etc.
Demo
• Setting up a reverse proxy server using Apache Web Server
Reverse Proxy with Apache
• Download the Apache Web server from http://httpd.apache.org
• The following modules are required:
– mod_proxy
– mod_proxy_http
– mod_headers
– mod_deflate
– mod_proxy_html (available at http://apache.webthing.com) …
KB: http://support.esri.com/index.cfm?fa=knowledgebase.techarticles.articleShow&d=35948
Reverse Proxy with Apache – Cont’d
• Make builds
$ ./configure --enable-so --enable-mods-shared="proxy proxy_http proxy_connect headers deflate" --prefix=/usr/local/apache2
$ make
$ make install
$ apxs -c -I/usr/include/libxml2 -i mod_proxy_html.c
• Load the modules into Apache – httpd.conf
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
…
Reverse Proxy with Apache – Cont’d
• ProxyPass & ProxyPassReverse directives – httpd.conf (each external prefix maps to the same path on the internal server)
ProxyPass        /arcgis/services http://internal:8399/arcgis/services
ProxyPassReverse /arcgis/services http://internal:8399/arcgis/services
ProxyPass        /arcgis/rest     http://internal:8399/arcgis/rest
ProxyPassReverse /arcgis/rest     http://internal:8399/arcgis/rest
ProxyPass        /arcgis/tokens   http://internal:8399/arcgis/tokens
ProxyPassReverse /arcgis/tokens   http://internal:8399/arcgis/tokens
• References within an HTML page returned by the server will be re-written by the mod_proxy_html module
– Unfortunately, it does not re-write XML/WSDLs
Tips & Troubleshooting
• User/Role store
– LDAP and Active Directory are treated as read-only stores. Cannot use ArcGIS Manager to edit information in them
– When connecting to a database, add the JDBC driver (JAR file) into the /arcgis/java/manager/config/security/lib directory
• Token Service
– Should run on an SSL port (install certificates in components that need to communicate with the service)
– Windows Vista has IPv6 enabled by default – use the correct IP version when requesting tokens (IPv4 vs IPv6)
– Set the token expiration time to something appropriate – balance between security & performance
– Store the shared key securely
Tips & Troubleshooting
• Consuming secured GIS services
– ArcGIS Manager & Desktop will warn when the token service is not running on an SSL port
– Only tokens issued by the ArcGIS Token Service are considered to be valid tokens – cannot use tokens from other entities
• When using a reverse proxy
– JavaScript/Flex developers should not use the IP address mechanism to lock their tokens (the client IP is not visible to the server) – use the HTTP referrer/URL method
– WSDL exposed by a service has a reference to the internal server’s URL – need to use an XML re-writer in the reverse proxy; this ability will be provided post 9.3.1
Tips & Troubleshooting – Cont’d
• Enabling/Disabling security for GIS Services
– Services will be “locked down” by default when security is enabled – access based on permissions
– Disabling security is multiple steps – read the documentation
Q&A
• Tech Talk Area: Mesquite A
Conclusion
• Secure your GIS services and Web applications using ArcGIS managed or Java EE security
• Seamlessly consume secured services in JavaScript/Flex applications using tokens
• Think about all the aspects of security for your site. Don’t make it an afterthought
Resources
• 9.3 Security Model Documentation
http://webhelp.esri.com/arcgisserver/9.3/java/security_concepts.htm
http://resources.esri.com/help/9.3/arcgisserver/apis/flex/help/index.html#whats_new.htm – Flex API
• Setting up SSL for ApacheDS
http://directory.apache.org/apacheds/1.5/33-how-to-enable-ssl.html
• Sun’s ‘keytool’ – tool to manage keys and certificates
http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html
• Reverse proxy using Apache
http://www.apachetutor.org/admin/reverseproxies
Want to Learn More? ESRI Training and Education Resources
• Instructor-Led Training
Developing Applications with ArcGIS Server Using the Java Platform
• Free Web Training Seminars
Building Applications with ArcGIS Server Using the Java Platform
Implementing Security for ArcGIS Server 9.3 Java Solutions
http://www.esri.com/training