UC 2007 Tech Sessions 1

Securing ArcGIS Server for the Microsoft .NET Framework
Bryan Baker, Kevin Doshier
ESRI

Agenda
• Security Overview
• Security in IIS and ASP.NET
• Securing ArcGIS Server services
• Web application security
• Looking ahead to 9.3

ArcGIS Server 9.2
• Complete & integrated server-based GIS
• Out-of-the-box applications and services
• Tremendous developer opportunities

(Diagram: ArcGIS Server – Spatial Data Management, Visualization (Mapping), Spatial Analysis; clients: Web Mapping Applications, ArcGIS Mobile, ArcGIS Explorer, ArcGIS Desktop; APIs: Java, .NET)

Security Overview
• Security tasks
  – Physical security
  – Operating system security – accounts, updates, viruses, spyware, etc.
  – Code security
    • SQL injection, cross-site scripting, command execution, etc.
  – Network security
    • Integrity
    • Confidentiality
  – Access to services and applications
    • Authentication and authorization  ← this session

Security Overview
• At ArcGIS Server 9.2, you configure security using standard ASP.NET options
  – ArcGIS Server 9.2 security = ASP.NET 2.0 security
  – No specific security tools are built into 9.2
• ArcGIS Server 9.3 will have security management tools
  – But will still use ASP.NET security

Security Overview
• Demo: two secured Web applications

Security in ASP.NET
• Access to web resources in ASP.NET is controlled by:
  1. Internet Information Server (IIS)
     – IIS receives all requests from Web clients
     – IIS performs some security checks
     – Some requests handled by IIS itself
       – Images (.jpg, .png), HTML files (.htm), JavaScript files (.js), etc.
     – Requests for ASP.NET resources (.aspx, etc.) passed to ASP.NET
  2. ASP.NET
     – Additional security checks
     – May include a login web page (Forms authentication)

IIS and ASP.NET security
• Request must pass several checks before access granted
  – Single failure causes request to fail
• You can control access by one or more of these methods
• We'll focus on
  1. Windows authentication
  2. Forms authentication

(Diagram: a user's request for http://arcgisserver/app1/default.aspx reaches the ArcGIS Web Server.
 1. IIS checks, in order: IP address permitted? → User authenticated (or anonymous access permitted)? → File permissions OK?
 2. ASP.NET check: Forms authentication OK?
 Each check: OK → next check; Fail → access denied. All OK → access granted.)

Securing ASP.NET Web applications
• Two main options
  – Windows authentication
    • IIS controls access
    • Users have Windows accounts
    • Users see popup login form (usually)
    • Typically used on intranets
  – Forms authentication
    • ASP.NET controls access
    • Accounts usually in a database or file
    • Users log in with a form on a web page
    • Used on Internet and intranets

Authentication vs. authorization
• Authentication
  – Verifying who you are
  – Like obtaining your conference badge
• Authorization
  – Determining what you can access
  – Like whether you can enter certain workshops or exhibits

Securing ArcGIS Server services
• Two ways to connect to ArcGIS Server services
  1. Local connection
     – Works only on intranets
     – Access to all server functionality
  2. "Internet" connection = Web service connection
     – Works on intranets and over Internet
     – Subset of capabilities of Local connection

ArcGIS local connections
• Server Object Manager (SOM)
  – Controls access to GIS server
• Connect to SOM using DCOM
  – DCOM = Microsoft technology for distributed COM components
    • Uses TCP/IP but not HTTP
    • Does not use Web server for connections
    • Uses a range of TCP ports
• This was the only connection option at 9.1

(Diagram: Client (ArcCatalog, etc.) –DCOM→ Server Object Manager → Server Object Container, both inside the GIS Server)

Securing local connections to ArcGIS Server
• DCOM access controlled by operating system
  – Uses Windows accounts
• Connections allowed to two groups
  – agsusers – members can use services
  – agsadmin – can use and administer services
• To enable local connection to ArcGIS Server:
  – Add user's account to agsusers or agsadmin group
  – Desktop application must run as user in agsusers/agsadmin
    • ArcCatalog, ArcMap, ArcGIS Explorer
    • Use Run as… if necessary
  – Add connection to server

Demo: Securing Local Connections

Using a local connection in a Web application
• Web applications may use local connections
  – Editing applications
  – Custom ArcObjects-based applications
• Web application must run as a member of the agsusers/agsadmin group
  – Web application impersonates this user
  – User's login encrypted in web.config
• Enabling impersonation
  – In Manager
    • Uses account of Manager user by default
    • Change account if necessary
  – In Visual Studio
    • Use Add ArcGIS Identity tool

(Screenshots: Manager; Visual Studio)

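The impersonation setting the slide describes, written out as an added example that is not from the session and not what Manager or the Add ArcGIS Identity tool generates verbatim. The account MYSERVER\ags_webapp, its password and the application path /app1 are placeholders; the account is assumed to be a member of agsusers.

```xml
<!-- Added example (not from the session): fragment of the Web application's web.config.
     MYSERVER\ags_webapp is a placeholder account that is assumed to be in agsusers. -->
<configuration>
  <system.web>
    <!-- Every request runs as this account, so the local (DCOM) connection to the
         Server Object Manager is made by a member of agsusers/agsadmin rather than
         by the IIS worker process account. -->
    <identity impersonate="true"
              userName="MYSERVER\ags_webapp"
              password="PLACEHOLDER-PASSWORD" />
  </system.web>
</configuration>
<!-- As written the credentials are clear text. Encrypt the section in place on the
     Web server with the ASP.NET IIS registration tool (application path is a placeholder):
       aspnet_regiis -pe "system.web/identity" -app "/app1"
     ASP.NET decrypts it transparently at run time. The default provider keeps the key in
     the RSA container NetFrameworkConfigurationKey, so the account that runs the
     application pool needs read access to it, granted with
       aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE" -->
```

Encrypting the section is what "User's login encrypted in web.config" on the slide refers to; the file still has to be protected with NTFS permissions, because anyone who can read the RSA key container can decrypt it.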
ArcGIS Web services
• Enables connecting to GIS service as a standard Web service (SOAP)
  – Exposes subset of service functionality
    • Map service: extent, layer visibility, graphics, etc.
    • No symbology changes, dynamic layers, editing, fine-grained ArcObjects
• ArcGIS Web services
  – By default at http://<myserver>/arcgis/services
  – Uses a local connection to ArcGIS Server behind the scenes
    • Configured during post-installation
    • Identity is stored in services.config

(Diagram: Client (ArcCatalog, etc.) –Internet (HTTP)→ ArcGIS Server Web services –DCOM→ Server Object Manager → Server Object Container, inside ArcGIS Server)

Securing ArcGIS Web services
• ArcGIS Web services are an ASP.NET application
  – Each service has its unique URL
    • http://<myserver>/arcgis/services/<myservice>/MapServer
• Use standard approach for ASP.NET security
  – Require authentication
    • Disable anonymous access in IIS Manager
    • Uses Windows authentication
      – Can't have a form login for a Web service
      – Windows accounts in agsusers/agsadmin
  – Authorize services or folders
    • Use ASP.NET <location> tags in web.config
• ArcGIS Server Help
  – http://webhelp.esri.com/arcgisserver/9.2/dotNet/manager/administration/secure_web_svcs.htm

  <location path="SecureServices">
    <system.web>
      <authorization>
        <allow roles="SecureUsers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Demo: Securing ArcGIS Web services

Demo review: Securing ArcGIS Web services
1. Edit web.config in C:\Inetpub\wwwroot\ArcGIS\Services
   – Add <authorization> element(s)
   – Root-level access to all services
   – Folder or service-level access via <location> element
2. IIS Manager
   – Deny anonymous users to /ArcGIS/Services
• ArcGIS Server Help
  – http://webhelp.esri.com/arcgisserver/9.2/dotNet/manager/administration/secure_web_svcs.htm

  <location path="SecureServices">
    <system.web>
      <authorization>
        <allow roles="SecureUsers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

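Putting the two demo steps together, here is an abbreviated web.config for the Services application as an added example; it is not ESRI's shipped file. It shows the root-level rule and the folder-level rule from the slide side by side with a service-level rule. The folder SecureServices and role SecureUsers come from the slide; the service name Parcels and the group name MYSERVER\agsadmin are placeholders.

```xml
<!-- Added example (not ESRI's shipped file): C:\Inetpub\wwwroot\ArcGIS\Services\web.config
     after the demo steps. "Parcels" and "MYSERVER\agsadmin" are placeholders. -->
<configuration>
  <system.web>
    <!-- A Web service cannot show a login form, so IIS authenticates callers against
         Windows accounts (anonymous access was disabled in IIS Manager in step 2). -->
    <authentication mode="Windows" />

    <!-- Root level: any authenticated Windows user may reach the services.
         "?" is the anonymous user; denying it here is a second, ASP.NET-side check
         that holds even if the IIS setting is later changed. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Folder level: only the SecureUsers group may use services in SecureServices.
       Rules are evaluated top to bottom and the first match wins, so the
       allow comes before the deny-all. Under Windows authentication a role name is a
       Windows group; qualify it as MACHINE\group or DOMAIN\group if the bare name
       is not resolved. -->
  <location path="SecureServices">
    <system.web>
      <authorization>
        <allow roles="SecureUsers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Service level: the path is the part of the service URL after /arcgis/services/,
       so http://<myserver>/arcgis/services/Parcels/MapServer is restricted to agsadmin. -->
  <location path="Parcels/MapServer">
    <system.web>
      <authorization>
        <allow roles="MYSERVER\agsadmin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Verify the rules the same way the demo does: connect from ArcCatalog with an "Internet" (Web service) connection as a user outside SecureUsers and confirm the folder's services are refused while the root-level services still list.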
Web application security
• Windows vs. forms authentication
• Security features in ASP.NET 2.0+
• Enabling functionality by user role

ArcGIS Server 9.2: Software Development Kit
• Build and deploy web & enterprise geospatial applications and services
• Productivity boost with out-of-the-box IDE integration
• Software Development Kit (SDK) includes:
  – .NET components
    • Web ADF
    • Mobile ADF
  – Java components
    • Web ADF
    • Enterprise ADF

(Diagram: Software Development Kit (SDK) – .NET, Java, Mobile; ArcGIS Mobile, Web Map Applications, Business Applications, Enterprise Integration Environment, Web)

Securing ASP.NET Web applications
• Two main options
  – Windows authentication
    • IIS controls access
    • Users have Windows accounts
    • Users see popup login form (usually)
    • Typically used on intranets
  – Forms authentication
    • ASP.NET controls access
    • Accounts usually in a database or file
    • Users log in with a form on a web page
    • Used on Internet and intranets

Demo: Securing a Web application with Windows authentication

Demo review: securing a web application with Windows authentication
1. Open IIS Manager
2. Navigate to the web application
3. Use its Properties to
   – Disable anonymous access
   – Enable at least one other method
     • Integrated Windows
     • Basic
     • Digest
4. Create Windows accounts if necessary

Securing Web applications with Windows authentication
• Pros
  – Easy to set up
  – Can work on all browsers
  – Can take advantage of Windows accounts
  – Similar to login used with ArcIMS Servlet Connector
• Cons
  – Non-customizable pop-up login box
    • User-hostile login failure page
  – More difficult to fine-tune access
  – Must maintain accounts as Windows accounts
• Usually best for intranets

Demo: Securing a web application with forms authentication

Demo review: securing a Web application using forms authentication
1. Open website in Visual Studio 2005
2. Open ASP.NET Configuration (Web Site Administration Tool)
   – Set access to Internet (Forms)
   – Add users/roles
   – Add access rules
3. Create login form in Visual Studio
   – Create login.aspx page
   – Add a login control

Forms authentication with ASP.NET 2.0
• Pros
  – Familiar login approach used in most websites
  – Easiest option for forms-based login
  – Can use SQL Server Express – no extra cost
  – Flexibility for access and roles
• Cons
  – Requires creating Login page
    • Can just use simple page with Login web control
  – Password sent in request over the network
    • Use HTTPS (SSL), especially on the Internet
  – More difficult to administer
    • Web Site Administration Tool helps

More on Security in ASP.NET 2.0
• Securing data transmission
• Authentication vs. authorization
• Login web controls
• Membership and Authentication
• Roles and Authorization

Securing data and password transmission
• Problem: data and user credentials may be intercepted
  – Common login methods do not encrypt credentials
    • Forms and Basic authentication transmit in clear text
• Use HTTPS (SSL) to secure login
  – Acquire server certificate from a certificate authority (CA)
  – Install server certificate into IIS
  – Require SSL for page or resource
• http://msdn2.microsoft.com/en-us/library/aa302411.aspx

ASP.NET authorization
• Web.config file
  – Control access to entire application
  – Control access by path within application
• Examples
  – /Admin subfolder for administrators only
  – styles.css file accessible to all so login page can use styles
• Programmatic
  – Display or hide items within page based on user
  – Example
    • Basic website available to all
    • Logged in users see additional functionality
    • Editor users can edit data

Login Web Controls
• New web controls in ASP.NET 2.0
• Easily handle login tasks
• Controls:
  – Login – standard login form
  – LoginView – page display depends on login status
  – LoginStatus – display login/logout link on any page
  – LoginName – display user name
  – CreateUserWizard – add user to database
  – ChangePassword
  – PasswordRecovery – e-mail password to user

Membership and Authentication
• New framework in ASP.NET 2.0
• Enables simpler Forms authentication
• Web.config stores authentication options
  – Login page name, timeout, cookie use, SSL, etc.
  – Can modify these settings in IIS Manager too
• Works automatically with new login web controls
• Access membership programmatically too

(Screenshot: Setting Membership properties in IIS Manager)

Providers for Membership Data
• Stores and manages data for membership/roles
  – Typically in a database, but could be XML file, Windows server, …
• SQL Server Express is the default
  – Stores data in App_Data folder within website
    • Each website stores separate data
    • Can copy data (MDF file) to another website
  – SQL Express must be running locally to use
• SQL Server may be used (7, 2000, 2005)
• Active Directory also supported
• Custom providers could be created or purchased
  – Oracle, MySQL, Access, etc.
• Can use multiple providers, even within a single website

Roles and Authorization
• Users can have roles – similar to account groups
• Allow access to pages and features by role
  – Web.config to set page-level access
  – Use LoginView or code within a page
  – Example: allow all users to view data, but only logged in users may edit data
• Set up roles with Web Site Administration Tool
• Can also access roles programmatically

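The "Securing data and password transmission", "ASP.NET authorization", "Membership and Authentication" and "Roles and Authorization" slides all configure the same file, so here is one complete web.config for a forms-authenticated Web application as an added example. It is not the file the Web Site Administration Tool writes and not from the session. The connection string name MembershipDb, the role names Editors and Administrators, the Admin subfolder and edit.aspx are placeholders; the SQL Server Express database file name is the tool's default.

```xml
<!-- Added example (not from the session): web.config for a forms-authenticated site.
     Placeholders: MembershipDb, Editors, Administrators, Admin/, edit.aspx. -->
<configuration>
  <connectionStrings>
    <!-- SQL Server Express serving ASPNETDB.MDF from App_Data (the default provider store). -->
    <add name="MembershipDb"
         connectionString="Data Source=.\SQLEXPRESS;AttachDBFilename=|DataDirectory|ASPNETDB.MDF;Integrated Security=True;User Instance=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- ASP.NET redirects anonymous users of protected paths to login.aspx.
         requireSSL="true" marks the ticket cookie Secure, so it is only sent over HTTPS;
         login.aspx itself must therefore be served over HTTPS (step "Require SSL" on the
         transmission slide), otherwise the login succeeds but the cookie never returns. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" timeout="30" requireSSL="true" slidingExpiration="true" />
    </authentication>

    <!-- Root level: the basic site is open to everyone ("*" = all, "?" = anonymous). -->
    <authorization>
      <allow users="*" />
    </authorization>

    <!-- Membership (accounts) and roles both live in the SQL provider database. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="8"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             passwordFormat="Hashed" />
      </providers>
    </membership>

    <!-- cacheRolesInCookie avoids a database hit per request; cookieProtection="All"
         signs and encrypts that cookie and cookieRequireSSL keeps it off HTTP. -->
    <roleManager enabled="true" defaultProvider="SqlRoleProvider"
                 cacheRolesInCookie="true" cookieProtection="All" cookieRequireSSL="true">
      <providers>
        <clear />
        <add name="SqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb" />
      </providers>
    </roleManager>
  </system.web>

  <!-- Path level: /Admin for the Administrators role only. Rules are evaluated top to
       bottom, first match wins, so the deny-all must come last. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Editing page: only authenticated members of Editors; everyone else is denied and
       sent to login.aspx. This is the server-side rule behind "Editor users can edit data". -->
  <location path="edit.aspx">
    <system.web>
      <authorization>
        <allow roles="Editors" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Only needed if the root rule above is changed to deny anonymous users: keeps the
       stylesheet reachable so login.aspx still renders with its styles. -->
  <location path="styles.css">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The two `<location>` blocks are the declarative half of role-based access; hiding an editor task with LoginView or code (next slides) is only the display half and does not stop a request that names the page directly.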
Securing functionality within a website
• Access doesn't have to be all or nothing
• You may want to
  – allow anyone basic access, but more for logged in users
  – display some functionality only to specific users
  – personalize the site based on user's role, preferences or saved settings
• ASP.NET provides ways to do this
  – May require programming
    • E.g., restricting access to fields in a layer based on user role

Demo: Enabling Functionality by User Roles

Demo review: enabling Functionality by User Roles
• Add LoginView control
• Add template to LoginView
• Add task to LoginView template
• Add LoginStatus control
• Modify properties of EditorTask
• Add code to show Identify tool only to logged in users

Default.aspx.vb:
  ' Hide the Identify tool unless the request carries an authenticated user
  If Not User.Identity.IsAuthenticated Then
      Dim idTool As ToolbarItem = _
          Toolbar1.ToolbarItems.Find("MapIdentify")
      If idTool IsNot Nothing Then
          idTool.Visible = False
      End If
  End If

(Screenshot: Default.skin)

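Extending the code-behind above from "logged in or not" to roles, and to the field-level restriction mentioned on the "Securing functionality within a website" slide, as an added example that is not from the session or from an ESRI sample. Assumptions: Toolbar1 with its "MapIdentify" item is as on the slide; the page also has an EditorTask control with ID EditorTask1 and a HyperLink AdminLink; the roles Editors and Administrators exist in the role provider; the Web ADF namespace for ToolbarItem is assumed to be ESRI.ArcGIS.ADF.Web.UI.WebControls; the field list is constructed sample data.

```vb
' Added example (not from the session): Default.aspx.vb, role-based display plus a
' role-based field filter. EditorTask1, AdminLink, the role names and the field names
' are assumptions/constructed data; Toolbar1 and "MapIdentify" are from the slide.
Imports System.Security.Principal
Imports System.Web.Security
Imports ESRI.ArcGIS.ADF.Web.UI.WebControls   ' assumed namespace of ToolbarItem

Partial Class _Default
    Inherits System.Web.UI.Page

    ' Constructed sample: fields of a parcels layer, and the subset only editors may see.
    ' In a real site this would come from your layer configuration, not a literal.
    Private Shared ReadOnly AllFields As String() = _
        {"PARCEL_ID", "ADDRESS", "OWNER_NAME", "ASSESSED_VALUE"}
    Private Shared ReadOnly EditorOnlyFields As String() = _
        {"OWNER_NAME", "ASSESSED_VALUE"}

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' 1. Identify tool: logged-in users only (same rule as the slide).
        If Not User.Identity.IsAuthenticated Then
            Dim idTool As ToolbarItem = Toolbar1.ToolbarItems.Find("MapIdentify")
            If idTool IsNot Nothing Then
                idTool.Visible = False
            End If
        End If

        ' 2. Editor task: members of the Editors role only. User.IsInRole consults the
        '    role manager (or its role cookie). Hiding a control is a display decision;
        '    the <location> rule in web.config is what actually refuses the request.
        EditorTask1.Visible = User.IsInRole("Editors")

        ' 3. Admin link: ask the role provider directly for the current user.
        AdminLink.Visible = Roles.IsUserInRole("Administrators")
    End Sub

    ' Returns the field names the given principal may see. Shared and free of page
    ' state so the same rule can be applied wherever attributes are rendered
    ' (identify results, attribute tables) and checked without a page instance.
    Public Shared Function FieldsVisibleTo(ByVal principal As IPrincipal) As List(Of String)
        Dim canSeeRestricted As Boolean = _
            principal IsNot Nothing AndAlso _
            principal.Identity.IsAuthenticated AndAlso _
            principal.IsInRole("Editors")

        Dim visible As New List(Of String)()
        For Each fieldName As String In AllFields
            ' Anonymous users and non-editors get the public fields only.
            If canSeeRestricted OrElse Array.IndexOf(EditorOnlyFields, fieldName) < 0 Then
                visible.Add(fieldName)
            End If
        Next
        Return visible
    End Function
End Class
```

Call FieldsVisibleTo(User) from the identify results handler and drop any attribute whose name is not in the returned list before it reaches the page; filtering on the server is what makes this a restriction rather than a hidden column.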
Looking ahead to 9.3
• Goal: make it easier to apply security
  – Still use standard ASP.NET security
• Configure security in Manager
  – Configure permissions for services and web applications
    • Applies native ASP.NET security
    • Supports any ASP.NET membership/role provider
      – Windows, SQL Server out of the box
  – Manage users and roles (groups)
    • If using SQL Server to store users and roles

Looking ahead to 9.3
• Token service
  – Enhances security configuration for services and applications
    • Enables authenticating users stored in a database or other custom location
    • Provides for centralized security server for federated servers
      – Rather than duplicating users and roles across multiple servers
  – Similar to ArcWeb Services token service
  – Client submits credentials, receives token
  – Client uses token for all service requests

For more information
• ArcGIS Server Help
  – Configuring security for services
• Books on ASP.NET and security
  – General texts with chapters on security
    • Pro ASP.NET 2.0 in VB (C#) 2005, Moroney & MacDonald – Apress, Inc.
  – Professional ASP.NET 2.0 Security, Membership and Role Management
    • Stefan Schackow – Wrox Press
  – How to Break Web Software
    • Andrews & Whittaker – Addison-Wesley
• Websites on ASP.NET
  – http://www.asp.net – Communities

Summary
• Security tasks
• Service security
  – Local connections
  – Internet (web service) connections
• Website security in ASP.NET
  – Windows authentication
  – Forms authentication
• Controlling access to functionality within a website
• ArcGIS Server 9.3 will enable configuring security in Manager