Security overview Setup and configuration Securing GIS Web services. Securing Web applications. Web ADF applications

Similar documents
Implementing Security for ArcGIS Server Java Solutions

Introductions Who are we? Who are you? Development D l t experience i with ith ArcObjects A Obj t Development experience with ASP.NET Basic understand

New ArcGIS Server Application Developers? Experience in Programming with Java? Knowledge of Web Technologies? Experience with the Java WebADF?

LAN protected by a Firewall. ArcGIS Server. Web Server. GIS Server. Reverse Proxy. Data

ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS for Server: Security

Desktop. ArcGIS Server. ArcGIS

Securing ArcGIS Server Services An Introduction

Securing ArcGIS Services

ArcGIS Server Web Server Web Applications WWW. Applications. ArcGIS Server Manager. GIS Server. Data. Desktop GIS. ArcGIS Desktop (content author) SOM

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

Web ADF Graphics. Web-tier.NET. Client-tier JavaScript. Spatially enabled.net DataTables Render on the server using GDI+ Graphic features and groups

Getting Started with ArcGIS for Server. Charmel Menzel and Ken Gorton

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Developers Road Map to ArcGIS Desktop and ArcGIS Engine

ArcGIS Enterprise Security: Advanced. Gregory Ponto & Jeff Smith

Getting Started with the ArcGIS Server JavaScript API

Server AMS/PLL 2014 SP1 for ArcGIS 10.1 SP1 & 10.2.x Update Guide

ArcGIS Viewer for Microsoft Silverlight An Introduction

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

TRAINING GUIDE. GIS Setup and Config for Lucity Webmap

Scout Enterprise Dashboard

Introduction to ArcGIS Server Architecture and Services. Amr Wahba

Server AMS/PLL 2014 SP1 for ArcGIS 10.1 SP1 & 10.2.x Install Guide

Server AMS/PLL 2014 SP1 for ArcGIS 10.0 SP5 Update Guide

Goals Give you an overview of development with ArcGIS Server Give you a roadmap to other sessions Cover the breadth of the software Not a deep dive se

BIG-IP Access Policy Manager : Portal Access. Version 12.1

ArcGIS for Developers. Kevin Deege Educational Services Washington DC

Moving Desktop Applications to ArcGIS Server

ArcGIS Enterprise Security. Gregory Ponto & Jeff Smith

Designing an Enterprise GIS Security Strategy. Michael E Young CISSP

ICIT. Brian Hiller ESRI Account Manger. What s new in ArcGIS 10

Using an ArcGIS Server.Net version 10

User Manual. Admin Report Kit for IIS 7 (ARKIIS)

Product-Specific Terms of Use

Architecting ArcGIS Server Solutions for Performance and Scalability

Agenda. Introduction. Supported Formats. Creating a Custom REST Service. What s Next

@jbarry

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

HOMELESS INDIVIDUALS AND FAMILIES INFORMATION SYSTEM HIFIS 4.0 TECHNICAL ARCHITECTURE AND DEPLOYMENT REFERENCE

2310C VB - Developing Web Applications Using Microsoft Visual Studio 2008 Course Number: 2310C Course Length: 5 Days

Business Insights Dashboard

DreamFactory Security Guide

Getting Started with. Management Portal. Version

Introduction to ArcGIS Server 10.1

ArcGIS for Server Michele Lundeen

Tom Brenneman. Good morning and welcome, introductions and thank you for being here.

ArcGIS Online. The Road Ahead Geoff Mortson

Securing your Standards Based Services. Rüdiger Gartmann (con terra GmbH) Satish Sankaran (Esri)

20486-Developing ASP.NET MVC 4 Web Applications

WHY CSRF WORKS. Implicit authentication by Web browsers

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

BIG-IP Access Policy Manager : Portal Access. Version 13.0

ArcGIS for Server: Administration and Security. Amr Wahba

Solutions Business Manager Web Application Security Assessment

Secret Server Demo Outline

AMS Device View Installation Guide. Version 2.0 Installation Guide May 2018

ArcGIS for Server: Publishing and Using Map Services

ArcGIS Enterprise: Portal Administration BILL MAJOR CRAIG CLEVELAND

Xerox Connect App for Blackboard

VII. Corente Services SSL Client

SuperGIS Server 3.2 Value Edition Specification

WebAD IISADMPWD. Replacement Tool v2.5. Installation and Configuration Guide. Instructions to Install and Configure IISADMPWD

IBM Security Access Manager Version January Federation Administration topics IBM

Advanced Service Design. vrealize Automation 6.2

10267A CS: Developing Web Applications Using Microsoft Visual Studio 2010

.NET Web Applications. Example Project Walk-Through

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1

Introduction to Your First ArcGIS Enterprise Deployment. Thomas Edghill & Jonathan Quinn

Trusted Login Connector (Hosted SSO)

Configuring ArcGIS Enterprise in Disconnected Environments

XIA Automation Server

EUCOM/AFRICOM DEFENSE USER GROUP MEETING MARCH 2010 STUTTGART WELCOME!

SAS Data Explorer 2.1: User s Guide

Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2)

ArcGIS Viewer for Flex An Introduction

Version Installation Guide. 1 Bocada Installation Guide

Web Mapping Applications with ArcGIS. Bernie Szukalski Derek Law

DIRECTORY UPDATE V3.0 Quick Start Guide

How to Pick the Right PI Developer Technology for your Project

DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com

Web AppBuilder for ArcGIS: A Deep Dive in Enterprise Deployments. Nick Brueggemann and Mark Torrey

ControlPoint. Native Installation Guide. February 05,

Maintain Geodatabase

Coveo Platform 6.5. Microsoft SharePoint Connector Guide

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS)

BI Office. Web Authentication Model Guide Version 6

Technical Overview. Access control lists define the users, groups, and roles that can access content as well as the operations that can be performed.

WebAnalyzer Plus Getting Started Guide

Sage 500 ERP 2016 Business Insights Dashboard Guide

Workspace Administrator Help File

Installing ArcIMS 9.1 on Windows

Configuring Anonymous Access to Analysis Files in TIBCO Spotfire 7.5

Lifecycle Management Suite Hardware and Software Requirements - Account Servicing

What should y you expect in this session? Basic to advanced topics Outline What is map caching? Why should I cache? Caching workflow How to create a c

IQSweb Installation Instructions Version 5.0

Early Data Analyzer Web User Guide

Client 2. Authentication 5

Five9 Plus Adapter for Agent Desktop Toolkit

Extend, distribute custom functionality. Multi-source support

Transcription:

Implementing Security for ArcGIS Server for the Microsoft.NET NET Framework Tom Brenneman Sud Menon

Schedule Security overview Setup and configuration Securing GIS Web services Using the token service Securing Web applications Web ADF applications JavaScript/Flex API applications We will answer questions at the end on the session Please complete the session survey!

Security overview ArcGIS Server security provides access control Which users can access particular services and applications Remember other security tasks Security during transmission Operating system updates, virus protection Code SQL injection, cross-site scripting, etc. Physical Ph i l security it User education phishing, etc.

Access control model ArcGIS Server has role-based access control Uses standard IIS or ASP.NET security IIS Basic, Digest, Integrated Windows ASP.NET Membership and role provider framework

ArcGIS Server Site ArcGIS Server System Web Server Web Mapping Applications Web Browser GIS Services Web Service Endpoints ArcGIS Explorer, Manager Manager Web Application ArcGIS Desktop, other ArcGIS Servers GIS Server ArcCatalog Administrator Users External to the Site GIS Services Server Objects Users Internal to the Site : Authors Publishers, Authors, Publishers Administrators Geodatabases ArcGIS Server Security Zones ArcMap, ArcGlobe Content Author

Security model Browser/Desktop Applications Web Authenticate Web server Principal Store Web service handler Token service Web applications (Users & Roles) Authenticate View// Edit A th i Authorize SOM Permission Store (for services) Manager GIS Services Edit

Steps to securing services and applications pp 1. Decide where users and roles will be stored 2. Install supporting items as needed Secure Sockets Layer (SSL) certificate for Web server SQL Q Server (Express) ( p ) Custom provider 3. Configure security in Manager Configure location for users and roles Add and manage users and roles 4. Secure Web application(s) using Manager* - and/or 5. Secure GIS Web services using Manager Adapted from ArcGIS Server Help, Internet security checklist *or other tools for custom applications

Decide where users and roles will be stored Windows users and groups Manage with operating system tools SQL Server Full or Express version Tables store users and roles in.net membership format Custom provider Oracle, Active Directory, XML, etc. To use, acquire a.net membership/role provider XML Oracle

Decide where users and roles will be stored User and role store usually same place, but can have Windows users + SQL Server roles Windows users + roles in custom provider SQL Server users + roles in custom provider p Built-in SQL Server roles Everyone (*): ( ): all users permitted whether provide login or not Authenticated Users (@): users who provide a valid login Anonymous (?): users who do not provide a login Add can manually add to custom provider

How will users be authenticated? Authenticate = verify identity of the user If users in SQL Server or custom provider Web Applications: ASP.NET ASP NET Forms authentication Web Services: Tokens service If Windows users, options are: IIS-controlled authentication Integrated Windows Basic Digest Token authentication Only supported if roles are in SQL Server

Demo Configuring security using SQL

Session agenda Security overview Setup and configuration Securing GIS Web services Using the token service Securing Web applications Web ADF applications JavaScript/Flex API applications ESRI Developer Summit 2008 12

Securing ArcGIS Server services Two ways to connect to an ArcGIS Server service 1. Local connection Works only on intranets Access to all server functionality User must be a member of the agsusers or agsadmin groups 2 Web service ( Internet ) 2. ( Internet ) connections SOAP, REST, WMS, KML Works on intranets and over Internet Security y model introduced at 9.3

Securing GIS Web services Services inherit folder permissions Services root Good practice to secure folders Unique service permissions Internal Permissions changes cascade to all children Inherit service permissions from folder Set permissions on root first Inherit service permissions from root Unique service permissions

Transitioning ArcGIS Server from open access to secure access Enabling security for services is set separately from permissions Security-Settings tab With no security, y, everyone y has access to everything With security, by default, everyone has access to nothing If you enable security before changing g g permissions, p no one will be able to use existing services

Using secured services ArcGIS Desktop, ArcGIS Explorer Provide identify in connection dialog.net Web applications Manager: use Access secured services i Visual Studio: add identity in the resource manager SOAP, REST and JavaScript applications Use token or Windows authentication More on this shortly

Demo Securing GIS Web services

Session agenda Security overview Setup and configuration Securing GIS Web services Using the token service Securing Web applications Web ADF applications JavaScript/Flex API applications ESRI Developer Summit 2008 18

The Token service User authentication web service Why do we need it?.net provides no mechanism for web service security Forms o s just for o app applications cat o s Web service security when using and ASP.NET membership / role provider Used only with GIS Web services Not used by default with Windows users Not used to authenticate Web application users

How does the Token service work? ArcGIS Desktop 1. Client requests service 2. Server: token required Web server 6. Client requests with ith token t k 8. Server returns service data Web service handler 3. Client requests token Token service 5. Server 5 returns token 4. Credentials validated Principal p Store 7. Server gets user s roles and authorizes roles SOM Permission Store (.SEC files) GIS Services (Users & Roles)

What is in a Token? Token is a string with encrypted information: User name Expiration time Optional: p ID of the client IP address or Web URL (HTTP Referrer) If included, expiration can be a longer time period (weeks/months) Used by most clients Desktop, ADF, JavaScript/REST applications, etc. If nott included, i l d d shorter h t expiration i ti time ti needs d to t be b renewed d

Working with the Token service Most clients will work with tokens automatically Desktop (ArcMap, ArcCatalog, ArcGlobe) and Engine ArcGIS Explorer Web ADF ((.NET and Java)) and Mobile ADF Some clients will require explicit token management SOAP-based clients not using ADF Use server-side code to acquire q and use token See Developer Help for details and examples JavaScript/REST clients Developer obtains a token from get-token Web page Developer embeds token in the Web application code Access token on the server via a proxy page

Working with the Token service ( (continued) ) GIS service can provide the Token service URL Requesting a token Requires HTTPS by default Example: p https://myserver/arcgis/tokens?request=gettoken&username=myuser&passwo rd=secret&clientid=ip.127.0.0.1&expiration=120 Using a token Append the token to the URL of the server http://myserver/arcgis/services/usa/mapserver?token=hpwkwqltkuhdwogpp%... Use HTTPS for maximum security over unsecure networks Needed to guard against token hijacking and replay attacks Refreshing the token If token may expire, include code to renew it Server returns HTTP error code of 498 for expired token

Demo Using tokens in a JavaScript API application

Session agenda Security overview Setup and configuration Securing GIS Web services Using the token service Securing Web applications Web ADF applications JavaScript/Flex API applications ESRI Developer Summit 2008 25

Securing Web ADF applications with Manager Security button in Manager Applications Enable security Add permitted role(s) Notice role-based role based security, not user-based Permission rules are stored in the application pp Web.config - <authorization> element

Securing a Web ADF application outside of Manager Q: How do you secure a Web ADF application created with Visual Studio? A: Add the provider and permissions manually to web.config Copy provider settings from /ArcGIS/Security/web.config /ArcGIS/Security/web.config Connection string for SQL Server Membership and provider elements Add allow/deny rules <authorization> <allow roles= Editors /> <deny users= * /> </authorization> Add login.aspx page if not using Web Mapping Application template

Using a secured Web ADF application User will be prompted to login Login.aspx page when users in SQL Server or custom provider Pop-up P di l with dialog ith Windows Wi d users Application page Displays Di l login l i name Logout link When logged in with forms authentication

Demo Securing a Web application in Manager

Securing applications that use clientclient-side APIs: JavaScript p APIs,, Flex API,, Silverlight g API Can t secure applications with only clientclient-side code Using windows Secure using OS Using ASP.NET Wrap code in.aspx.aspx page Use same approach shown earlier for securing the application outside of Manager g

Passing user identity to the GIS service Browser user Scenario: Secure application with dynamic services based on user User logs into the application User sees only the services they have access to User identity SecurityPassthrough S it P th h samples l Passes user s identity to GIS service at runtime Three samples: SecurityPassthrough SecurityPassthrough_Forms SecurityPassthrough_Forms: Forms: Users/roles in SQL Server; Web Forms: service (Internet) connection to the GIS service SecurityPassthrough_Win SecurityPassthrough_Win:: Users/roles in Windows; Local connection to the GIS service y g ((available for 9.3.1): ) Users/roles SecurityPassthrough_WinInternet in Windows; Web service (Internet) connection to the GIS service ADF Application Service identity GIS Server

Controlling application content based on role Question: How can I show or hide content depending on the role? Tools, tasks, layers, map, etc. Answer: Developer must add code Wrap p Web ADF controls in LoginView g controls Get user s role Remove or add content depending on role See sample in Developer Kit Common_Security

Demo Modifying Web application content based on user s role

Security resources for ArcGIS Server Server Help Web ADF Developer Help Help for JavaScript APIs ArcGIS JavaScript Virtual Earth Google Maps Flex API Help Silverlight API Help

Summary Manager at 9.3+ enables users to Configure user and role stores Secure Web applications Secure GIS Web services Clients work with security Desktop, Engine and Web ADF work seamlessly SOAP and JavaScript clients may require working with tokens Use standard ASP.NET methods for finer-grain security in applications

Additional Resources Questions, answers and information Tech Talk Outside this room right now! ESRI Resource Centers PPTs, code and video resources.esri.com Meet the team 6:00 7:00 pm during the party in Oasis 2 Other sessions Social Networking www.twitter.com/ ESRIDevSummit Advanced Map Caching Topics Wednesday 2:45 4:00 pm tinyurl.com/ ESRIDevSummitFB

Want to Learn More? ESRI Training and Education Resources Instructor Instructor--Led Training ArcGIS Server: Web Administration Using g the Microsoft.NET Framework Developing Applications with ArcGIS Server Using the Microsoft.NET Framework Free Web Training Seminars ArcGIS Server Setup and Administration Building Applications with ArcGIS Server Using the Microsoft.NET Framework Implementing Security for ArcGIS Server.NET Solutions http://www.esri.com/training

Questions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback