Securing the Web Services Handler

Release 9.3.1

You can expose your ArcGIS Server services using a Web service handler. In some cases, you may want to make these services available only to certain users. Using ArcGIS Server Manager, you can secure your Web service handlers using role-based access control.

According to the principles of role-based access control, users are granted membership in roles based on their competencies and responsibilities in the organization. The tasks that a user is permitted to perform are based on the user's role. Membership in roles can be easily withdrawn and new memberships established as the organization evolves; roles can be updated without updating the privileges of every user on an individual basis.

Users and Groups

A user is defined in the Application Server in use, for example Tomcat or JBoss. The user in this case is similar to an operating system user. However, the authenticating server has no knowledge of the user name and password you provide when you log on to the operating system and is not connected to the security mechanism of the operating system.

A group is a category of authenticated users classified by common traits, such as job title or customer profile. For example, most customers of an e-commerce application might belong to the CUSTOMER group, but the big spenders would belong to the PREFERRED group. Categorizing users into groups makes it easier to control the access of large numbers of users.

An Application Server group has a different scope from a role. An Application Server group is designated for the entire Application Server, whereas a role is associated only with a specific application in the Application Server.

Roles

A role is an abstract name for the permission to access a particular set of resources in an application. A role can be compared to a key that can open a lock. Many people might have a copy of the key. The lock doesn't care who you are, only that you have the right key.

Users can be associated with a group, and the user/group can be associated with one or multiple roles and can therefore access all resources protected by those roles.

As an example, the members of a city planning department are allowed access to a service showing detailed parcel information and some are allowed to update this data. Each member is a user and part of the planning_department group. Some members have an editor role, while others have a viewer role.

Authentication methods

When each user logs in, he or she is authenticated based on the user name and password. The following authentication methods are available using ArcGIS Server Manager:

Creating a secure Web Services Handler

The process for creating a secure Web Services Handler is:

Set up users and roles for your server

After using ArcGIS Server Manager to create a secure Web Services Handler in the form of a WAR file, you will need to

  1. Deploy the WAR file to a web application
  2. Set up users and roles for the web application in the Application Server software you are using.

For example, to enable access to the Parcels web application, you must create a new username/password combination for the corresponding city government members and associate the role name City with it, or add the City role to an existing username/password combination. The steps needed depend on which Application Server you are using. Please see below for the steps for the specific third-party product:

Apache Tomcat

  1. Deploy the .war file by placing it in the directory <Tomcat_Home>/webapps/
  2. Go to Control Panel > Administrative Tools > Services. Find the Apache Tomcat service in the list and restart it.
  3. The .war file will explode and create a folder in the same directory with the name of the .war file. For example, after deploying the 'parcels.war' file, you will see a directory called 'parcels' in the webapps directory.

To set up roles in Tomcat, use the Tomcat 5 MemoryRealm interface, which loads information about all users, and their corresponding roles, from the XML document tomcat-users.xml at startup time. Any changes to this file are not recognized until Tomcat is restarted. The file is an XML document with the root element <tomcat-users> and, nested inside of it, a <user> element for each valid user consisting of the following attributes: name, password and roles.

To set up the tomcat-users.xml file:

  1. Open the file <Tomcat_Home>\conf\tomcat-users.xml in a text editor such as Notepad or Wordpad.
  2. Add a line with the XML <user> tag entry for each individual user, with the corresponding name, password and roles. The file should then look something like this (default users included):

    <tomcat-users>
      <user name="admin"   password="admin"     roles="admin,manager" />
      <user name="tomcat"  password="tomcat"    roles="tomcat" />
      <user name="role1"   password="tomcat"    roles="role1" />
      <user name="both"    password="tomcat"    roles="tomcat,role1" />
      <user name="Tom"     password="Cityapp"   roles="City" />
      <user name="Peter"   password="Stateapp"  roles="State" />
      <user name="Michael" password="AllAccess" roles="City,State" />
    </tomcat-users>

    WARNING: User names and roles are case sensitive and must be unique. Do not use commas, tabs or any of the characters in the following comma-separated list: < >, #, |, &, ?, ( ), { }

  3. Save and close the file
  4. Restart the Apache Tomcat service for the edits to take effect. For Tomcat documentation on storing the user and role information in a database accessed via JDBC or in a directory server accessed via LDAP see http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
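Because the MemoryRealm only rereads tomcat-users.xml on restart, it pays to check the file before restarting. The following Python lint is an added example (not part of the ArcGIS or Tomcat documentation): it applies the rules from the WARNING above and flags the stock accounts that ship in the default file; the sample XML is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Characters the documentation forbids in user names and role names
# (comma and tab included; the comma is only valid as the roles="" separator).
FORBIDDEN = set('<>#|&?(){},\t')
# Accounts present in the stock tomcat-users.xml shown above; remove them
# from a server that only has to serve the secured Web Services Handler.
STOCK_ACCOUNTS = {"admin", "tomcat", "role1", "both"}

# Constructed sample (not a real server's file): the documented entries plus
# a deliberately faulty last line that breaks several of the rules at once.
SAMPLE = """<tomcat-users>
  <user name="admin"   password="admin"     roles="admin,manager" />
  <user name="tomcat"  password="tomcat"    roles="tomcat" />
  <user name="Tom"     password="Cityapp"   roles="City" />
  <user name="Peter"   password="Stateapp"  roles="State" />
  <user name="Michael" password="AllAccess" roles="City,State" />
  <user name="Tom"     password="Tom"       roles="City&amp;State" />
</tomcat-users>"""


def lint_tomcat_users(xml_text):
    """Return a list of (user, problem) pairs; an empty list means the file passes."""
    problems, seen = [], set()
    for elem in ET.fromstring(xml_text).iter("user"):
        # Tomcat's MemoryRealm accepts either 'username' or the older 'name' attribute.
        name = elem.get("username") or elem.get("name")
        password = elem.get("password")
        if not name or password is None:
            problems.append((name or "?", "missing name or password attribute"))
            continue
        if name in seen:  # comparison is case sensitive, like the realm itself
            problems.append((name, "duplicate user name"))
        seen.add(name)
        if FORBIDDEN & set(name):
            problems.append((name, "forbidden character in user name"))
        for role in elem.get("roles", "").split(","):
            if FORBIDDEN & set(role):
                problems.append((name, f"forbidden character in role '{role}'"))
        if name in STOCK_ACCOUNTS:
            problems.append((name, "stock Tomcat account should be removed"))
        elif password.lower() == name.lower():
            problems.append((name, "password equals user name"))
    return problems


if __name__ == "__main__":
    for user, problem in lint_tomcat_users(SAMPLE):
        print(f"{user}: {problem}")
```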

Weblogic

Before you begin configuring role security for Weblogic Application Server, it is recommended that you read the 'Manage users and groups' discussion at http://edocs.bea.com/wls/docs92/ConsoleHelp/taskhelp/security/ManageUsersAndGroups.html and 'Use roles and policies to secure resources' at http://edocs.bea.com/wls/docs92/ConsoleHelp/taskhelp/security/AddUsersToRoles.html.

  1. Launch and log in to the WebLogic Server Administration Console at http://<SERVERNAME>:7001/console.
  2. In the left pane select Security Realms.
  3. On the Summary of Security Realms page select the name of the realm (for example, myrealm).
  4. On the Settings for Realm Name page select Users and Groups > Users. Click New.
  5. On the Create New User page enter a username, password and optionally a description (e.g. the user's full name).

    WARNING: User names are case sensitive and must be unique. Do not use commas, tabs or any of the characters in the following comma-separated list: < >, #, |, &, ?, ( ), { }. The minimum password length for a user defined in the WebLogic Authentication provider is 8 characters. Do not use the username/password combination weblogic/weblogic in production.

  6. In the Provider drop-down list, select which Authentication provider's database should store information for the new user.
  7. Re-enter the password for the user in the Confirm Password field.
  8. Click OK to save your changes. The user name appears in the User table.

For more efficient management, BEA recommends adding users to groups:

To create groups:

  1. In the left pane select Security Realms.
  2. On the Summary of Security Realms page select the name of the realm (for example, myrealm).
  3. On the Settings for Realm Name page select Users and Groups > Groups.
  4. In the Groups table click New.
  5. In the Name field of the Create New Group page, enter the name of the group. Group names are case sensitive and must be unique. BEA recommends using initial capitalization and plural names for groups, for example, Administrators. Do not use commas, tabs or any of the characters in the following comma-separated list: < >, #, |, &, ?, ( ), { }
  6. Optionally, in the Description field, enter a short description of the group (for example, Product Managers for Code Examples).
  7. In the Provider drop-down list, select which Authentication provider's database should store information for the new group.
  8. Click OK to save your changes and to display the group name in the Group table. After you create a group, you can add users or make the group a member of another group. You can nest groups by adding a group to one or more parent groups.

To add users to groups:

  1. In the left pane select Security Realms.
  2. On the Summary of Security Realms page select the name of the realm (for example, myrealm).
  3. On the Settings for Realm Name page select Users and Groups > Users.
  4. In the Users table select the user you want to add to a group.
  5. On the Settings for User Name page select Groups.
  6. Select a group or groups from the Available list box.
  7. To add a user to a group, click the right arrow to move the selection to the Chosen list box. Click Save.

To add users to roles:

  1. In the left pane of the Administration Console, select Security Realms.
  2. On the Summary of Security Realms page, select the name of the realm that contains the role definition (for example, myrealm).
  3. On the Settings page, select the Roles and Policies tab. Then select the Roles subtab.
  4. Access the role's Edit Role page. In the Roles table, in the Name column, expand the Global Roles node.
  5. In the Name column, expand the Roles node.
  6. In the role's Role Conditions column, click the View Role Conditions link.
  7. If the Role Conditions column is empty, select the radio button next to the role's Name column. Then click the Edit Role button.
  8. On the role's Edit Role page, create a role condition that adds a user to the role.
  9. In the Role Conditions section, click Add Conditions.
  10. On the Choose a Predicate page, in the Predicate List, select User, Group, or Role.

    BEA recommends that you use the Group condition whenever possible. This condition grants the security role to all members of the specified group (that is, multiple users). For a description of all conditions in the Predicate List, see Security Role Conditions at http://edocs.bea.com/wls/docs92/secwlres/policy_statement.

  11. Click Next. Enter a user or group name in the argument field, and click Add.
  12. Click Finish. On the role's Edit Role page, click Save.

Websphere

Configuring security roles for applications takes place during application install.

  1. Log in to the WebSphere console
  2. Click Application > Install New Application.
  3. While using the Install New Application Wizard, you'll be prompted to map security roles to users. Go to "Security role to user and group selections" under Application > Install New Application.
  4. To change the security role to user mappings of an application that is already deployed, go to Additional Properties after deployment and click Map Security roles to users to change the user and group mappings of a role.
  5. Click Applications > application_name > Map RunAs roles to users in the Additional Properties section.

For more details please see the IBM WebSphere User Guide at http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.exp.doc/info/exp/ae/usec_tselugrad.html

Sun Java System Application Server

Deploy the Web application:

  1. Place the .war file in the directory <DRIVE>:\Sun\AppServer\domains\domain1\autodeploy\
  2. Go to Control Panel > Administrative Tools > Services. Find the SunJavaSystemAppServer9PE service in the list and restart it.

The .war file will explode and create a web application with the name of the .war file. For example, after deploying the "parcels.war" file, you will see a web application listed as "parcels" in the Sun Java console.

To set up roles in Sun Java Application Server, perform the following steps:

  1. Start the Sun Java System Admin Console by starting a web browser and browsing to http://localhost:4848/asadmin. If you changed the default Admin port during installation, enter the correct port number in place of 4848.
  2. Log in to the Admin Console with the user name and password entered during installation.
  3. In the menu tree on the left click on "Configuration" to expand the node.
  4. Click on the node "Security".
  5. On the left inside "Security" expand the node "Realms".
  6. Click on the realm "file".
  7. Choose "Class name for the realm..." and type the name of the role you set for your web application, for example Parcels.
  8. Click the Manage Users button on the page on the right.
  9. Click New to add one or more users.
  10. Enter a User ID and Password, and type the Role name(s) you set for your web application in the Group field. Click OK to add this user to the list of users in the realm.
  11. If the role names used in the application are the same as the group names defined on the Application Server, you can enable a default principal-to-role mapping on the Application Server using the Admin Console. From the Admin Console, select Configuration, then Security, then towards the bottom of the page check the enable box beside Default Principal to Role Mapping. Click Save.
  12. Click Logout when you have completed this task.

JBoss

To deploy the Web application:

  1. Place the .war file in the directory <JBoss_home>\server\default\deploy\
  2. Go to <JBOSS>\bin\ and find the run.bat file. Shut down JBoss by closing the console window if it's still open, then execute the run.bat file to restart JBoss.

To configure security roles:

see http://www.juniper.net/techpubs/software/management/sdx/sdx50x/sw-sdx-sw-basics/html/web-app-installing5.html

Go to <JBOSS>/server/default/conf/ and open the file users.properties with Notepad. If it does not exist, create it and save it as "users.properties" (quotes included ensure that it does not append the .txt extension).

To provide access to the web application with the set role "Parcels" to the user "City" with password "government", follow these steps:

  1. Add a line with the name and password of the user in the form user=<PASSWORD>, for example:

    City=government
    Anonymous=password
  2. Save and close the file
  3. Go to <JBOSS>/server/default/conf/ and open the file roles.properties with Notepad. If it does not exist, create it and save it as "roles.properties" (quotes included ensure that it does not append the .txt extension).
  4. Add a line with the name of the user and the role associated with it in the form user=<ROLE>. You can associate multiple roles with the same user, for example:

    City=Parcels
    Anonymous=Other, Sample
  5. Save and close the file
  6. Go to <JBOSS>\bin\ and find the run.bat file. Shut down JBoss by closing the console window if it's still open, then execute the run.bat file to restart JBoss.
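As an added example (not JBoss code or part of the original documentation), the following Python resolves the user-to-role mapping that the users.properties and roles.properties pair above expresses, reports which accounts can reach an application protected by a given role, and lists role entries for accounts that do not exist in users.properties. The two property files are constructed for the demonstration; the parser only handles the key=value form shown above, not the full Java .properties syntax.

```python
def parse_properties(text):
    """Parse key=value lines as used by both files; '#' starts a comment.
    ':' separators and continuation lines of full .properties files are not handled."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # a password may itself contain '='
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        entries[key.strip()] = value.strip()
    return entries


def load_principals(users_text, roles_text):
    """Return ({user: set(roles)}, orphans). A user missing from roles.properties
    gets an empty set; orphans are roles.properties names with no login in users.properties."""
    users = parse_properties(users_text)
    roles = parse_properties(roles_text)
    mapping = {}
    for user in users:
        # Role lists are comma separated; surrounding whitespace is trimmed here.
        names = roles.get(user, "").split(",")
        mapping[user] = {r.strip() for r in names if r.strip()}
    orphans = sorted(set(roles) - set(users))
    return mapping, orphans


def users_with_role(mapping, role):
    """Accounts that can reach a web application secured with this role."""
    return sorted(u for u, rs in mapping.items() if role in rs)


# Constructed sample files following the documentation's example, plus an
# auditor with no role entry and a role entry for an account that does not exist.
USERS_PROPERTIES = """# users.properties
City=government
Anonymous=password
Auditor=letmein
"""
ROLES_PROPERTIES = """# roles.properties
City=Parcels
Anonymous=Other, Sample
Ghost=Parcels
"""

if __name__ == "__main__":
    mapping, orphans = load_principals(USERS_PROPERTIES, ROLES_PROPERTIES)
    print("Parcels:", users_with_role(mapping, "Parcels"), "orphans:", orphans)
```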

Oracle Application Server

To configure roles:

  1. Login to the Oracle Enterprise Manager at http://localhost:8888/em
  2. Go to the Administration tab
  3. Click on the Go to Task for Security Provider under the Task Name 'Security'
  4. Click on Instance Level Security
  5. Choose the Realm tab
  6. Click Create to create a new Realm
  7. Provide a Name, Administrator Username and password, confirm the password and assign an Administrator Role. Click OK.
  8. In the results table, find the Realm Name you want to edit and click on the number displayed in the Roles field to add one or more roles
  9. Click Create to create a role.
  10. Provide a Name and choose another available role if it should inherit settings. Click OK.
  11. Click on the link for Instance Level Security at the top
  12. In the results table, find the Realm Name you want to edit and click on the number displayed in the Users field to add one or more users.
  13. Click Create to add more users.
  14. Provide a Name and Password and confirm the password.
  15. Choose an available role to assign it. Click OK.

Once roles have been configured, deploy your Web application:

  1. Place the .war file in the directory <DRIVE><OAS_HOME>\j2ee\home\applications
  2. Log in to the Oracle Enterprise Manager at http://localhost:8888/em
  3. Go to the Applications tab and click Deploy
  4. Choose "Archive is already present..." and type the location and name of the .war file, for example <OAS_HOME>\j2ee\home\applications\parcels.war
  5. Verify "Automatically create a new deployment plan" is selected
  6. Click Next to get to Step 2 of 3
  7. Type the name of the application, for example Parcels
  8. Verify the Context Root field has the correct name
  9. Click Next to get to Step 3 of 3
  10. On the Step 3 of 3 page of the "Deploy: Deployment Settings" page, click on the pencil symbol under the Go To Task column for Map Security Roles
  11. Click on the pencil symbol in the Map Role field
  12. Type the name of the user or group you want to add and click Add. You may repeat these steps for all users and groups you want to add.
  13. Click Continue
  14. Click OK to close the Map Security Roles window
  15. Click Deploy
  16. Log out of the Enterprise Manager
  17. Restart OAS for the changes to take effect.