Enabling authentication with a file-based ACL

About enabling authentication with a file-based ACL

You can restrict services by storing permissions in an XML file. Before setting up this file, see Restricting access to ArcIMS services for an overview of authentication.

You need to make edits to the following files:

  1. If you are using the Servlet Connector, you must edit Esrimap_prop.

    If you have a Web application that uses the Java Connector, you must edit authenticate.properties.

    One property in either file is specific to the file-based access control list (ACL):

    aclFileName=
    Specifies the path and filename to the ACL file.

  2. The ACL file itself. This file is in XML format. Each entry starts with a USER tag. The following example shows some common ways to restrict services. For a description of all attributes, see the ACL attribute reference.


    <?xml version="1.0"?>
    <AIMSACL>

    <!-- The following sample has two unrestricted services (SanFrancisco, World) and one restricted service (SecretData). The unrestricted services use an asterisk for the name, and a user is not required to type in a password. -->
    <USER name="*" services="SanFrancisco, World" />
    <USER name="private" password="pass.word" services="SecretData" />

    <!-- The following sample shows how to further restrict service access to particular machines. -->
    <USER name="private" password="pass.word" services="SecretData" trustedclients="198.102.62.1,198.102.62.22"/>

    <!-- The following sample adds a user who can access all services, the account never expires and the account is active. -->

    <!-- The following sample adds a user who can access service "free", the account never expires, the account is active but the arcxml tag "GET_FEATURES" is forbidden to this user. -->

    <USER name="new" password="new" services="free" expiration="*" active="1" forbiddentags="GET_FEATURES"/>

    </AIMSACL>

    Things to keep in mind when setting up an ACL file:

    • Usernames and passwords are case sensitive.
    • Service names specified in the ACL file should match the case of the names in Administrator.
    • Only those services listed in the ACL file will be available to a client, even if you have other services running in Administrator.
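
The points above can be checked mechanically before the ACL file goes live. The following audit script is an added example, not part of the ArcIMS documentation or product. It assumes the list of service names from Administrator is supplied by hand (`admin_services` is a hypothetical input) and that spaces after the commas in `services` are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the ACL format shown above (not a real deployment).
SAMPLE_ACL = """<?xml version="1.0"?>
<AIMSACL>
  <USER name="*" services="SanFrancisco, World" />
  <USER name="private" password="pass.word" services="SecretData" />
  <USER name="new" password="new" services="free" expiration="*" active="1"/>
</AIMSACL>"""

def audit_acl(xml_text, admin_services):
    """Return sorted (subject, finding) pairs for an AIMSACL document."""
    findings, listed = set(), set()
    for user in ET.fromstring(xml_text).iter("USER"):
        name = user.get("name", "")
        password = user.get("password", "")
        # Assumption: service lists are comma-separated and spaces are ignored.
        services = {s.strip() for s in user.get("services", "").split(",") if s.strip()}
        listed |= services
        if name == "*":
            findings.update((s, "open to any user without a password") for s in services)
        elif not password:
            findings.add((name, "named user has no password"))
        elif password == name:  # compared case-sensitively, like the ACL itself
            findings.add((name, "password is identical to the username"))
        if name != "*" and not user.get("trustedclients"):
            findings.add((name, "no trustedclients restriction"))
    admin = set(admin_services)
    by_lower = {s.lower(): s for s in admin}
    for svc in listed - admin:
        match = by_lower.get(svc.lower())
        findings.add((svc, f"case differs from Administrator name {match!r}"
                      if match else "not a service in Administrator"))
    listed_lower = {s.lower() for s in listed}
    for svc in admin - listed:
        if svc.lower() not in listed_lower:
            findings.add((svc, "running but absent from the ACL, so unavailable to clients"))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed Administrator service list for the demonstration.
    admin = ["SanFrancisco", "world", "SecretData", "Parcels"]
    for subject, finding in audit_acl(SAMPLE_ACL, admin):
        print(f"{subject}: {finding}")
```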

How to set up a file-based ACL

Setting up a file-based ACL

  1. Author your map file and design your Web site.

    Create your configuration file (AXL) and then design the look of the Web site with Designer. Note: Designer is not able to access restricted services; thus, you should design your Web site before restricting access to a service.

  2. Edit properties in Esrimap_prop or authenticate.properties.

    If you are using the Servlet Connector, locate Esrimap_prop installed in your Web server's servlet directory and edit it with a text editor. See Common servlet engine file locations for a list of common Web servers and their servlet directory location.

    Note: ArcIMS installs a backup copy of all the files that comprise the Servlet Connector in \Connectors\Servlet on Windows or /Middleware/Servlet_Connector on UNIX and Linux. You should not edit the Esrimap_prop file at this location because it will have no impact on the operation of the Servlet Connector.

    Set the properties as shown below. You can set many of these properties by removing the comment character (#) before them. The properties are case sensitive but the values assigned to the properties are not case sensitive.


    enable=True
    authenticate=True
    authMethods=Digest
    authenticateWithSessions=True
    sessionTimeout=120
    aclFileName=/aimsacl.xml
    realm=ArcIMS Network

    If you have a Web application using the Java Connector, locate authenticate.properties in the Web application's WEB-INF/classes directory.

    Set the properties as shown below.


    authenticate=True
    aclFileName=/aimsacl.xml

    For the value of aclFileName, all slashes in the path name must be forward slashes.

  3. Create the ACL XML file in a text editor.

    A sample ACL file named sample_aimsacl.xml is included in the documentation directory.

    Windows: <ArcIMS install location>\ArcIMS\Documentation
    UNIX and Linux: $AIMSHOME/documentation.

    The following sample ACL file has one restricted and two non-restricted services.


    <?xml version="1.0"?>
    <AIMSACL>
    <USER name="*" services="SanFrancisco, World" />
    <USER name="private" password="pass.word" services="SecretData" />
    </AIMSACL>

  4. Place the ACL file in the location you specified in aclFileName in Esrimap_prop or authenticate.properties. Be sure the file is named correctly as well.
  5. If you are using Windows and Internet Information Server (IIS), you need to configure IIS for authentication.
    1. On the taskbar, click Start | Settings | Control Panel | Administrative Tools | Internet Services Manager.
    2. In the left panel, double-click the machine name to expand the tree.
    3. Double-click Default Web Site.
    4. If you're running ServletExec or JRun as your servlet engine, double-click Scripts. If you're running Tomcat, double-click Jakarta.
    5. In the right panel, right-click ServletExec_ISAPI.dll, jrun.dll, or isapi_redirect.dll (for ServletExec, JRun, and Tomcat respectively) and click Properties.
    6. Click the File Security tab.
    7. Click Edit for Anonymous access and authentication control.
    8. Uncheck both Integrated Windows authentication and Digest authentication. Click OK.

    Note: Windows XP users may find Digest authentication turned on, but grayed out and unable to be deactivated. In this case, contact ESRI technical support.

  6. Stop and start the servlet engine. If the servlet engine is native to the Web server, stop and start the Web server. This allows your edits to take effect.
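
Before restarting the servlet engine, the property edits from step 2 can be verified against the three rules stated there: settings must be uncommented, property names are case sensitive while values are not, and aclFileName must use forward slashes. The following checker is an added example, not ArcIMS code; the sample file content and its Windows path are constructed.

```python
# Values this page sets for the Servlet Connector (Esrimap_prop).
EXPECTED = {"enable": "True", "authenticate": "True",
            "authMethods": "Digest", "authenticateWithSessions": "True"}

# Constructed Esrimap_prop fragment containing typical editing mistakes.
SAMPLE_PROPS = r"""enable=True
#authenticate=True
authmethods=Digest
authenticateWithSessions=true
sessionTimeout=120
aclFileName=C:\ArcIMS\aimsacl.xml
realm=ArcIMS Network
"""

def check_props(text, expected=EXPECTED):
    """Return a list of problems found in a properties file's text."""
    active, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.lstrip("# ").partition("=")
        if not sep:
            continue  # blank line or free-text comment
        if line.startswith("#"):
            commented.add(key.strip())
        else:
            active[key.strip()] = value.strip()
    lower = {k.lower(): k for k in active}
    problems = []
    for key, want in expected.items():
        if key in active:
            if active[key].lower() != want.lower():  # values are not case sensitive
                problems.append(f"{key}: is {active[key]!r}, expected {want!r}")
        elif key.lower() in lower:
            problems.append(f"{key}: written as {lower[key.lower()]!r} "
                            "(property names are case sensitive)")
        elif key in commented:
            problems.append(f"{key}: still commented out with #")
        else:
            problems.append(f"{key}: missing")
    acl = active.get("aclFileName", "")
    if not acl:
        problems.append("aclFileName: missing or empty")
    elif "\\" in acl:
        problems.append("aclFileName: contains backslashes, use forward slashes")
    return problems

if __name__ == "__main__":
    for problem in check_props(SAMPLE_PROPS):
        print(problem)
```

For a Java Connector application, pass `{"authenticate": "True"}` as `expected`, since authenticate.properties sets only authenticate and aclFileName.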


