Restricting access to ArcIMS services
Related Topics

Enabling authentication with a file-based ACL

Enabling authentication with a jdbc-based ACL

ACL attribute reference

About restricting ArcIMS services

The ArcIMS Servlet and Java Connectors allow you to define the access privileges for specified services. As an administrator of an ArcIMS site, you can:

When a request is received from a client, the Servlet or Java Connector checks to see if there are any restrictions on access to the service. If there are, the necessary information is obtained from the client, such as a username and password, to determine whether the access criteria are met. If so, the request is sent on to the Application Server. Otherwise, a message is returned to the client indicating that access is denied. This process is called authentication.

You define the access privileges for specific ArcIMS services within an Access Control List (ACL). By default, authentication is disabled and all requests are processed. The Servlet Connector uses the ACL to designate restricted and non-restricted services and the authentication criteria required to access them. The ACL may take one of two forms: a file-based ACL or a Java Database Connectivity (JDBC)-based ACL.

The main advantage of a file-based ACL is that it is easy to create and requires no additional components. A file-based ACL stores permissions in an XML file that you create using any text editor. Within the file, you specify which services are restricted and how to access them, for example, what username and password to use. The contents of the file are loaded into memory when the servlet initializes. Thus, if you edit your ACL file, you need to stop and restart the servlet engine (or Web server if the servlet engine is native to the Web server) to see your changes take effect. Additionally, increasing the number of users defined in your ACL file also increases the amount of memory usage on the Web server machine.

With a JDBC-based ACL, you store permissions in a relational database management system (RDBMS) accessed through a JDBC driver. A JDBC-based ACL can better manage larger numbers of users and services than a file-based ACL. Also, if you frequently modify the ACL, changes are picked up immediately without interrupting service, as the servlet engine does not need to be restarted. In order to use a JDBC-based ACL, you must have an RDBMS (e.g., Oracle, SQL Server) running with an appropriate JDBC driver. Refer to the JDBC Web site or your relational database documentation for information on JDBC driver configuration.

The ACL is referenced by the Servlet Connector property file named Esrimap_prop or the Java Connector property file named authenticate.properties. As you set up authentication, you will be working with both Esrimap_prop or authenticate.properties and the ACL file.

Esrimap_prop common properties

Esrimap_prop contains a set of common properties whether a file-based or JDBC-based ACL file is used. The common properties are discussed here. The properties specific to an ACL file type are discussed in more detail in file-based ACL and JDBC-based ACL.

Common Esrimap_prop properties

authenticate=False

This value must be set to True for authentication to work.

authMethods=Basic

Specifies the authentication method for transmitting the username and password from the client to the server. The two methods available are basic authentication and digest authentication.

Basic authentication uses base64-encoding to transmit the username and password from the client to the server. This means that anyone who can intercept the transmission can determine the username and password.

Digest is more secure and is the recommended value. It provides a higher level of security because the username and password are not transmitted over the Internet. Digest is required for publishing metadata to a Metadata Service.

authenticateWithSessions=True

Enables authentication with sessions. If set to True, and based on browser settings, session information may be stored in the form of a cookie by the browser. The duration of the session is the approximate time of the sessionTimeout property. If set to False, session information is not enabled.

sessionTimeout=120

Session duration in seconds. Used when authenticateWithSessions is set to True. Specifies the length of time to maintain a session between the client and Servlet Connector. If this property is omitted, the default value is 120 seconds. For most applications, the default value will be adequate.

realm=ArcIMS Network

Identifies what the username and password are being requested for. Generally it is useful to have the same realm name for Web sites using the same access control list. The realm name is given with the password prompt. If not specified, realm defaults to "ArcIMS Network".
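As an added example (not part of the ArcIMS documentation or the Servlet Connector itself), the following Python script parses an Esrimap_prop fragment and flags the common properties above that are left at the weak values the page describes. The two property-file contents are constructed for the example, and the one-hour sessionTimeout threshold is an assumption of this example, not a documented limit.

```python
# Constructed sample Esrimap_prop fragment (not a real site's file): the weak
# values the page warns about, with sessionTimeout omitted (defaults to 120 s).
WEAK_PROP = """\
authenticate=False
authMethods=Basic
authenticateWithSessions=True
realm=ArcIMS Network
"""

# The same fragment with the values the page recommends.
HARDENED_PROP = """\
authenticate=True
authMethods=Digest
authenticateWithSessions=True
sessionTimeout=120
realm=ArcIMS Network
"""


def parse_props(text):
    """Parse 'key=value' lines as used in the Servlet Connector property file.

    Blank lines and '#' comment lines are skipped; whitespace around the key
    and value is trimmed. Later duplicates of a key overwrite earlier ones.
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_props(text):
    """Return a list of findings for the common Esrimap_prop properties."""
    p = parse_props(text)
    findings = []
    # authenticate must be True, otherwise the ACL is never consulted.
    if p.get("authenticate", "False").lower() != "true":
        findings.append("authenticate is not True: the ACL is ignored and every request is processed")
    # Basic sends the username and password base64-encoded; anyone who can
    # intercept the request can decode them. Digest is the recommended value.
    if p.get("authMethods", "").lower() != "digest":
        findings.append("authMethods is not Digest: Basic exposes credentials to anyone intercepting the request")
    # sessionTimeout defaults to 120 seconds when omitted; the one-hour ceiling
    # below is this example's assumption, not a documented limit.
    try:
        timeout = int(p.get("sessionTimeout", "120"))
    except ValueError:
        timeout = -1
    if timeout < 0:
        findings.append("sessionTimeout is not a valid number of seconds")
    elif timeout > 3600:
        findings.append("sessionTimeout of %d s keeps authenticated sessions alive for over an hour" % timeout)
    return findings
```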
