Securing Web applications
Release 9.3.1
You can use Manager to restrict access to ArcGIS Server Web applications. When you enable security on an application, only users in permitted roles can access the application.
Before you set security on applications, be sure that you've set up your user and role stores and that you've added at least one user and one role. For instructions, see Overview of setting up users and roles.
To set rules on who can access a Web application, follow these steps:
This section only applies if the users of your ArcGIS Server instance are Windows users. In this case, the user's identity must be verified by the IIS Web server. In order for IIS to be able to authenticate the user, at least one authentication method must be enabled for the secured Web application.
Your installation of IIS may already have one or more authentication methods enabled by default. But you should verify that at least one authentication method is enabled. If no authentication method is enabled, then users will be denied access to the Web application.
To set the authentication methods for the Web application on Windows XP or Server 2003:
To set the authentication methods for the Web application on Windows Vista or Server 2008:
For more information on authentication methods, see Choosing an authentication method in this Help. Also see IIS documentation and other resources such as the MSDN page Authentication Methods Supported in IIS 6.0.
ASP.NET stores security information for a Web application in its web.config file (users and roles are usually stored separately, in providers specified in the web.config file). Manager uses this approach to handle authorization for Web applications (though not for GIS Web services; see Securing Internet connections to services). You can view this information, but if you change it, Manager may no longer be able to manage security for your application.
Permission rules for Web applications are stored in the standard authorization format for ASP.NET applications. The rules are stored in the web.config file within the standard <authorization> element.
If you edit authorization rules in web.config, either manually or with the Web Site Administration Tool (WSAT), you should follow these guidelines:
<allow users="Admins, Planning" />
Instead, create two equivalent rules:
<allow users="Admins" />
<allow users="Planning" />
If these guidelines are not followed and you later edit security with Manager, the access rules in web.config can be incorrectly read and might be overwritten. If you do not intend to use Manager to configure security for the Web application, then you can, of course, use any valid ASP.NET authorization configuration desired.
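One way to check a web.config for the comma-separated rule form shown above before handing the application back to Manager. This is an added example, not code from ArcGIS Server or this Help; the sample configuration is constructed and the function name is hypothetical. It goes slightly beyond the single case in the text by also checking the standard roles attribute and rules nested under <location> elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config: two rules list several names in one attribute.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="Admins, Planning" />
      <allow users="Editors" />
      <deny users="*" />
    </authorization>
  </system.web>
  <location path="reports">
    <system.web>
      <authorization>
        <deny users="Guests,Contractors" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

PRINCIPAL_ATTRS = ("users", "roles")  # standard attributes on <allow>/<deny>


def find_multi_name_rules(config_xml):
    """Return (scope, original_rule, split_rules) for each rule naming several principals."""
    root = ET.fromstring(config_xml)
    findings = []
    # Application-level rules plus rules nested under <location path="..."> elements.
    scopes = [("(application root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    for scope, node in scopes:
        for auth in node.findall("system.web/authorization"):
            for rule in auth:
                if rule.tag not in ("allow", "deny"):
                    continue
                for attr in PRINCIPAL_ATTRS:
                    names = [n.strip() for n in rule.get(attr, "").split(",") if n.strip()]
                    if len(names) > 1:
                        original = '<%s %s="%s" />' % (rule.tag, attr, rule.get(attr))
                        split = ['<%s %s="%s" />' % (rule.tag, attr, n) for n in names]
                        findings.append((scope, original, split))
    return findings


if __name__ == "__main__":
    for scope, original, split in find_multi_name_rules(SAMPLE_WEB_CONFIG):
        print("%s: %s -> %s" % (scope, original, " ".join(split)))
```

The split rules are emitted in the same order as the names in the original attribute, so they can replace the original rule in place without changing rule order within <authorization>.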
The security configuration for Web applications created in Manager is compatible with the Web Site Administration Tool (WSAT). WSAT is a Microsoft utility that allows you to manage users and roles and configure access rules for Web applications. You can access WSAT from Visual Studio 2005.
WSAT allows you to choose between two forms of authentication: Windows ("From the Internet") and Forms ("From a local network"). If you change the authentication type in WSAT after Manager has created its security configuration, it may not be possible to edit application security in Manager. If that occurs, you must continue to use WSAT to manage security, or edit the web.config file directly.
The location of users and roles is specified by the authentication type and by the provider configuration. You can view the configuration in WSAT, but if you change it, Manager may not be able to manage security.
See the previous section Authentication and authorization in the web.config for guidelines for editing the authorization rules.