Securing Web applications

You can use Manager to restrict access to ArcGIS Server Web applications. When you enable security on an application, only users in permitted roles can access the application.

Before you set security on applications, be sure that you've set up your user and role stores and that you've added at least one user and one role. For instructions, see Overview of setting up users and roles.

To set rules on who can access a Web application, follow these steps:

1. Click the Applications tab in Manager to see a list of Web applications on your server.
2. Find the Web application for which you want to set security rules and click the Permissions (lock) icon. A Permissions dialog box appears that allows you to
   • Enable security for the application. If this box is unchecked, the other settings on the dialog box will be unavailable. If you uncheck this box, no restrictions will be applied for access to the application.
   • Permit a role to access the application. To add a role, choose the role from the available roles list on the left side. Then click Add to add the role to the permitted roles list.
   • Remove roles from the permissions list by selecting them and clicking Remove. The role will move to the available roles list. (Note: If the role has been deleted or is not present in the current role store, it will not be shown when the Permissions dialog box is re-opened.)
3. Once you have configured permissions, click Save to save the changes to the application's security. Click Cancel to abandon any changes to permissions for the application.
4. Only if the users of your ArcGIS Server are Windows users: enable at least one authentication method in the Internet Information Services Web server. See the next section for instructions.
5. If the users of your ArcGIS Server are in SQL Server or a custom provider, OR are Windows users and you enabled Basic authentication in the previous step: require that the application be used with https (SSL). This is essential to protect the transmission of passwords when users log in to your application.

Enabling authentication methods for the application

This section only applies if the users of your ArcGIS Server instance are Windows users. In this case, the user's identity must be verified by the IIS Web server. In order for IIS to be able to authenticate the user, at least one authentication method must be enabled for the secured Web application.

Your installation of IIS may already have one or more authentication methods enabled by default. But you should verify that at least one authentication method is enabled. If no authentication method is enabled, then users will be denied access to the Web application.

To set the authentication methods for the Web application on Windows XP or Server 2003:

1. Open IIS Manager from Start > Settings > Control Panel > Administrative Tools > Internet Information Services.
2. Navigate in the local computer's Web Sites to the Web site you secured in Manager (typically in the Default Web Site).
3. Right-click on the Web application folder and click Properties. The application's Properties dialog opens.
4. Click the Directory Security tab. Under Anonymous access and authentication control, click Edit... This opens the Authentication Methods dialog.
5. Check at least one of the methods under Authenticated access. See below for more information on authentication methods.

To set the authentication methods for the Web application on Windows Vista or Server 2008:

1. Open IIS Manager from Start > Settings > Control Panel > Administrative Tools > Internet Information Services Manager.
2. Expand the Sites node to the Web site you secured in Manager (typically in the Default Web Site), and expand the site to view Web applications.
3. Left-click on the Web application you want to secure to display its property links on the right side of IIS Manager.
4. Double-click on the Authentication item under the IIS group. This displays the authentication methods list for the application.
5. In the list of authentication methods, right-click on Anonymous Authentication, and in the context menu, click Disable.
6. Enable at least one of the other authentication methods. See below for more information on authentication methods.

For more information on authentication methods, see Choosing an authentication method in this Help. Also see IIS documentation and other resources such as the MSDN page Authentication Methods Supported in IIS 6.0.

Authentication and authorization in web.config

ASP.NET stores security information for a Web application in its web.config file (users and roles are usually stored separately, in providers specified in the web.config file). Manager uses this approach for authorization for Web application (though not for GIS Web services; see Securing Internet connections to services). You can view this information, but if you change it, Manager may no longer be able to manage security for your application.

Permission rules for Web applications are stored in the standard authorization format for ASP.NET applications. The rules are stored in the web.config file within the standard <authorization> element.

If you edit authorization rules in web.config, either manually or with the Web Site Administration Tool (WSAT), you should follow these guidelines:

• Use only <allow> rules. Manager does not use <deny> rules, except for the deny all users rule at the bottom of the rules list.
• Add only roles to rules. Manager does not support adding individual user accounts to rules.
• Add only a single role to any allow element. For example, the following rule should not be used:

  <allow users="Admins, Planning" />
  

  Instead, create two equivalent rules:

  <allow users="Admins" />
  <allow users="Planning" />
  

• Do not remove or edit the <deny users="all" /> rule. This rule must be last in the list.
• The order of rules does not matter, since only allow rules are used. The exception is that the deny all users rule must appear last in the list.

If these guidelines are not followed and you later edit security with Manager, the access rules in web.config can be incorrectly read and might be overwritten. If you do not intend to use Manager to configure security for the Web application, then you can, of course, use any valid ASP.NET authorization configuration desired.

Using the Web Site Administration Tool

The security configuration for Web applications created in Manager is compatible with the Web Site Administration Tool (WSAT). WSAT is a Microsoft utility that allows you to manage users and roles and configure access rules for Web applications. You can access WSAT from Visual Studio 2005.

WSAT allows you to choose between two forms of authentication: Windows ("From the Internet") and Forms ("From a local network"). If you change the authentication type in WSAT after Manager has created its security configuration, it may not be possible to edit application security in Manager. If that occurs, you must continue to use WSAT to manage security, or edit the web.config file directly.

The location of users and roles is specified by the authentication type and by the provider configuration. You can view the configuration in WSAT, but if you change it, Manager may not be able to manage security.

See the previous section Authentication and authorization in the web.config for guidelines for editing the authorization rules.