Securing Web Applications
Release 9.3
At 9.3, you can secure web applications using Manager. This login-level security allows access only to those users who belong to roles that have permission to the web application.
You set permissions on a web application by clicking the 'Web Application Permissions' icon on that web application. This opens a dialog in which you configure the roles you want to grant access to the application.
ArcGIS Server at 9.3 provides two authentication schemes for securing your web applications, namely Java EE Container Managed Authentication and ArcGIS Authentication.
Java EE Container Managed Authentication
The internal Java EE application container in which the web application is deployed provides the login control. The login control can be either 'Basic' (the password is sent as plain text over the wire) or 'Forms' based (the container uses a web page to accept user names and passwords). In either case, the internal container authenticates the user and authorizes the user's access by communicating with the default database.
Note: Java EE Container Managed Authentication for web applications deployed in the internal application container is available only when the Security Store is configured to use the default database. This is because the internal application container is hooked up to the default database.
ArcGIS Authentication
Here, the web application exposes a web page for users to log in to. The implementation looks up the user and role information from the configured Security Store and authenticates and authorizes the user.
The screenshot below shows the dialog for applying permissions on the web application.
At 9.3, web applications created in Manager can be exported (as a .WAR file) along with their security configuration. You can configure the exported web application to use either Java EE Container Managed Authentication or ArcGIS Authentication.
The screenshot below shows the web page for exporting a web application with its security configuration.
You begin enabling security on your web application by checking the 'Enable Security' checkbox. If you do not want to secure your web application, leave this checkbox unchecked and proceed to export.
Manager populates the 'Role Name' text box with all the roles that currently have permission to access this web application. You can edit this comma-separated list to add or delete roles. Ideally, the list of roles should be kept synchronized between the development and production systems.
You then need to choose between Java EE Container Managed Authentication and ArcGIS Authentication.
Java EE Container Managed Authentication
Here, the list of allowed roles is written to the web application's web.xml (deployment descriptor). The application container in which the web application is deployed challenges the user according to the chosen method (Basic, Forms or Digest). The user and role information must be present in the application container's realm for authentication and authorization to work.
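As an added illustration (not code from Manager or from this documentation), the script below parses a constructed web.xml of the shape a servlet container expects, reports the roles the container will admit and the login method it will challenge with, and flags two things a deployer would want to catch before moving the .WAR to production: role drift against the agreed role list, and Basic login without a CONFIDENTIAL transport guarantee (the role names and URL pattern are invented).

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; role names and realm name are illustrative only.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>planners</role-name>
      <role-name>editors</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Sample Web Application</realm-name>
  </login-config>
  <security-role><role-name>planners</role-name></security-role>
  <security-role><role-name>editors</role-name></security-role>
</web-app>"""

NS = {"ee": "http://java.sun.com/xml/ns/javaee"}  # Java EE 5 descriptor namespace

def allowed_roles(web_xml):
    """Roles named in auth-constraint elements: who the container will let in."""
    root = ET.fromstring(web_xml)
    return sorted({r.text.strip() for r in root.findall(".//ee:auth-constraint/ee:role-name", NS)})

def auth_method(web_xml):
    """Login challenge the container will use (BASIC, FORM or DIGEST), or None."""
    node = ET.fromstring(web_xml).find("ee:login-config/ee:auth-method", NS)
    return node.text.strip().upper() if node is not None else None

def transport_guarantees(web_xml):
    """transport-guarantee values declared on security constraints."""
    root = ET.fromstring(web_xml)
    return {g.text.strip() for g in root.findall(".//ee:user-data-constraint/ee:transport-guarantee", NS)}

def findings(web_xml, expected_roles):
    """Review findings: role drift vs. the expected list, and clear-text Basic login."""
    out = []
    roles, expected = set(allowed_roles(web_xml)), set(expected_roles)
    if roles != expected:
        out.append(f"role drift: extra={sorted(roles - expected)} missing={sorted(expected - roles)}")
    if auth_method(web_xml) == "BASIC" and "CONFIDENTIAL" not in transport_guarantees(web_xml):
        out.append("BASIC auth sends passwords in plain text; no CONFIDENTIAL transport guarantee")
    return out

if __name__ == "__main__":
    for line in findings(SAMPLE_WEB_XML, ["planners", "viewers"]):
        print(line)
```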
ArcGIS Authentication
Here, the web application exposes a web page for users to log in to. You configure the user and role store that the web application uses to authenticate and authorize incoming requests.