Enabling authentication with a JDBC-based ACL
Related Topics

Restricting access to ArcIMS services

ACL attribute reference

Enabling authentication with a file-based ACL

About enabling authentication with a JDBC-based ACL

You can restrict services by storing permissions in a JDBC-based set of data tables. Before setting up these tables, see Restricting access to ArcIMS services for an overview of authentication.

ArcIMS relies on JDBC drivers to connect to a relational database. On the Windows platform, Open DataBase Connectivity (ODBC) is a common, freely available way to access databases. You can reach an ODBC data source through the JDBC-ODBC Bridge, which lets Java programs such as the ArcIMS Servlet Connector use JDBC with many ODBC drivers. Microsoft Access and SQL Server are common choices.

All platforms support a direct JDBC connection to a database. The required drivers can be found at the corresponding software manufacturer support sites. When using these drivers, ensure that the driver is available in the servlet engine's common library directory (common/lib). Typically, a set of JAR files associated with the JDBC drivers needs to be copied into this directory.

The procedure for setting up authentication using a JDBC-based ACL is:

  1. Edit the property file for the connector you are using. If you are using the Servlet Connector, you must edit Esrimap_prop. Applications that use the Servlet Connector include the HTML and Java Viewers, ArcExplorer-Java, ArcMap, and ArcPad. If you have a Web application that uses the Java Connector, you must edit authenticate.properties. This includes Metadata Explorer and other custom applications that use the Java Connector.
  2. Set up the database for storing ACL information.

When the JDBC-ODBC Bridge is used to implement ArcIMS authentication against an Oracle or SQL Server database, a JDBC-ODBC connection that loses its physical connection (for example, because the database is taken offline for a backup) cannot be restored without restarting the servlet engine.

How to set up a JDBC-based ACL

Setting up a JDBC-based ACL

  1. Author your map file and design your Web site.

    Create your configuration file (AXL) and then design the look of the Web site with Designer. Note: Designer is not able to access restricted services; thus, you should design your Web site before restricting access to a service.

  2. Edit general properties in Esrimap_prop if you are using the Servlet Connector.

    Locate Esrimap_prop installed in your Web server's servlet directory and edit it with a text editor. See Common servlet engine file locations for a list of common Web servers and their servlet directory location.

    Note: ArcIMS installs a backup copy of all the files that comprise the Servlet Connector in \Connectors\Servlet on Windows or /Middleware/Servlet_Connector on UNIX and Linux. You should not edit the Esrimap_prop file at this location because it will have no impact on the operation of the Servlet Connector.

    Set the properties as shown below. You can set many of these properties by removing the comment character (#) before them. The properties are case sensitive but the values assigned to the properties are not case sensitive. The following values are recommended.

    enable=True
    authenticate=True
    authMethods=Digest
    authenticateWithSessions=True
    sessionTimeout=120
    realm=ArcIMS Network

  3. Edit JDBC properties in Esrimap_prop or authenticate.properties.

    If you have a Web application that uses the Java Connector, you must edit authenticate.properties instead of Esrimap_prop. The authenticate.properties file is located in the Web application's WEB-INF/classes directory.

    Set the common properties as shown below for either Esrimap_prop or authenticate.properties.

    useJdbc=True
    JdbcDriver=<name of the JDBC driver>
    • On Windows, if you are using a database with a JDBC-ODBC Bridge, the value is sun.jdbc.odbc.JdbcOdbcDriver
    JdbcUrl=<url>
    • Microsoft Access and SQL Server example when using a JDBC-ODBC Bridge and the data source name is "arcims_acl" - JdbcUrl=jdbc:odbc:arcims_acl
    • SQL Server example - JdbcUrl=jdbc:microsoft:sqlserver://servername:1433
    • DBF example - JdbcUrl=jdbc:DBF:/C:/arcims/middleware/secureesrimap
    • Oracle example - JdbcUrl=jdbc:oracle:oci8:@s2315.mymachine.com
    JdbcUser=<database username>
    • For Microsoft Access, a username is not required.
    JdbcPassword=<database username's password>
    • For Microsoft Access, a password is not required.
    JdbcUserTable=<database table name>
    • Recommended value - acl_users
    JdbcPermTable=<database table name>
    • Recommended value - acl_permissions
    JdbcUidColumn=<database table column name>
    • Recommended value - userid

  4. Save Esrimap_prop or authenticate.properties.
  5. Create an empty database.

    If you are using Microsoft Access, you should place the file on the same machine as the Servlet or Java Connector, depending on which connector you are using.

    If you are using SQL Server, start Enterprise Manager/Management Studio and create a new database named "ArcIMS_ACL".

  6. Create a user table named acl_users in the relational database.

    The name of the table should be the same as the name you specified for JdbcUserTable, and "acl_users" is the recommended value. This table contains the list of usernames and passwords for the services. It also contains a unique user ID that ArcIMS will use to relate this table to the permissions table. The table should contain the following columns:

    Column name | Datatype (width) | Microsoft Access database types
    ----------- | ---------------- | -------------------------------
    userid      | number (32)      | Data type "Number", Field size "Long Integer", Format "General Number", Decimal Places "0"
    username    | varchar (64)     | Data type "Text", Field size "64"
    password    | varchar (64)     | Data type "Text", Field size "64"

    For added flexibility, you can name the user ID column anything you want, as long as it's the same name you specified for JdbcUidColumn. The recommended value is "userid". The other two columns should be named "username" and "password".

  7. Add records to the user table in the relational database.

    Populate the user table with usernames and passwords. Make sure the userid is unique. You can use an asterisk (*) to indicate services that all clients can access without entering a username and password.

    userid | username | password
    ------ | -------- | ----------
    1      | myuser   | mypassword
    2      | aUser    | aPassword

  8. Create a permissions table named acl_permissions in the relational database.

    The name of this table should be the same as the name you specified for JdbcPermTable, and the recommended value is "acl_permissions". This table associates each Service with one or more usernames and passwords and contains the following columns:

    Column name | Datatype (width)                        | Microsoft Access database types
    ----------- | --------------------------------------- | -------------------------------
    userid      | number (32)                             | Data type "Number", Field size "Long Integer", Format "General Number", Decimal Places "0"
    service     | varchar (64)                            | Data type "Text", Field size "64"
    active      | number (32)                             | Data type "Number", Field size "Long Integer", Format "General Number", Decimal Places "0"
    expiration  | date (format 'MM/DD/YYYY HH:MM:SS')     | Data type "Date/Time", Format "General date"
    tclients    | varchar (1024)                          | Data type "Memo"
    ftags       | varchar (1024)                          | Data type "Memo"
    roles       | varchar (1024)                          | Data type "Memo"

    The user ID column name should match the name you specified in the user table and for JdbcUidColumn. The other columns should be named as shown above.

    For a complete description of all columns, see the ACL attribute reference.

  9. Add records to the permissions table in the relational database.

    Populate the permissions table with the user ID, service names, and active state. Each record may contain only one service name. The user ID relates the service to the username and password. You can enter additional records with the same user ID to associate more than one service with a particular username and password. The table below shows a basic configuration of the permissions table.

    userid | service      | active | expiration | tclients | ftags        | roles
    ------ | ------------ | ------ | ---------- | -------- | ------------ | ------------------
    1      | SanFrancisco | 1      |            |          |              |
    2      | Map1         | 1      |            |          | GET_FEATURES | metadata_browser
    2      | Map2         | 1      |            |          |              | metadata_publisher

    You can optionally fill in the other columns to add additional restrictions on the service. For example, you might add an expiration date (10/16/2001 11:24:30), a comma-separated list of trusted clients by IP address (198.102.62.1,198.102.62.22) and a comma-separated list of forbidden tags (GET_GEOCODE,GET_EXTRACT).
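    As an added illustration (not part of the ArcIMS documentation), the following T-SQL creates the two tables from steps 6 and 8 with the recommended names, loads the sample rows from steps 7 and 9, and shows how the userid column relates a user to its service grants. It assumes the SQL Server database "ArcIMS_ACL" from step 5; the final query is only a demonstration of the table relationship, not ArcIMS's own lookup logic.

```sql
-- Added example: schema for the JDBC-based ACL tables (assumes SQL Server
-- and the recommended names acl_users, acl_permissions and userid).
USE ArcIMS_ACL;
GO

CREATE TABLE acl_users (
    userid   INT         NOT NULL PRIMARY KEY,   -- column named in JdbcUidColumn
    username VARCHAR(64) NOT NULL,
    password VARCHAR(64) NULL                    -- may be empty for public (*) users
);

CREATE TABLE acl_permissions (
    userid     INT           NOT NULL REFERENCES acl_users(userid),
    service    VARCHAR(64)   NOT NULL,           -- exactly one service per record
    active     INT           NOT NULL,           -- 1 = grant is in force
    expiration DATETIME      NULL,               -- optional cut-off date and time
    tclients   VARCHAR(1024) NULL,               -- comma-separated trusted client IPs
    ftags      VARCHAR(1024) NULL,               -- comma-separated forbidden request tags
    roles      VARCHAR(1024) NULL
);

-- Constructed sample data mirroring the rows shown in steps 7 and 9.
INSERT INTO acl_users (userid, username, password) VALUES
    (1, 'myuser', 'mypassword'),
    (2, 'aUser',  'aPassword');

INSERT INTO acl_permissions
    (userid, service, active, expiration, tclients, ftags, roles)
VALUES
    (1, 'SanFrancisco', 1, '2001-10-16T11:24:30',
        '198.102.62.1,198.102.62.22', 'GET_GEOCODE,GET_EXTRACT', NULL),
    (2, 'Map1', 1, NULL, NULL, 'GET_FEATURES', 'metadata_browser'),
    (2, 'Map2', 1, NULL, NULL, NULL,           'metadata_publisher');

-- Which services does "aUser" currently hold an active, unexpired grant for?
-- The join on userid is the relationship the two tables are built around.
SELECT p.service, p.ftags, p.roles
FROM acl_users u
JOIN acl_permissions p ON p.userid = u.userid
WHERE u.username = 'aUser'
  AND p.active = 1
  AND (p.expiration IS NULL OR p.expiration > GETDATE());
```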

  10. If you are using an Access database with a JDBC-ODBC Bridge, follow these steps. Otherwise, skip this step.
    • Start the ODBC Administrator on the same machine where the ArcIMS Servlet Connector is installed. Click Start > Settings > Control Panel > Administrative Tools > Data Sources (ODBC).
    • In the ODBC Administrator dialog box, select the tab 'System DSN' (Data Source Name) and click Add.
    • Select Microsoft Access Driver and click Finish.
    • A setup dialog box for a new system DSN should appear. Enter the Data Source Name: 'arcims_acl' and click Select in the 'Database' section of the dialog box. Navigate to your Microsoft Access database file created in Step 5.
    • Click OK and confirm that 'arcims_acl' system DSN was added to the ODBC Administrator.
  11. If you are using SQL Server with a JDBC-ODBC Bridge, follow these steps. Otherwise, skip this step.
    • Start the ODBC Administrator on the same machine where the ArcIMS Servlet Connector is installed. Click Start > Settings > Control Panel > Administrative Tools > Data Sources (ODBC).
    • In the ODBC Administrator dialog box, select the tab 'System DSN' (Data Source Name) and click Add.
    • Select SQL Server and click Finish.
    • In the setup dialog box, enter the name 'arcims_acl' and the information required to connect to your SQL Server instance. Select the SQL Server authentication and put in the username and password of the user required to connect to SQL Server.
    • Select your SQL Server database created in Step 5.
    • Confirm that the connection was added to the 'System DSN' tab in the ODBC Administrator.
  12. If you are using Windows and Internet Information Server (IIS), you need to configure IIS for authentication.
    • On the taskbar, click Start > Settings > Control Panel > Administrative Tools > Internet Services Manager.
    • In the left panel, double-click the machine name to expand the tree.
    • Double-click Default Web Site.
    • If you're running ServletExec or JRun as your servlet engine, double-click Scripts. If you're running Tomcat, double-click Jakarta.
    • In the right panel, right-click ServletExec_ISAPI.dll, jrun.dll or isapi_redirect.dll (for ServletExec, JRun, and Tomcat respectively) and click Properties.
    • Click the File Security tab.
    • Click Edit for Anonymous access and authentication control.
    • Uncheck both Integrated Windows authentication and Digest authentication. Click OK.

    Note: Windows XP users may find Digest authentication turned on, but grayed out and unable to be deactivated. In this case, contact ESRI technical support.

  13. Stop and start the servlet engine. If the servlet engine is native to the Web server, stop and start the Web server. This allows your edits to take effect.



Search code: @security_jdbc_acl