Internet security overview

ArcGIS Server enables you to secure your Web applications and Web services by using the Role Based Access Control (RBAC) security model. To configure and administer this security model, it is important to understand how the various components that make up this model interact with one another.

The following sections of this topic explain the ArcGIS Server security model in detail. Each section begins with an overview of a security component, then explains how the component fits into the security workflow.

Security model overview

This section provides a conceptual overview of the various functional components and how they fit into the security model.

The illustration below provides a visual overview of the ArcGIS Server security model.

Principal store

The principal store is a repository of ArcGIS Web service users and their associated roles. In the ArcGIS Server Role Based Access Control system, users are not assigned permissions to an ArcGIS Web service directly. Instead, the privilege to access a certain Web service is assigned to a specific role. ArcGIS Web service users are assigned one or more roles and through those role assignments acquire the permissions to access a particular Web service. Each user acquires the privileges of all the roles that have been assigned to him/her.

ArcGIS Server can work with a variety of stores to maintain user and role information. You can use a relational database (for example, Microsoft SQL Server or MySQL) or a directory server (for example, LDAP or Microsoft's Active Directory). You can also configure ArcGIS Server security to access existing users and roles from a proprietary store by developing custom extensions (using the ArcGIS principal store API) and setting it up so that ArcGIS Server Manager will connect to your proprietary store through your extension.

The token service will connect to the configured principal store for user authentication. The service handlers (for example, REST and Web service handlers) will also look up the principal store for role information associated with a user. Using Manager, you can manage user and role information in your stores.

For more information on how to configure and use the principal store, see Overview of configuring the security store.

For more information on how to write extensions using the principal store API, see Extending the principal store.

Permission store

The permission store is a repository of privileges that have been assigned to the roles. It stores information regarding the list of ArcGIS services that are accessible to a particular role.

The permission store is maintained by the server object manager (SOM). You don't have to explicitly configure and maintain it. The permission store also exposes an API that gives developers access to it.

For more information on how to set up permissions on your ArcGIS Web services and applications, see Securing Web services and Securing Web applications.

Authentication schemes

When the GIS server has secured its published Web resources, any Web client that wishes to consume these resources must provide valid credentials while accessing the resource. ArcGIS Server supports two different authentication schemes to validate user credentials.

Authentication schemes for Web services

ArcGIS Managed Authentication based on tokens

Web clients must provide a token when they want to access an ArcGIS Web service that has been secured using ArcGIS Managed Authentication. Tokens can be acquired from a token service installed by ArcGIS Server. Each token represents the identity of the user. The service handlers are updated to process this token and authenticate the client user.

Clients like ArcCatalog or Web applications built using Manager are capable of seamlessly consuming ArcGIS Web services that have been secured using ArcGIS Managed Authentication. You don't need to explicitly get tokens from a token service when working with these clients.

JavaScript clients powered by the REST API can also seamlessly consume secured services.

For more information on working with tokens, see Tokens and token services.

Java Enterprise Edition Container Managed Authentication

Web clients attempting to consume an ArcGIS Web service that has been secured using Java Enterprise Edition Container Managed Authentication will be challenged by the Web container to provide authentication credentials.

Here, the service handlers (for example, REST and Web service handlers) are secured by the Web container in which they are deployed. Most Web containers support different authentication schemes such as BASIC, DIGEST, client certificates, and so on.

Authentication schemes for Web applications

ArcGIS Managed Authentication based on login control

A Web application that has been secured using this authentication mechanism will display an HTML login page when you attempt to access the application. Once you have entered your credentials, the login control will validate the information provided with the user credentials in the principal store that has been configured for the application. You will be granted access to this application only if you belong to a role that has been given permission to access this application by the GIS administrator.

For more information on how to secure Web applications, see Securing Web applications.

Java Enterprise Edition Container Managed Authentication

In this case, the Web container in which the application is deployed will challenge you for your credentials. The container will then authenticate your credentials with the user information in its configured realm and authorize your access.

You need to explicitly set up your Web container with an appropriate realm that contains user and role information.

For more information on how to secure Web applications, see Securing Web applications.

Token service

To seamlessly support scripting clients, ArcGIS Server uses token-based access to secured ArcGIS Web services. Tokens encapsulate the identity of a particular requesting principal (user) and are granted by a token service that is installed as a part of ArcGIS Server.

The token service will communicate with the configured principal store to authenticate incoming requests for tokens. ArcGIS Server is capable of deciphering these tokens and granting role-based access to requested resources.

The token service is a part of the ArcGIS managed authentication for securing ArcGIS Web services.

Tokens can be requested by using the token service URL or by using the Web page. JavaScript application developers need to fetch a token and use it in their applications that are consuming a secured ArcGIS Web service.

For more information on working with tokens, see Tokens and token services.
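
The workflow described in the sections above, as an added conceptual model that is not ArcGIS Server code: a token service authenticates against a principal store, and a service handler verifies the token, looks up the user's roles in the principal store, and consults the permission store. The HMAC-signed token format, every function name, and the sample users, roles and services are assumptions made for illustration; this page does not describe the real token format.

```python
import base64, hashlib, hmac, json, os, time

SECRET = os.urandom(32)   # signing key shared by token service and handlers (assumption)
SALT = b"constructed-salt"

def _pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Principal store: users, credentials and role assignments (constructed sample data).
PRINCIPALS = {
    "alice": {"pw": _pw("alice-pass"), "roles": {"planners", "editors"}},
    "bob":   {"pw": _pw("bob-pass"),   "roles": {"viewers"}},
}
# Permission store: service -> roles allowed to access it (constructed sample data).
PERMISSIONS = {
    "Parcels/MapServer": {"planners"},
    "Basemap/MapServer": {"viewers", "editors"},
}

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(user, password, ttl=60, now=None):
    """Token service: authenticate against the principal store, return a signed token."""
    entry = PRINCIPALS.get(user)
    if entry is None or not hmac.compare_digest(entry["pw"], _pw(password)):
        return None
    now = time.time() if now is None else now
    claims = json.dumps({"sub": user, "exp": now + ttl}).encode()
    payload = base64.urlsafe_b64encode(claims)
    return payload.decode() + "." + _sign(payload)

def authorize(token, service, now=None):
    """Service handler: verify the token, look up roles, check the permission store."""
    try:
        payload, sig = token.rsplit(".", 1)
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return False                      # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (AttributeError, TypeError, ValueError):
        return False                          # missing or malformed token
    now = time.time() if now is None else now
    if claims["exp"] < now:
        return False                          # expired token
    # Roles are read from the principal store at request time, not from the token,
    # so a role change takes effect on the next request.
    roles = PRINCIPALS.get(claims["sub"], {}).get("roles", set())
    # A user holds the privileges of all assigned roles; unknown services are denied.
    return bool(roles & PERMISSIONS.get(service, set()))
```

In this model the token carries only the user's identity and an expiry, so revoking a role in the principal store denies access even while a previously issued token is still valid.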

Security for ArcGIS Web services

ArcGIS Web services are secured using a role-based access control mechanism. You can set permissions on services using Manager. When security is enabled on the GIS server, only those users belonging to roles that have permissions to access the GIS services will be granted access.

To secure your ArcGIS Web services, you have a choice of authentication schemes between the ArcGIS Managed Authentication based on tokens and the Java Enterprise Edition Container Managed Authentication (described above).

For more information on how to secure Web applications, see Securing Web applications.

Security for Web applications

Web applications created in Manager can be secured by using the ArcGIS Managed Authentication or by using Java Enterprise Edition Container Managed Authentication (described above).

You can grant a particular set of roles permission to access the Web application. Only users belonging to these roles will be allowed access to the application.

For more information on how to secure Web applications, see Securing Web applications.


11/18/2013