Securing Web applications

Using the ArcGIS Server Manager, you can secure Web applications to allow access only to users who belong to specific roles.

You set permissions for a Web application by clicking its Permissions icon. This opens the Web Applications permissions dialog box, which is used to specify the roles that will be allowed access to the application.

ArcGIS Server provides two authentication schemes to secure your Web applications: the Java Enterprise Edition Container Authentication and ArcGIS Authentication.

Java Enterprise Edition Container Managed Authentication

The internal Java Enterprise Edition application container in which the Web application is deployed controls access by using a login control. The login control can be either Basic (the password travels as plain text over the wire) or Forms based (the container presents a Web page to accept user names and passwords). The Java Enterprise Edition application container authenticates the user against the credentials stored in the out-of-the-box Derby database and authorizes the user's access.

Note:

Java Enterprise Edition Container Managed Authentication for Web applications deployed in the internal application container is available only when the security store is configured to use the out-of-the-box default database.

ArcGIS Authentication

Here, the Web application exposes a Web page for users to log in to. The implementation looks up the user and role information in the configured security store and authenticates the user.

Note:
Special roles (Everyone, Anonymous, Authenticated) are not available while setting permissions on Web applications.

Exporting Secured Web Applications

Web applications created in the ArcGIS Web Manager can be exported into a .war file along with their security configurations. You can configure the Web application to use either the Java Enterprise Edition Container Managed Authentication or the ArcGIS Authentication.

The screen shot below shows the Web page for exporting a Web application with security configuration.

You begin enabling security on your Web application by checking the Enable Security check box. If you don't want to secure your Web application, you must leave this check box unchecked and proceed to export.

Manager populates the Role Name text box with all the roles that currently have permission to access this Web application. You can edit this comma-separated list to add or delete roles. Ideally, the list of roles should be kept synchronized between the development and production systems.

You then need to choose between Java Enterprise Edition Container Managed Authentication and ArcGIS Authentication.

Java Enterprise Edition Container Managed Authentication

Here, the list of allowed roles is written to the Web application's WEB.XML (deployment descriptor). The application container in which the Web application is deployed challenges the user using the chosen method (Basic, Forms, or DIGEST). The user and role information must be present in the application container's realm for authentication and authorization to work.

Note:
You need to configure your application container with an appropriate realm of users and roles. See the container documentation for how to set up a realm of users and roles.

ArcGIS Authentication

When using ArcGIS Authentication, the Web application will expose a Web page for users to log in to. You can configure the user and role store that the Web application will use to authenticate and authorize incoming requests.


11/18/2013