Common Security PassThrough

Purpose
This sample demonstrates how to pass the browser user's identity to the map service used in the Web application.
 
ArcGIS Server Manager (Manager) allows the creation of secure Web applications that require a login and secure geographic information system (GIS) services that require user credentials. The identity for the Web application is typically set separately from the identity for the GIS service used in the application. Usually, the identity for the GIS service is set at design time and is fixed for all users.
 
This sample, however, passes the end user's identity to the map service used in the application. If the end user is permitted for the map service, the map draws normally. If the user has not been granted permission, no map draws. Instead, a message displays noting that the user does not have access to the service.
 
This sample contains three Web applications for each language. Each application uses a different type of connection to the server, has a different location for user accounts, and has a different approach to logins.
 
You can install any one or all of the following applications (the <language> variable can be either CSharp or VBNet):
  • SecurityPassThrough_Forms_<language>—Uses an ArcGIS Server Internet connection to the map service. Users of this application are stored in a Microsoft SQL Server database or a custom location based on a custom .NET provider. Users log in to the application from a login form on a Web page (login.aspx). This approach can be used in applications made available over the Internet or on internal networks.



    This application stores the user's login information from the login page in the application's session. When the main page (default.aspx) loads, the application applies the login information to the identity for the map resource.
  • SecurityPassThrough_Win_<language>—Uses an ArcGIS Server local connection to the map service. Users of this application have Windows accounts on the local Web server or on the domain to which the server belongs. Users must also be members of the agsusers group on the server to view the map service. Users log in either through a pop-up login prompt or (in some cases) are automatically logged in. This approach is normally used for Web applications on internal networks.



    This application uses impersonation to set the identity of the application. This identity is set in the Global.asax file, so that impersonation is applied to all cases where a local connection to the GIS server is used. A local connection is made in both the Default.aspx page and the MapHandler, which serves map images to clients. The Global.asax Application_PreRequestHandlerExecute method performs impersonation for both cases. Impersonation is undone in the Application_EndRequest method, an important step for security reasons. Impersonation is done dynamically, rather than set in web.config, to improve security when using impersonation.
  • Common_SecurityPassThrough_WinInternet_<language>—Uses an ArcGIS Server Internet connection to the map service. Users of this application have Windows accounts on the local Web server or on the domain to which the server belongs. To view the map service, users must also be members of a role that has been permitted for the service in Manager. Users log in either through a pop-up login prompt or (in some cases) are automatically logged in. This approach is typically used for Web applications on internal networks and can be used as of version 9.3.1.



    This application uses impersonation to set the identity of the application. To show a different pattern, the impersonation is done in the ImpersonationModule.cs HttpModule. This module can easily be reused in other applications by adding it and the reference in the web.config, under the &lt;modules&gt; section. The Web application makes an Internet (Web service) connection to the GIS service. The identity value is removed from the MapResourceItem; instead, the Application Developer Framework (ADF) uses the current thread identity, which is the impersonated user's identity, to connect to the service.
The SecurityPassThrough_Forms_<language> and SecurityPassThrough_WinInternet_<language> applications require that security be enabled for services on the ArcGIS Server system. SecurityPassThrough_Forms_<language> requires that the location for users and roles be set to SQL Server or a custom provider. SecurityPassThrough_WinInternet_<language> requires that the users and roles be set to Windows users and groups. Because they require different user and role stores, SecurityPassThrough_Forms_<language> and SecurityPassThrough_WinInternet_<language> cannot be run on the same system without reconfiguring the user and role store location. For more information on configuring security for services, see the Internet security overview topic.

How to use

If the sample has associated data, you will find that the sample's zip file includes a "data" folder alongside the language folders. However, you will need to update the sample to point to the location of the data once you have extracted all the files.

At design time
  1. Verify that the Web ADF for the .NET Framework is installed and functioning properly. For information on installing and configuring the Web ADF, consult the installation guide.
  2. To use the SecurityPassThrough_Forms_<language> sample, use Manager to configure security. Set the user location to either SQL Server or a custom provider. Configure a service with permissions for roles so that a user in the system can access the service, while another user is not permitted to use the service. For more information, see the Internet security overview topic in the ArcGIS Server Help.
  3. To use the SecurityPassThrough_WinInternet_<language> sample, use Manager to configure security to Windows users and groups. Configure permissions for roles so that a user in the system can access the service, while another user is not permitted to use the service.
  4. In Windows Explorer, navigate to <ArcGIS Developer Kit install location>\Samples\ServerNET\Common_SecurityPassThrough.
  5. Open the folder of the language you're going to use—CSharp or VBNet—and copy the Common_SecurityPassThrough_<language> folder to c:\inetpub\wwwroot. The <language> variable can be either CSharp or VBNet.
  6. Open the IIS Manager from Control Panel > Administrative Tools > Internet Information Services (IIS) Manager or Internet Information Services.
  7. In the console tree view on the left, navigate to Local Computer > Web Sites > Default Web Site, expand Default Web Site to show the folders and applications in IIS, and set the Web site as an application in IIS Manager.
  8. Based on your operating system (OS), follow step 9 or 10 for each of the sample applications (SecurityPassThrough_Forms_<language>, SecurityPassThrough_Win_<language>, and SecurityPassThrough_WinInternet_<language>) extracted from the Zip file.
  9. If your OS is Windows XP, Server 2000, or Server 2003, right-click the sample application folder (SecurityPassThrough_Forms_<language>, SecurityPassThrough_Win_<language>), or SecurityPassThrough_WinInternet_<language>) and click Properties. The Properties dialog box opens. Click the Create button in the Application Settings section, then click OK to close the Properties dialog box. Repeat for the other application folders if you extracted multiple samples.
  10. If your OS is Windows Vista or Windows 7 or Windows Server 2008, right-click the sample application folder (SecurityPassThrough_Forms_<language>, SecurityPassThrough_Win_<language>), or SecurityPassThrough_WinInternet_<language>) and click Convert to Application. The Add Application dialog box opens. Click OK. Repeat this step for the other application folders if you extracted multiple samples.
  11. To use the SecurityPassThrough_Win_<language> or SecurityPassThrough_WinInternet_<language> application, set the authentication method in IIS Manager by following the steps in the Set authentication (Windows XP, Server 2000, or Server2003) or Set authentication (Windows Vista or Windows 7 or Windows Server 2008) section below (depending on your OS). If you select the Integrated Windows (or Windows) authentication option, users who access the application with Internet Explorer on a local network are automatically logged in without a login prompt. See ArcGIS Server Help for information on authentication methods, as well as the Impersonation and delegation with distributed installations section in the Additional information section below.
  12. Start Microsoft Visual Studio 2008 or 2010.
  13. To use the SecurityPassThrough_Forms_<language> sample application, see the Use SecurityPassThrough_Forms_<language> section below.
  14. To use the SecurityPassThrough_Win_<language> sample application, see the Use SecurityPassThrough_Win_<language> section below.
  15. To use the SecurityPassThrough_WinInternet_<language> sample application, see the Use SecurityPassThrough_WinInternet_<language> section below.

Set authentication (Windows XP, Server 2000, or Server2003)
  1. Right-click the SecurityPassThrough_Win_<language> or SecurityPassThrough_WinInternet_<language> application, and click Properties. The properties dialog box opens.
  2. Click the Directory Security tab, and click the Edit button in the Anonymous access and authentication control area. The Authentication Methods dialog box opens.
  3. Uncheck the Anonymous access check box, check one of the methods under Authenticated access, then click OK twice to close both dialog boxes.

Set authentication (Windows Vista or Windows 7 or Windows Server 2008)
  1. Click the SecurityPassThrough_Win_<language> or SecurityPassThrough_WinInternet_<language> application, and double-click the Authentication item on the right side of IIS Manager. The Authentication panel opens.
  2. Right-click Anonymous Authentication and click Disable.
  3. Enable at least one of the Basic, Digest, or Windows authentication options.

Use SecurityPassThrough_Forms_<language>
  1. Open the Common_SecurityPassThrough_<language><vs_version> solution (for example, Common_SecurityPassThrough_CSharp2008.sln) located in c:\inetpub\wwwroot\Common_SecurityPassThrough_<language>. The <vs_version> references the Visual Studio version of the solution, either 2008 or 2010.
  2. In Solution Explorer, expand the SecurityPassThrough_Forms_<language> Web site, right-click Default.aspx, and select Set As Start Page.
  3. Open the Default.aspx page in Design view, open the properties window for the MapResourceManager control, and click the ellipsis next to the ResourceItems property. The ResourceItem Collection Editor dialog box opens.
  4. Add or change the MapResourceItem to an ArcGIS Server map service available on your site using an ArcGIS Server Internet connection to the map service. This application will not function correctly with a local connection.
  5. Open the web.config file.
  6. From the Visual Studio menu, click File, click Open, click File, and open the c:\inetpub\wwwroot\ArcGIS\Security\web.config file.
  7. Copy and paste the <roleManager> and <membership> sections from the web.config file in the Security folder to the same location in the web.config file in the current application, and replace any existing sections of the same name. Copy the whole section, including closing tags (for example, </roleManager>).
  8. Copy the <connectionStrings> section if present. If you configured a custom provider for ArcGIS Server security, copy any custom settings, such as those in the <appSettings> section.
  9. Save the project.
  10. Click the Debug drop-down menu and click Start Debugging.
  11. Run the application by following the steps in the Run SecurityPassThrough_Forms_<language> section below.

Run SecurityPassThrough_Forms_<language>
  1. Browse to the viewer uniform resource locator (URL) (for example, http://localhost/Common_SecurityPassThrough_CSharp/SecurityPassThrough_Forms_CSharp). You are redirected to the login.aspx page.
  2. Enter a login for a user who is on the ArcGIS Server but who is not a member of a role permitted for the service. The user is logged in and the Default.aspx page opens. However, no map or TOC displays, and a note appears indicating that the user is not permitted for the service.
  3. Click Log Out. The application returns to the login page.
  4. Enter a login for a user who is in a role that is permitted for the service. The Default.aspx page opens, including the map and TOC. This confirms that the end user's identity was used to determine access to the map service.

Use SecurityPassThrough_Win_<language>
  1. Open the Common_SecurityPassThrough_<language><vs_version> solution (for example, Common_SecurityPassThrough_CSharp2008.sln) located in c:\inetpub\wwwroot\Common_SecurityPassThrough_<language>. The <vs_version> references the Visual Studio version of the solution, either 2008 or 2010.
  2. In Solution Explorer, right-click Default.aspx, and select Set As Start Page.
  3. Open the Default.aspx page in Design view, open the properties window for the MapResourceManager control, and click the ellipsis next to the ResourceItems property. The ResourceItem Collection Editor dialog box opens.
  4. Add or change the MapResourceItem to an ArcGIS Server map service available on your site using an ArcGIS Server local connection to the map service. This application will not function correctly with an ArcGIS Server Internet connection. Do not add an ArcGIS identity or otherwise set the identity of the application. The application will pass the browser user's identity to the map service.
  5. Save the project.
  6. Click the Debug drop-down menu and click Start Debugging.
  7. Run the application by following the steps in the Run SecurityPassThrough_Win_<language> section below.

Run SecurityPassThrough_Win_<language>
  1. Browse to the viewer URL (for example, http://localhost/Common_SecurityPassThrough_CSharp/SecurityPassThrough_Win_CSharp).
  2. If you're using Internet Explorer and are on the local network of the server, you are automatically logged into the site. Otherwise, log in at the pop-up command prompt.
  3. If your account is the agsusers group on the server, the map and TOC are displayed. If not permitted, a message indicating that the service may not be accessible is displayed. (The connection can also fail due to the service being down or network problems.)
  4. To see the opposite result from what you saw in the previous step, close and reopen a browser as a different user who is or is not in the agsusers group on the server. If you're using Internet Explorer, start the browser as a different user with the Runas command. In Windows XP or Server 2003, right-click a shortcut, click Runas, and enter another user's login. On Windows Vista or Windows 7 or Windows Server 2008, use Runas at the command line to start a browser, or download and install the ShellRunas utility from Microsoft.
  5. If no map draws and no error message displays, ensure that you are running the application through IIS (for example, http://localhost/Common_SecurityPassThrough_CSharp/SecurityPassThrough_Win_CSharp), rather than through the Visual Studio built-in server (a port number will appear in the URL when using the built-in server). The events in Global.asax do not occur properly with the built-in server, so the impersonation for the MapHandler is not performed correctly.

Use SecurityPassThrough_WinInternet_<language>
  1. Open the Common_SecurityPassThrough_<language><vs_version> solution (for example, Common_SecurityPassThrough_CSharp2008.sln) located in c:\inetpub\wwwroot\Common_SecurityPassThrough_<language>. The <vs_version> references the Visual Studio version of the solution, either 2008 or 2010.
  2. In Solution Explorer, right-click Default.aspx, and select Set As Start Page.
  3. Open the Default.aspx page in Design view, open the properties window for the MapResourceManager control, and click the ellipsis next to the ResourceItems property. The ResourceItem Collection Editor dialog box opens.
  4. Add or change the MapResourceItem to an ArcGIS Server map service available on your site using an ArcGIS Server Internet connection to the map service. This application will not function correctly with an ArcGIS Server local connection.
  5. Click the ellipsis button on the Identity line to add a login for a user who has permissions on a secured service, click the ellipsis button on the Resource line to select a secured service, then click OK to close the dialog box.
  6. Click the MapResourceManager control to select it, then switch to the Source view of the default.aspx page by clicking the Source tab at the bottom of the Visual Studio window. The MapResourceManager settings are highlighted.
  7. Find the Definition string for the map resource you added above, locate the Identity portion, and remove the encrypted string so that the Identity portion reads: Identity="".
  8. Save the project and all changes.
  9. Click the Debug drop-down menu and click Start Debugging.
  10. Run the application by following the steps in the Run SecurityPassThrough_WinInternet_<language> section below.

Run SecurityPassThrough_WinInternet_<language>
  1. Browse to the viewer URL (for example, http://localhost/Common_SecurityPassThrough_CSharp/SecurityPassThrough_WinInternet_CSharp).
  2. If you're using Internet Explorer and are on the local network of the server, you are automatically logged into the site. Otherwise, log in at the pop-up command prompt.
  3. If your account is a group that was permitted for the service in Manager, the map and TOC are displayed. If not permitted, a message indicating that the service may not be accessible is displayed. (The connection can also fail due to the service being down or network problems.)
  4. To see the opposite result from what you saw in the previous step, close and reopen a browser as a different user who is or is not in the permitted group for the service. If you're using Internet Explorer, start the browser as a different user with the Runas command. In Windows XP or Server 2003, right-click a shortcut, click Runas, and enter another user's login. On Windows Vista or Windows 7 or Windows Server 2008, use Runas at the command line to start a browser, or download and install the ShellRunas utility from Microsoft.

Additional information

Impersonation and delegation with distributed installations
If your Web server, ArcGIS Server server object manager (SOM), and server object container (SOC) are installed on different computers, you may encounter an issue with delegation when using this sample. For instance, assume the user is on computer A and connects to the Web application on computer B. The application on B impersonates the end user, which means the application takes on the identity of the user. The application then connects to the ArcGIS Server service (SOM or SOC) on machine C, but because of security restrictions, machine B is not allowed to use the remote user's identity when connecting to other machines. Machine B cannot use the correct credentials when connecting to machine C. Consequently, the application fails. This failure occurs if the authentication method on the Web application is set to Integrated Windows or Digest authentication. If the authentication method is Basic, the connection is successful because the server has access to the user's password. Although it is possible to configure delegation on the servers, this configuration is not supported because of the nature of the DCOM connection made to the SOM or SOC machine.


Common_SecurityPassThrough_CSharp\SecurityPassThrough_Forms_CSharp\Default.aspx User interface for the Web application.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_Forms_CSharp\Default.aspx.cs
(view code)
 Code behind the user interface.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_Forms_CSharp\Login.aspx User interface for the login page.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_Forms_CSharp\Login.aspx.cs
(view code)
 Code behind the login page.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_Win_CSharp\Default.aspx User interface for the Web application.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_Win_CSharp\Default.aspx.cs
(view code)
 Code behind the user interface.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_WinInternet_CSharp\Default.aspx User interface for the Web application.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_WinInternet_CSharp\Default.aspx.cs
(view code)
 Code behind the user interface.
Download the C# files
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Forms_VBNet\Default.aspx User interface for the Web application.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Forms_VBNet\Default.aspx.vb
(view code)
 Code behind the user interface.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Forms_VBNet\Login.aspx User interface for the login page.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Forms_VBNet\Login.aspx.vb
(view code)
 Code behind the login page.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Win_VBNet\Default.aspx User interface for the Web application.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Win_VBNet\Default.aspx.vb
(view code)
 Code behind the user interface.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_WinInternet_VBNet\Default.aspx User interface for the Web application.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_WinInternet_VBNet\Default.aspx.vb
(view code)
 Code behind the user interface.
Download the VB.NET files

Download the files for all languages

See Also:

Internet security overview
Microsoft ShellRunas utility