Secure services

ArcGIS for SharePoint provides two sample proxy pages that you may use to handle communication with the ArcGIS Server services you use in the Map Web Part. A proxy page consists of server-side code that runs on your Web server. The browser sends the request to your proxy, and your proxy in turn forwards the request to the ArcGIS Server service. The first proxy page, SharePointProxy.ashx, is intended for use while configuring and testing the ArcGIS for SharePoint Map Web Part. The second proxy page, Proxy.ashx, is intended for deployed SharePoint sites that incorporate the Map Web Part as it is more secure than the SharePointProxy.ashx.

SharePointProxy.ashx

Use the SharePointProxy.ashx as a starting point when configuring and testing the ArcGIS for SharePoint Map Web Part as it allows tokens to be shared by all web parts from the same IIS web server. The SharePoint.ashx only sends the web server name (http://<hostname>) as the referrer in the forwarded http request, which is less secure than the Proxy.ashx. To configure tokens, modify the SharePoint.config file that is included in the SharePointProxy.zip file. When retrieving tokens from the Services Directory (for example, http://<servername>/ArcGIS/tokens/gettoken.html), be sure to use http://hostname as the HTTP Referrer. In the SharePointProxy.config file, paste the entire token without leading or trailing white spaces. As only the hostname is used, the token and the proxy page will work both in ArcGIS for SharePoint development and production applications, provided that the applications are accessed through the hostname in the URL instead of localhost or the fully-qualified domain name.

Proxy.ashx

Use the Proxy.ashx for ArcGIS for SharePoint Map Web Parts that are a part of SharePoint sites in production. The Proxy.ashx passes along the HTTP referrer from the applications to the server and is hence more secure. Typically, you will need one proxy page per site or page if you are using tokens because tokens are application-specific.The scope for which you choose to define tokens (site, page, etc) will depend on the level at which you wish to authenticate. If all Map Web Parts within an entire site consume secure ArcGIS Server services in the same way, then it may make sense to define one proxy for the site. If different Map Web Parts within a site differ in how they access secure services, then you should setup a proxy for each page or set of pages that use the same permissions.To configure tokens, modify the Proxy.config file that is included in the Proxy.zip file. When retrieving a token, use the URL to the SharePoint site or pagein the deployed SharePoint instance instead of just http://<hostname>. Then, in the Proxy.config file, paste the entire token without leading or trailing white spaces.

Download and Configure the Proxy Page

In this step, you'll learn how to download and install the proxy page on your Web server. The proxy page runs on your local web server, not on an ESRI server or on the ArcGIS Server computer (unless your web server also hosts the ArcGIS Server instance).

Before proceeding, ensure that you have ASP.NET 2.0 or higher installed and registered with Internet Information Services (IIS). If ASP.NET is not configured with IIS, follow the instructions for the version of IIS you are running in the ASP.NET and IIS Configuration help topic on MSDN.

  1. Download SharePointProxy.zip or Proxy.zip, then unzip and save the contents to a folder on your web server's root directory. In IIS, the default location for the Web server's root folder is c:\inetpub\wwwroot. If you plan on using the proxy for multiple sites you can create a folder in the web root directory called proxy and place the contents there.
  2. Open IIS Manager. This Microsoft Knowledge Base article provides instructions for opening IIS Manager depending on the version of IIS you are using.
  3. Next, create a Web Application for the proxy folder; these steps differ depending on the version of IIS you are using.

    For IIS 5 or 6 use the following steps:

    1. In the Default Web Site, right-click the proxy directory and click Properties.
    2. On the Directory tab, in the Application Settings section click the Create button then click OK.
      Create IIS Application

    For IIS 7 use the following steps. For more information, see Create a Website (IIS 7):

    1. In the Default Web Site, right-click the proxy directory and click Add Application.
      Create IIS7 Application
    2. Specify the Alias and Physical Path in the Add Application dialog and click OK.
      Add Application (IIS 7)
  4. If you will be using the proxy page for services with token-based authentication, obtain a token for the service. If your application uses multiple ArcGIS Server systems that require tokens, obtain a token for each server. For more information on obtaining a token, see Secure Services in the ArcGIS for Silverlight documentation. For information on the URL to specify for the Http Referrer parameter, see the previous section.
  5. Open the configuration proxy page (proxy.config) in a text or XML editor.
  6. For each ArcGIS Server that will use the proxy page, add a <serverUrl> entry to the configuration XML file within the <serverUrls> section. See the proxy configuration file for examples. The serverUrl element can have these attributes:
    • url: the URL of the ArcGIS Server machine or the service. If multiple services in the same server are used in the application, then the url can point to the services root. If only a single service on the server is used, then the url can be set to the full service URL.
    • matchAll: whether to use the token for all requests with this URL stem. If this attribute is true and the url attribute is set to the services root, then the entry can be used for multiple services in the application.
    • token: the authentication token obtained in step 1. Optional—used only for services secured with token-based authentication.

    If multiple services on the same server are used in the application, the URL may point to the service root (for example, http://www.example.com/arcgis/rest/services), and the matchAll parameter set to true. Multiple server entries may be added if more than one ArcGIS Server computer is used in the application.

    The mustMatch attribute in the containing element controls whether only specified sites may be proxied. This attribute should generally be set to true. If set to false, then the proxy page will forward any request to any server. This could potentially allow your proxy page to be used to send requests to third-party servers without your permission.

  7. Save the configuration file.

Add Secured Services to the Map Web Part

Once you have configured your proxy pages, you may access secured services within the Map Web Part.

  1. In Edit Mode, click the Browse button to display the Browse panel.
  2. On the Browse panel, click the Access secured services icon. The checkbox to Add Secured Services and the Configure Proxy link appear.
    Access secured services
  3. Click the Configure Proxy link and in the Configure Secured Services dialog that appears, enter the url to the desired proxy page and click OK. Note that the proxy will be shared by all layers in the application that use a secured service.
    Enter Proxy Url
  4. In the Browse panel, check the box to Add Secured Services. All of the layers you add will now use the defined proxy.

NoteNote:

  • At Beta 2, geoprocessing secured services are not supported.
  • At Beta 2, secured base maps are not supported.
  • Add a layer using secured service only if it requires it. Currently, if Add secured services is checked, all layers are added with ProxyUrl.

8/12/2011