Building Secure Systems with ArcGIS Server

Slides from my 2010 ESRI Developer Summit presentation on Building Secure Systems with ArcGIS Server. Discusses the MARC application and discusses vulnerabilities with long-life tokens

  1. Building Secure Apps. Dave Bouwman. (image: http://www.flickr.com/photos/heraklit/169566548)
  2. NOT Server Configuration 101
  3. Emergency Response workflow application: multi-service "mash-up", ESRI JS API + Dojo, ArcGIS Server 9.3 REST
  4. Report!
  5. Human Impacts (image: http://www.flickr.com/photos/pedrosimoes7/393217457)
  6. Material Impacts (image: http://www.flickr.com/photos/kenneth_hynek/3844780152)
  7. Wx Events
  8. Real-Time Wx
  9. Plume Modeling
  10. Ad-Hoc Incidents
  11. Data Catalog
  12. Layer types, all configured via admin tools:
      Standard Layers: Local or Remote AGS; Tiled or Dynamic; Bitmap or Geometry; Public or Secured
      Incident Layers: Local or Remote AGS; Dynamic; Geometry; Public or Secured
  13. Security:
  14. Secrets
  15. Place Server Here
  16. Identity / Access
  17. LOGIN: dave   PASSWORD: ******
  18. Get Config: JS Starter Kit -> Config.json (served by IIS)
  19. Identity Matters
  20. Get Config: JS Starter Kit* -> Config (served by ASP.NET MVC)
  21. Locking up ArcGIS Server
  22. Multi-Agency: Agency A (AD), Agency B (AD), Agency C (AD)
  23. Windows Authentication: IIS in front of AGS, accounts in AD
  24. HTTP Basic/Digest: dave / ******* -> IIS -> AGS, accounts in AD
  25. Token-based Authentication: Credentials -> AGS -> Token; then Request + Token -> Response (the client stores the token)
  26. Zen of Tokens: HTTP is stateless, so without a token every request carries Credentials (Credentials, Credentials, Credentials, ...)
  27. Zen of Tokens: dave / ******* with a long life = high risk
  28. Zen of Tokens: T = f(dave, *******) + Expiration + stuff*
  29. "HTTP Referer"
  30. Get Page -> Html; Get Config -> Config + Token; Request + Token -> Response. WARNING! DO NOT DO THIS! WARNING! (the token ships to the browser inside the config)
  31. Zen of Tokens: T = dave / ******* (the token is as good as the credentials it stands for)
  32. Zen of Tokens: HTTP is stateless, so now every request carries the Token instead (Token, Token, Token, ...)
  33. Spoofing Referer Headers 101: 1) Set up a simple JSAPI page; 2) Configure it to force all requests through a proxy; 3) Get the PHP Proxy for ArcGIS Server; 4) Change two lines
  34. proxy.php, first change: the harvested token goes into the `$serverUrls` table for the target server:

```php
$serverUrls = array(
    array('url'      => 'http://server.arcgisonline.com/ArcGIS/rest/services/',
          'matchAll' => true,
          'token'    => ''),
    array('url'      => 'http://maps.mysite.com/ArcGIS/rest/services',
          'matchAll' => true,
          'token'    => 'someBigUGLYlongStringThatIsYourTOKENYo')   // token lifted from the public config
);
```

  35. proxy.php, second change: the proxy sends whatever Referer the token is bound to, regardless of what the browser sent:

```php
$options = array(
    CURLOPT_URL        => $targetUrl,
    CURLOPT_HEADER     => false,
    CURLOPT_HTTPHEADER => array(
        'Content-Type: ' . $_SERVER['CONTENT_TYPE'],
        'Referer: ' . 'http://mysite.com/maps.html'   // forged Referer
    ),
    CURLOPT_RETURNTRANSFER => true
);
```
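A runnable version of the spoofing demo in slides 33 to 35, added here as an example; it is not taken from the deck or from ESRI's PHP proxy. It stands in both sides of the exchange: a server that accepts a token only when the Referer matches the application the token was issued to, a browser client that sends its real page URL as Referer, and a proxy that forwards with a forged Referer. The token value, the allowed origin, the URLs and the server-side table are all constructed for the demo.

```python
"""Referer spoofing against a Referer-bound token (added example, not ESRI or deck code).

The 'server' below stands in for a secured ArcGIS Server export endpoint that trusts
the Referer header to decide which web application a token may be used from. The
token, the allowed origin and the URLs are constructed for the demo.
"""

# Token lifted from a public config file (constructed value), mapped on the server
# to the web application it was issued for.
ISSUED_TOKENS = {
    "someBigUGLYlongStringThatIsYourTOKENYo": "http://mysite.com/",
}
HARVESTED_TOKEN = "someBigUGLYlongStringThatIsYourTOKENYo"


def ags_export(headers: dict, token: str) -> tuple[int, str]:
    """Stand-in for .../MapServer/export: valid token AND matching Referer required."""
    allowed_origin = ISSUED_TOKENS.get(token)
    if allowed_origin is None:
        return 403, "invalid token"
    referer = headers.get("Referer", "")
    if not referer.startswith(allowed_origin):
        return 403, "token not valid for referer " + (referer or "(none)")
    return 200, '{"href": "http://maps.mysite.com/arcgisoutput/map.png"}'


def browser_request(page_url: str, token: str) -> tuple[int, str]:
    """A browser sends the URL of the page that issued the request as the Referer."""
    return ags_export({"Referer": page_url}, token)


def spoofing_proxy(token: str, forged_referer: str) -> tuple[int, str]:
    """The deck's two-line change: the proxy forwards with whatever Referer it likes.

    The browser's own Referer (say, http://evil.example/steal.html) never reaches AGS,
    so the Referer check on the server proves nothing about who is calling.
    """
    return ags_export({"Referer": forged_referer}, token)


if __name__ == "__main__":
    print(browser_request("http://mysite.com/maps.html", HARVESTED_TOKEN))     # accepted
    print(browser_request("http://evil.example/steal.html", HARVESTED_TOKEN))  # rejected
    print(spoofing_proxy(HARVESTED_TOKEN, "http://mysite.com/maps.html"))     # accepted again
```

The point the server side makes explicit: the only thing a Referer restriction blocks is a browser that is honest about where the request came from. Anything that can set its own headers, which includes the stock proxy with one string changed, walks straight past it, so the token's lifetime is the only real limit on the damage.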
  36. Zen of Tokens: exposed tokens MUST expire quickly!
  37. Hiding Tokens behind a Proxy
  38. PROXY: browser -> Request -> PROXY; PROXY -> Credentials -> AGS -> Token; PROXY -> Request + Token -> AGS -> Response -> browser. Credentials and Token stay between the proxy and AGS.
  39. Out of the Box proxy logic: Get Token From Config File -> Add Token to URI -> Create WebRequest -> Return output stream. From the proxy config:
      <!-- serverUrl options:
           url = location of the ArcGIS Server, either specific URL or stem
           matchAll = true to forward any request beginning with the url
           Not Implemented!
           token = (optional) token to include for secured service
           dynamicToken = if true, gets token dynamically with username and password stored in web.config file's appSettings section. -->
  40. PROXY++: Request -> PROXY++ -> Credentials -> AGS -> Token; Request + Token -> Response
  41. EMSAM proxy logic:
      - Check Authentication (cookies)
      - Check Server is "known" (db)
      - Check if server is secured (db)
      - If YES: Get credentials (config); Get Token (1 second expiry); Append Token to URI
      - Create WebRequest
      - Return Output stream
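The Zen of Tokens slides (27 through 32) and the EMSAM proxy logic on slide 41, worked through together as one added example in Python. This is not the EMSAM, MARC or ESRI proxy code. The ArcGIS Server side is a stand-in function rather than a real server; its HMAC token format, signing key and user table, and the proxy's session-cookie table and "known servers" table, are all constructed for the demo. Real ArcGIS Server tokens are opaque strings minted by the server's token service; the HMAC here only reproduces the property the slides rely on, that a token is the credentials plus an expiry.

```python
"""PROXY++ in miniature: credentials and tokens stay server-side (added example).

Not the EMSAM, MARC or ESRI proxy code. The ArcGIS Server side is a stand-in
function; its HMAC token format, signing key and user table, plus the proxy's
session-cookie table and "known servers" table, are constructed for the demo.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# ---- stand-in for ArcGIS Server -----------------------------------------------
AGS_SIGNING_KEY = b"demo-only-signing-key"            # constructed
AGS_USERS = {"dave": "correct-horse-battery-staple"}  # constructed
SECURED_HOSTS = {"maps.mysite.com"}                   # hosts whose services need a token


def generate_token(username: str, password: str, ttl_seconds: int, now: float) -> str:
    """Slide 28's T = f(credentials) + Expiration: an HMAC over user and expiry time."""
    if AGS_USERS.get(username) != password:
        raise PermissionError("bad credentials")
    body = f"{username}:{int(now) + ttl_seconds}"
    sig = hmac.new(AGS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{sig}"


def token_user(token: str, now: float):
    """Return the user a token proves, or None if it is malformed, forged or expired."""
    try:
        username, expires, sig = token.split(":")
        exp = int(expires)
    except ValueError:
        return None
    expected = hmac.new(AGS_SIGNING_KEY, f"{username}:{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return username if now <= exp else None


def ags_request(url: str, now: float) -> tuple[int, str]:
    """Stand-in for a REST call such as .../MapServer/export on the target host."""
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("token", [""])[0]
    if parts.hostname in SECURED_HOSTS and token_user(token, now) is None:
        return 403, "token required or invalid"
    return 200, f'{{"host": "{parts.hostname}", "path": "{parts.path}"}}'


# ---- the proxy (slide 41's logic) ---------------------------------------------
SESSIONS = {"sess-123": "alice"}   # application login cookie -> user (constructed)
KNOWN_SERVERS = {                  # the "known servers" table (a db in the deck)
    "server.arcgisonline.com": {"secured": False},
    "maps.mysite.com": {"secured": True, "user": "dave",
                        "password": "correct-horse-battery-staple"},
}
TOKEN_TTL = 1   # seconds: one token per request, as on the slide


def proxy(url: str, cookies: dict, now: float = None) -> tuple[int, str]:
    """Forward a browser request to AGS, adding a fresh short-lived token if needed."""
    now = time.time() if now is None else now
    if SESSIONS.get(cookies.get("session", "")) is None:    # check authentication (cookies)
        return 401, "not logged in"
    entry = KNOWN_SERVERS.get(urlsplit(url).hostname)       # check server is "known"
    if entry is None:
        return 403, "unknown server"
    if entry["secured"]:                                    # secured? get creds, mint token
        token = generate_token(entry["user"], entry["password"], TOKEN_TTL, now)
        url += ("&" if urlsplit(url).query else "?") + urlencode({"token": token})
    return ags_request(url, now)                            # create request, return output


if __name__ == "__main__":
    export = "http://maps.mysite.com/ArcGIS/rest/services/Demo/MapServer/export?f=json"
    print(proxy(export, {}))                        # 401: no application session
    print(proxy(export, {"session": "sess-123"}))   # 200, and no token in the body
    print(ags_request(export, time.time()))         # 403: direct access without a token
```

Two things to notice when running it. The browser only ever holds the application's session cookie; the AGS credentials live in the proxy's table and the token exists for a single forwarded request, so there is nothing for a config file or a Referer-spoofing proxy to harvest. And the same `token_user` check that rejects a one-second token two seconds later will happily accept a year-long token months later, which is exactly the long-life risk of slide 27.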
  42. PROXY++: Request -> PROXY++ -> Credentials -> AGS -> Token; Request + Token -> Response
  43. https://
  44. PROXY over https://: Request encrypted (E) by the client, decrypted (D) at the proxy; Response encrypted at the proxy, decrypted at the client
  45. KC AGS, KC AGS, KC AGS and ArcGIS Online, all reached through the PROXY over HTTPS (E Request D / D Response E)
  46. Check List:
      - End user does not know AGS credentials
      - No Exposed Tokens (spoofing)
      - User Short Term Tokens (one request)
      - Limited AGS Security Accounts
      - All client transactions across HTTPS
      - Access to remote, secured AGS over HTTPS
      - All "Easily" Configured
  47. Secure!
  48. 90% increase
  49. Everything is a tradeoff. (image: http://www.flickr.com/photos/ericmcgregor/103895441)
  50. Think like a hacker.
  51. https://
  52. Questions?
  53. It's not secure until it's secure.
  54. Credentials -> Token; PROXY: Credentials -> Token; Credentials -> Token
  55. Remote AGS: Service Harvesting
  56. Remote AGS behind the PROXY: E Request D / D Response E
  57. HTTP 404: Resource Not Found
  58. The best laid plans… (image: http://www.flickr.com/photos/ericmcgregor/103895441)
  59. http://attcv-agsms.esri.com/ArcGIS/rest/services/CoverageMap/MapServer/export?token=dnLqp8eAGIGdr7IZN0vSPYAqjCVMCG8P9faDPgDucR5OHgxBbBdJjqqLvjnk9B6p
  60. http://www.wireless.att.com/coverageviewer/js/com/esri/app/esriConfig.js
  61. Referer Header
  62. ArcGIS Server
  63. GIS Application: Request -> ArcGIS Server -> Response; Request -> Response
  64. Geo-Enabled Web App…: Request -> ArcGIS Server -> Response; Request -> Web App Server -> Response
  65. Default: Open
  66. Dude… I'm tryin' to be cool here - where are the tokens??
  67. Locking the Door
  68. What's the secret?
  69. (image: http://www.flickr.com/photos/nige_mar/4322149444)
  70. Locking it up.
  71. Windows Authentication / HTTP Basic/Digest / Token-based Authentication
  72. Request -> Response
  73. Credentials -> Token; Request + Token -> Response
  74. Get Page -> Html; Get Config.js -> Config + Token; Request + Token -> Response
