Building Secure Systems with ArcGIS Server

Slides from my 2010 ESRI Developer Summit presentation on Building Secure Systems with ArcGIS Server. Discusses the MARC application and discusses vulnerabilities with long-life tokens

Published in: Technology

Transcript

  • 1. Building Secure Apps Dave Bouwman http://www.flickr.com/photos/heraklit/169566548
  • 2. NOT Server Configuration 101
  • 3. Emergency Response workflow application multi-service “mash-up” ESRI JS API + Dojo ArcGIS Server 9.3 REST
  • 4. Report!
  • 5. Human Impacts http://www.flickr.com/photos/pedrosimoes7/393217457
  • 6. Material Impacts http://www.flickr.com/photos/kenneth_hynek/3844780152
  • 7. Wx Events
  • 8. Real-Time Wx
  • 9. Plume Modeling
  • 10. Ad-Hoc Incidents
  • 11. Data Catalog
  • 12. Standard Layers Incident Layers Local or Remote AGS Local or Remote AGS Tiled or Dynamic Dynamic Bitmap or Geometry Geometry Public or Secured Public or Secured All configured via admin tools.
  • 13. Security:
  • 14. Secrets
  • 15. Place Server Here
  • 16. Identity Access
  • 17. LOGIN: dave PASSWORD: ******
  • 18. Get Config JS Starter Kit Config.json IIS
  • 19. Identity Matters
  • 20. Get Config JS Starter Kit* Config ASP.NET MVC
  • 21. Locking up ArcGIS Server
  • 22. A AD B AD CAD Multi-Agency
  • 23. Windows Authentication AGS IIS AD
  • 24. HTTP Basic/Digest dave ******* AGS IIS AD
  • 25. Token-based Authentication Credentials AGS Token Request + Token Response Store
  • 26. HTTP is stateless Zen of Tokens Credentials Credentials Credentials Credentials Credentials Credentials Credentials Credentials
  • 27. Zen of Tokens dave ******* long life = high risk
  • 28. Zen of Tokens dave ******* T + Expiration + stuff*
  • 29. “HTTP Referer”
  • 30. Get Page Html Get Config Config + Token Request + Token Response WARNING! ----------DO NOT DO THIS! ------- WARNING !
  • 31. Zen of Tokens T = dave *******
  • 32. HTTP is stateless Zen of Tokens Token Token Token Token Token Token Token Token
  • 33. Spoofing Referer Headers 101 1) Setup a simple JSAPI Page 2) Configure it to force all requests through a proxy 3) Get the PHP Proxy for ArcGIS Server 4) Change two lines
  • 34. proxy.php $serverUrls = array( array( 'url' => 'http://server.arcgisonline.com/ArcGIS/rest/services/', 'matchAll' => true, 'token' => ''), array( 'url' => 'http://maps.mysite.com/ArcGIS/rest/services', 'matchAll' => true, 'token' => 'someBigUGLYlongStringThatIsYourTOKENYo') );
  • 35. proxy.php $options = array( CURLOPT_URL => $targetUrl, CURLOPT_HEADER => false, CURLOPT_HTTPHEADER => array( 'Content-Type: ' . $_SERVER['CONTENT_TYPE'], 'Referer: ' . 'http://mysite.com/maps.html'), CURLOPT_RETURNTRANSFER => true );
  • 36. Zen of Tokens Exposed tokens MUST expire quickly!
  • 37. Hiding Tokens behind a Proxy
  • 38. PROXY Credentials AGS Request Token Response Request + Token Response Credentials
  • 39. Out of the Box Get Token From Config File Add Token to URI Proxy Logic Create WebRequest Return output stream <!-- serverUrl options: url = location of the ArcGIS Server, either specific URL or stem matchAll = true to forward any request beginning with the url Not Implemented! token = (optional) token to include for secured service dynamicToken = if true, gets token dynamically with username and password stored in web.config file's appSettings section. -->
  • 40. PROXY++ Credentials AGS Request Token Response Request + Token Response Credentials
  • 41. EMSAM Check Authentication (cookies) Proxy Logic Check Server is “known” (db) Check if server is secured (db) If YES Get credentials (config) Get Token (1 second expiry) Append Token to URI Create WebRequest Return Output stream
  • 42. PROXY++ Credentials AGS Request Token Response Request + Token Response Credentials
  • 43. https://
  • 44. PROXY E Request D D Response E
  • 45. KC AGS KC AGS HTTPS KC AGS ArcGIS Online PROXY E Request D D Response E
  • 46. Check List: End user does not know AGS credentials; No Exposed Tokens (spoofing); Use Short Term Tokens (one request); Limited AGS Security Accounts; All client transactions across HTTPS; Access to remote, secured AGS over HTTPS; All "Easily" Configured
  • 47. Secure!
  • 48. 90% increase
  • 49. Everything is a tradeoff. http://www.flickr.com/photos/ericmcgregor/103895441
  • 50. Think like a hacker.
  • 51. https://
  • 52. Questions?
  • 53. It’s not secure until it’s secure.
  • 54. Credentials Token PROXY Credentials Token Credentials Token
  • 55. Remote AGS Service Harvesting
  • 56. Remote AGS PROXY E Request D D Response E
  • 57. HTTP 404: Resource Not Found
  • 58. The best laid plans… http://www.flickr.com/photos/ericmcgregor/103895441
  • 59. http://attcv-agsms.esri.com/ArcGIS/rest/services/CoverageMap/MapServer/export? token=dnLqp8eAGIGdr7IZN0vSPYAqjCVMCG8P9faDPgDucR5OHgxBbBdJjqqLvjnk9B6p
  • 60. http://www.wireless.att.com/coverageviewer/js/com/esri/app/esriConfig.js
  • 61. Referer Header
  • 62. ArcGIS Server
  • 63. GIS Application Request Response ArcGIS Server Request Response
  • 64. Geo-Enabled Web App… Request ArcGIS Server Response Request Web App Server Response
  • 65. Default: Open
  • 66. Dude… I'm tryin' to be cool here - where are the tokens??
  • 67. Locking the Door
  • 68. What’s the secret?
  • 69. http://www.flickr.com/photos/nige_mar/4322149444
  • 70. Locking it up.
  • 71. Windows Authentication HTTP Basic/Digest Token-based Authentication
  • 72. Request Response
  • 73. Credentials Token Request + Token Response
  • 74. Get Page Html Get Config.js Config + Token Request + Token Response
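Added example, not from the slides and not ESRI's proxy code: a minimal Python model of the "PROXY++" design on slides 37 to 46 (check the user's session, check the target server is known, check whether it is secured, mint a one-request token, append it, forward) plus a small audit helper for the "No Exposed Tokens" checklist item, which scans client-visible artifacts like the config.js on slide 60 for leaked tokens. The allowlist, credentials, session store and token issuer are all constructed stand-ins for the database, web.config and the ArcGIS Server token service, so the example runs offline; the names `proxy_request`, `issue_token` and `find_exposed_tokens` are assumptions of this example.

```python
"""
Constructed model of the PROXY++ pattern: the browser only ever talks to the
proxy; ArcGIS Server credentials and tokens stay server-side.
"""
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Stand-in for the "known servers" table (slide 41). Keys are URL stems.
KNOWN_SERVERS = {
    "http://server.arcgisonline.com/ArcGIS/rest/services/": {"secured": False},
    "http://maps.mysite.com/ArcGIS/rest/services/": {"secured": True},
}

# Stand-in for credentials kept in the proxy's config file (never sent to the browser).
AGS_CREDENTIALS = {
    "http://maps.mysite.com/ArcGIS/rest/services/": ("proxy_svc", "example-password"),
}

# Stand-in for the proxy's own session store (the "cookies" check on slide 41).
VALID_SESSIONS = {"sess-123": "dave"}

# Constructed token issuer standing in for the AGS token service. A real proxy
# would call the server's token endpoint with these credentials; the local HMAC
# only exists so the example runs offline. The password is unused for that reason.
_SIGNING_KEY = b"constructed-demo-key"


def issue_token(username, password, ttl_seconds, now=None):
    """Return an opaque-looking token that carries its own expiry time."""
    now = time.time() if now is None else now
    expires = int(now + ttl_seconds)
    sig = hmac.new(_SIGNING_KEY, f"{username}:{expires}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{username}.{expires}.{sig}"


def token_expiry(token):
    """Unix time at which a token from issue_token() stops being valid."""
    return int(token.split(".")[1])


def token_from_url(url):
    """The token query parameter of a URL, or None."""
    return dict(parse_qsl(urlsplit(url).query)).get("token")


def _known_stem(url):
    for stem in KNOWN_SERVERS:
        if url.startswith(stem):
            return stem
    return None


def proxy_request(session_cookie, target_url, now=None):
    """Return (status, upstream_url) following the slide 41 proxy logic.

    401: caller has no valid session with the proxy.
    403: target is not a known server (the proxy must not be an open relay).
    200: upstream_url is what the proxy would fetch; for secured servers it
         carries a token that expires one second after issue, so a leaked
         copy is useless almost immediately.
    """
    if session_cookie not in VALID_SESSIONS:
        return 401, None
    stem = _known_stem(target_url)
    if stem is None:
        return 403, None
    if not KNOWN_SERVERS[stem]["secured"]:
        return 200, target_url  # public service: forward untouched
    user, pw = AGS_CREDENTIALS[stem]
    token = issue_token(user, pw, ttl_seconds=1, now=now)
    parts = urlsplit(target_url)
    query = dict(parse_qsl(parts.query))
    query["token"] = token
    return 200, urlunsplit(parts._replace(query=urlencode(query)))


# Matches token=..., token: '...', and PHP-style 'token' => '...' with a
# value long enough to be a real token (empty placeholders are ignored).
_TOKEN_RE = re.compile(r"(?i)token['\"]?\s*(?:=>?|:)\s*['\"]?([A-Za-z0-9._-]{16,})")


def find_exposed_tokens(artifacts):
    """Audit client-visible text (page HTML, config.js, URLs) for tokens.

    artifacts: dict of name -> text. Returns [(name, token), ...].
    """
    return [(name, m.group(1)) for name, text in artifacts.items()
            for m in _TOKEN_RE.finditer(text)]


if __name__ == "__main__":
    status, upstream = proxy_request(
        "sess-123", "http://maps.mysite.com/ArcGIS/rest/services/Incidents/MapServer/export?f=json")
    print(status, upstream)
    print(find_exposed_tokens({
        "config.js": "var cfg = { token: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ012345' };",  # constructed leak
        "config-via-proxy.js": "var cfg = { proxyUrl: '/proxy.ashx', token: '' };",
    }))
```

The audit helper is meant to run over what the browser actually receives (the starter kit's config file, page HTML, any URLs the JS API builds); under the proxy design it should return an empty list, because the only place a token ever appears is the proxy's upstream request. Real ArcGIS Server token endpoints take the expiration in their own units and have their own minimum lifetime, so the one-second value here is the design intent from the deck, not a tested server setting.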