Building Secure Systems with ArcGIS Server
Slides from my 2010 ESRI Developer Summit presentation on Building Secure Systems with ArcGIS Server. Discusses the MARC application and discusses vulnerabilities with long-life tokens
Building Secure Systems with ArcGIS Server Presentation Transcript

  • 1. Building Secure Apps Dave Bouwman http://www.flickr.com/photos/heraklit/169566548
  • 2. NOT Server Configuration 101
  • 3. Emergency Response workflow application multi-service “mash-up” ESRI JS API + Dojo ArcGIS Server 9.3 REST
  • 4. Report!
  • 5. Human Impacts http://www.flickr.com/photos/pedrosimoes7/393217457
  • 6. Material Impacts http://www.flickr.com/photos/kenneth_hynek/3844780152
  • 7. Wx Events
  • 8. Real-Time Wx
  • 9. Plume Modeling
  • 10. Ad-Hoc Incidents
  • 11. Data Catalog
  • 12. Standard Layers: Local or Remote AGS; Tiled or Dynamic; Bitmap or Geometry; Public or Secured. Incident Layers: Local or Remote AGS; Dynamic; Geometry; Public or Secured. All configured via admin tools.
  • 13. Security:
  • 14. Secrets
  • 15. Place Server Here
  • 16. Identity Access
  • 17. LOGIN: dave PASSWORD: ******
  • 18. Get Config JS Starter Kit Config.json IIS
  • 19. Identity Matters
  • 20. Get Config JS Starter Kit* Config ASP.NET MVC
  • 21. Locking up ArcGIS Server
  • 22. A AD B AD CAD Multi-Agency
  • 23. Windows Authentication AGS IIS AD
  • 24. HTTP Basic/Digest dave ******* AGS IIS AD
  • 25. Token-based Authentication Credentials AGS Token Request + Token Response Store
  • 26. HTTP is stateless Zen of Tokens Credentials Credentials Credentials Credentials Credentials Credentials Credentials Credentials
  • 27. Zen of Tokens dave ******* = long risk high life
  • 28. Zen of Tokens dave ******* T + Expiration + stuff*
  • 29. “HTTP Referer”
  • 30. Get Page Html → Get Config → Config + Token → Request + Token → Response. WARNING! DO NOT DO THIS! WARNING!
  • 31. Zen of Tokens T = dave *******
  • 32. HTTP is stateless Zen of Tokens Token Token Token Token Token Token Token Token
  • 33. Spoofing Referer Headers 101 1) Setup a simple JSAPI Page 2) Configure it to force all requests through a proxy 3) Get the PHP Proxy for ArcGIS Server 4) Change two lines
  • 34. proxy.php
    $serverUrls = array(
        array('url' => 'http://server.arcgisonline.com/ArcGIS/rest/services/', 'matchAll' => true, 'token' => ''),
        array('url' => 'http://maps.mysite.com/ArcGIS/rest/services', 'matchAll' => true, 'token' => 'someBigUGLYlongStringThatIsYourTOKENYo')
    );
  • 35. proxy.php
    $options = array(
        CURLOPT_URL => $targetUrl,
        CURLOPT_HEADER => false,
        CURLOPT_HTTPHEADER => array('Content-Type: ' . $_SERVER['CONTENT_TYPE'], 'Referer: ' . 'http://mysite.com/maps.html'),
        CURLOPT_RETURNTRANSFER => true
    );
  • 36. Zen of Tokens: Exposed tokens MUST expire quickly!
  • 37. Hiding Tokens behind a Proxy
  • 38. PROXY Credentials AGS Request Token Response Request + Token Response Credentials
  • 39. Out of the Box: Get Token From Config File → Add Token to URI → Proxy Logic → Create WebRequest → Return output stream
    <!-- serverUrl options:
         url = location of the ArcGIS Server, either specific URL or stem
         matchAll = true to forward any request beginning with the url
         Not Implemented!
         token = (optional) token to include for secured service
         dynamicToken = if true, gets token dynamically with username and password stored in web.config file's appSettings section.
    -->
  • 40. PROXY++ Credentials AGS Request Token Response Request + Token Response Credentials
  • 41. EMSAM Proxy Logic: Check Authentication (cookies) → Check Server is “known” (db) → Check if server is secured (db) → If YES: Get credentials (config), Get Token (1 second expiry), Append Token to URI → Create WebRequest → Return Output stream
  • 42. PROXY++ Credentials AGS Request Token Response Request + Token Response Credentials
  • 43. https://
  • 44. PROXY E Request D D Response E
  • 45. KC AGS KC AGS HTTPS KC AGS ArcGIS Online PROXY E Request D D Response E
  • 46. Check List: End user does not know AGS credentials; No Exposed Tokens (spoofing); Use Short Term Tokens (one request); Limited AGS Security Accounts; All client transactions across HTTPS; Access to remote, secured AGS over HTTPS; All “Easily” Configured
  • 47. Secure!
  • 48. 90% increase
  • 49. Everything is a tradeoff. http://www.flickr.com/photos/ericmcgregor/103895441
  • 50. Think like a hacker.
  • 51. https://
  • 52. Questions?
  • 53. It’s not secure until it’s secure.
  • 54. Credentials Token PROXY Credentials Token Credentials Token
  • 55. Remote AGS Service Harvesting
  • 56. Remote AGS PROXY E Request D D Response E
  • 57. HTTP 404: Resource Not Found
  • 58. The best laid plans… http://www.flickr.com/photos/ericmcgregor/103895441
  • 59. http://attcv-agsms.esri.com/ArcGIS/rest/services/CoverageMap/MapServer/export? token=dnLqp8eAGIGdr7IZN0vSPYAqjCVMCG8P9faDPgDucR5OHgxBbBdJjqqLvjnk9B6p
  • 60. http://www.wireless.att.com/coverageviewer/js/com/esri/app/esriConfig.js
  • 61. Referer Header
  • 62. ArcGIS Server
  • 63. GIS Application Request Response ArcGIS Server Request Response
  • 64. Geo-Enabled Web App… Request ArcGIS Server Response Request Web App Server Response
  • 65. Default: Open
  • 66. Dude… I’s tryin to be cool here - where are tokens??
  • 67. Locking the Door
  • 68. What’s the secret?
  • 69. http://www.flickr.com/photos/nige_mar/4322149444
  • 70. Locking it up.
  • 71. Windows Authentication HTTP Basic/Digest Token-based Authentication
  • 72. Request Response
  • 73. Credentials Token Request + Token Response
  • 74. Get Page Html Get Config.js Config + Token Request + Token Response
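The token-hiding proxy described on slides 36, 39, 41 and 46 (authenticate the end user, check the target server against a known list, fetch a one-request token from server-side credentials, append it to the upstream URI, and return only the response), written out as an added Python example. This is not the presentation's code and not ESRI's proxy; the token service, the known-server table, the account names and the 498/499 token error codes it mirrors from the ArcGIS REST API are constructed stand-ins so the flow runs offline.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class FakeClock:
    """Controllable clock so token expiry can be shown without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeTokenService:
    """Constructed stand-in for the ArcGIS Server generateToken endpoint:
    issues opaque tokens with an expiry and validates them. Not ESRI code."""

    def __init__(self, accounts, clock):
        self._accounts = accounts   # AGS username -> password (constructed)
        self._tokens = {}           # token -> expiry (epoch seconds)
        self._clock = clock

    def generate_token(self, username, password, expiration_seconds):
        if self._accounts.get(username) != password:
            raise PermissionError("bad AGS credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = self._clock() + expiration_seconds
        return token

    def is_valid(self, token):
        expiry = self._tokens.get(token)
        return expiry is not None and self._clock() < expiry


def append_token(url, token):
    """Append token=... to the query string, keeping existing parameters."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["token"] = token
    return urlunsplit(parts._replace(query=urlencode(query)))


def make_fake_ags(token_service):
    """Constructed secured AGS endpoint; answers with the ArcGIS REST API's
    499 (token required) / 498 (invalid or expired token) conventions."""

    def handle(url):
        token = dict(parse_qsl(urlsplit(url).query)).get("token")
        if token is None:
            return 499, "Token Required"
        if not token_service.is_valid(token):
            return 498, "Invalid Token"
        return 200, "<map image bytes>"

    return handle


def proxy_request(target_url, session, known_servers, token_service, forward):
    """Hypothetical implementation of the slide 41 proxy logic.
    known_servers maps a URL stem to {"secured": bool, "user", "password"};
    forward(url) performs the upstream request and returns (status, body).
    Credentials and the token stay server-side; only the body goes back."""
    # 1. Check the end user is authenticated to the web app (cookie/session).
    if not session.get("authenticated"):
        return 401, "Not authenticated"
    # 2. Check the target is a "known" server (the db lookup of slide 41).
    config = next((c for stem, c in known_servers.items()
                   if target_url.startswith(stem)), None)
    if config is None:
        return 403, "Unknown server"
    upstream_url = target_url
    # 3. Secured server: fetch a one-second token from configured credentials.
    if config["secured"]:
        token = token_service.generate_token(
            config["user"], config["password"], expiration_seconds=1)
        upstream_url = append_token(target_url, token)
    # 4. Create the upstream request and return its output stream.
    return forward(upstream_url)


# Constructed configuration: one secured and one public server stem.
CLOCK = FakeClock()
TOKEN_SERVICE = FakeTokenService({"svc_maps": "example-password"}, CLOCK)
KNOWN_SERVERS = {
    "http://maps.example.org/ArcGIS/rest/services": {
        "secured": True, "user": "svc_maps", "password": "example-password"},
    "http://public.example.org/ArcGIS/rest/services": {"secured": False},
}
FAKE_AGS = make_fake_ags(TOKEN_SERVICE)


def demo():
    """Scenarios from the slide 46 check list; returns the status codes."""
    url = "http://maps.example.org/ArcGIS/rest/services/Roads/MapServer/export?f=json"
    auth = {"authenticated": True}
    anon = proxy_request(url, {}, KNOWN_SERVERS, TOKEN_SERVICE, FAKE_AGS)
    unknown = proxy_request("http://other.example.net/x", auth,
                            KNOWN_SERVERS, TOKEN_SERVICE, FAKE_AGS)
    ok = proxy_request(url, auth, KNOWN_SERVERS, TOKEN_SERVICE, FAKE_AGS)
    # An exposed token (slides 36 and 59) is useless once its window passes.
    leaked = TOKEN_SERVICE.generate_token("svc_maps", "example-password", 1)
    CLOCK.advance(2)
    replay = FAKE_AGS(append_token(url, leaked))
    return {"anon": anon[0], "unknown": unknown[0], "ok": ok[0], "replay": replay[0]}


if __name__ == "__main__":
    print(demo())
```

The one-second expiry is the design choice from slide 41: the proxy requests a fresh token per upstream call, so a token that escapes (in a log, a cached URL or a replayed request) is dead before it can be reused, and the browser never sees the AGS account or the token at all.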