
Building Secure Systems with ArcGIS Server


Slides from my 2010 ESRI Developer Summit presentation on Building Secure Systems with ArcGIS Server. Discusses the MARC application and vulnerabilities with long-life tokens.

Published in: Technology

Building Secure Systems with ArcGIS Server

  1. Building Secure Apps. Dave Bouwman. http://www.flickr.com/photos/heraklit/169566548
  2. NOT Server Configuration 101
  3. Emergency Response workflow application: multi-service “mash-up”, ESRI JS API + Dojo, ArcGIS Server 9.3 REST
  4. Report!
  5. Human Impacts http://www.flickr.com/photos/pedrosimoes7/393217457
  6. Material Impacts http://www.flickr.com/photos/kenneth_hynek/3844780152
  7. Wx Events
  8. Real-Time Wx
  9. Plume Modeling
  10. Ad-Hoc Incidents
  11. Data Catalog
  12. Standard Layers vs. Incident Layers:
      Standard Layers: Local or Remote AGS; Tiled or Dynamic; Bitmap or Geometry; Public or Secured.
      Incident Layers: Local or Remote AGS; Dynamic; Geometry; Public or Secured.
      All configured via admin tools.
  13. Security:
  14. Secrets
  15. Place Server Here
  16. Identity Access
  17. LOGIN: dave PASSWORD: ******
  18. Get Config: JS Starter Kit, Config.json, IIS
  19. Identity Matters
  20. Get Config: JS Starter Kit*, Config, ASP.NET MVC
  21. Locking up ArcGIS Server
  22. Multi-Agency: A (AD), B (AD), C (AD)
  23. Windows Authentication: AGS, IIS, AD
  24. HTTP Basic/Digest: dave *******, AGS, IIS, AD
  25. Token-based Authentication: Credentials, AGS, Token; Request + Token, Response; Store
  26. Zen of Tokens: HTTP is stateless (Credentials, Credentials, Credentials... sent with every request)
  27. Zen of Tokens: dave ******* = long life, high risk
  28. Zen of Tokens: dave ******* = T + Expiration + stuff*
  29. “HTTP Referer”
  30. Get Page Html, Get Config, Config + Token, Request + Token, Response. WARNING! DO NOT DO THIS!
  31. Zen of Tokens: T = dave *******
  32. Zen of Tokens: HTTP is stateless (Token, Token, Token... sent with every request)
  33. Spoofing Referer Headers 101:
      1) Set up a simple JSAPI page
      2) Configure it to force all requests through a proxy
      3) Get the PHP Proxy for ArcGIS Server
      4) Change two lines
  34. proxy.php
      $serverUrls = array(
        array('url' => 'http://server.arcgisonline.com/ArcGIS/rest/services/', 'matchAll' => true, 'token' => ''),
        array('url' => 'http://maps.mysite.com/ArcGIS/rest/services', 'matchAll' => true, 'token' => 'someBigUGLYlongStringThatIsYourTOKENYo')
      );
  35. proxy.php
      $options = array(
        CURLOPT_URL => $targetUrl,
        CURLOPT_HEADER => false,
        CURLOPT_HTTPHEADER => array(
          'Content-Type: ' . $_SERVER['CONTENT_TYPE'],
          'Referer: ' . 'http://mysite.com/maps.html'),
        CURLOPT_RETURNTRANSFER => true
      );
  36. Zen of Tokens: Exposed tokens MUST expire quickly!
  37. Hiding Tokens behind a Proxy
  38. PROXY: Credentials, AGS, Request, Token, Response, Request + Token, Response, Credentials
  39. Out of the Box: Get Token From Config File; Add Token to URI; Proxy Logic: Create WebRequest, Return output stream.
      <!-- serverUrl options:
           url = location of the ArcGIS Server, either specific URL or stem
           matchAll = true to forward any request beginning with the url   Not Implemented!
           token = (optional) token to include for secured service
           dynamicToken = if true, gets token dynamically with username and password stored in web.config file's appSettings section. -->
  40. PROXY++: Credentials, AGS, Request, Token, Response, Request + Token, Response, Credentials
  41. EMSAM Proxy Logic: Check Authentication (cookies); Check Server is “known” (db); Check if server is secured (db); If YES: Get credentials (config), Get Token (1 second expiry), Append Token to URI; Create WebRequest; Return Output stream
  42. PROXY++: Credentials, AGS, Request, Token, Response, Request + Token, Response, Credentials
  43. https://
  44. PROXY: E Request D, D Response E
  45. KC AGS, KC AGS, HTTPS, KC AGS, ArcGIS Online, PROXY: E Request D, D Response E
  46. Check List: End user does not know AGS credentials; No Exposed Tokens (spoofing); Use Short Term Tokens (one request); Limited AGS Security Accounts; All client transactions across HTTPS; Access to remote, secured AGS over HTTPS; All “Easily” Configured
  47. Secure!
  48. 90% increase
  49. Everything is a tradeoff. http://www.flickr.com/photos/ericmcgregor/103895441
  50. Think like a hacker.
  51. https://
  52. Questions?
  53. It’s not secure until it’s secure.
  54. Credentials, Token, PROXY, Credentials, Token, Credentials, Token
  55. Remote AGS Service Harvesting
  56. Remote AGS, PROXY: E Request D, D Response E
  57. HTTP 404: Resource Not Found
  58. The best laid plans… http://www.flickr.com/photos/ericmcgregor/103895441
  59. http://attcv-agsms.esri.com/ArcGIS/rest/services/CoverageMap/MapServer/export?token=dnLqp8eAGIGdr7IZN0vSPYAqjCVMCG8P9faDPgDucR5OHgxBbBdJjqqLvjnk9B6p
  60. http://www.wireless.att.com/coverageviewer/js/com/esri/app/esriConfig.js
  61. Referer Header
  62. ArcGIS Server
  63. GIS Application: Request, Response; ArcGIS Server: Request, Response
  64. Geo-Enabled Web App…: Request, ArcGIS Server, Response; Request, Web App Server, Response
  65. Default: Open
  66. Dude… I’m tryin’ to be cool here - where are tokens??
  67. Locking the Door
  68. What’s the secret?
  69. http://www.flickr.com/photos/nige_mar/4322149444
  70. Locking it up.
  71. Windows Authentication; HTTP Basic/Digest; Token-based Authentication
  72. Request, Response
  73. Credentials, Token, Request + Token, Response
  74. Get Page Html, Get Config.js, Config + Token, Request + Token, Response
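The "PROXY++" logic of slide 41 and the check list of slide 46 (user never sees AGS credentials, no exposed tokens, one short-lived token per request, only known servers reachable) can be modelled in a few dozen lines. The Python below is an added example, not code from the deck or from the EMSAM/MARC application: the known-server database is a dict, the application's cookie authentication is a dict of sessions, and the ArcGIS Server generateToken call is replaced by a constructed stand-in (fake_generate_token) whose parameter names are assumptions. Everything else, the hostnames, the session id and the service account, is a constructed placeholder.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# --- Constructed configuration (hypothetical hosts and credentials) ---------
# Slide 41 looks "known" and "secured" up in a database; a dict stands in for
# it here. AGS credentials live only on the proxy host, so the browser never
# sees them (slide 46: "End user does not know AGS credentials").
KNOWN_SERVERS = {
    "https://server.arcgisonline.com/ArcGIS/rest/services": {"secured": False},
    "https://maps.example.test/ArcGIS/rest/services": {
        "secured": True,
        "user": "proxy_svc",             # a limited AGS security account (slide 46)
        "password": "proxy-svc-secret",  # constructed value
    },
}
# Constructed session store standing in for the app's own cookie authentication.
SESSIONS = {"sess-7f3a": "dave"}
# One request's worth of lifetime; the deck uses a 1 second expiry (slide 41).
TOKEN_TTL_SECONDS = 1


class ProxyError(Exception):
    """Request refused before anything is forwarded; carries an HTTP status."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def check_authentication(cookies):
    """Step 1: the caller must hold a valid application session cookie."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        raise ProxyError(401, "not authenticated")
    return user


def lookup_known_server(target_url):
    """Step 2: forward only to allow-listed servers. An open proxy would relay
    for anyone, which is the 'Remote AGS Service Harvesting' of slide 55."""
    for stem, cfg in KNOWN_SERVERS.items():
        if target_url.startswith(stem):
            return stem, cfg
    raise ProxyError(403, "unknown server")


def fake_generate_token(user, password, ttl_seconds):
    """Stand-in for the AGS generateToken call (constructed: returns a random
    token instead of contacting a server; parameter names are assumptions)."""
    return {"token": secrets.token_urlsafe(24),
            "expires": time.time() + ttl_seconds}


def append_token(url, token):
    """Step 4: put the short-lived token on the upstream URI, discarding any
    token= the client supplied so the browser can never choose the token."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "token"]
    query.append(("token", token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def proxy_request(cookies, target_url, fetch, generate_token=fake_generate_token):
    """Slide 41's proxy logic. fetch(url) performs the upstream request and
    returns the body; generate_token issues a token for a secured server."""
    check_authentication(cookies)
    stem, cfg = lookup_known_server(target_url)
    upstream_url = target_url
    if cfg["secured"]:
        issued = generate_token(cfg["user"], cfg["password"], TOKEN_TTL_SECONDS)
        upstream_url = append_token(upstream_url, issued["token"])
    # Only the response body goes back to the client: the token stays here.
    return fetch(upstream_url)


def handle(cookies, target_url, fetch):
    """HTTP-style wrapper returning (status, body) so refusals are visible."""
    try:
        return 200, proxy_request(cookies, target_url, fetch)
    except ProxyError as err:
        return err.status, str(err)


if __name__ == "__main__":
    seen = []

    def record(url):
        seen.append(url)
        return b"{}"

    print(handle({"session": "sess-7f3a"},
                 "https://maps.example.test/ArcGIS/rest/services/Roads/MapServer/export?f=json",
                 record))
    print("upstream URL carried a token:", "token=" in seen[-1])
    print(handle({}, "https://maps.example.test/ArcGIS/rest/services/Roads/MapServer", record))
```

The ordering of the checks matters: authentication and the known-server lookup both fail before any credentials are read or any token is minted, so an anonymous caller cannot make the proxy spend tokens or probe which servers it knows. Because the token is attached on the proxy side and only the response body is returned, nothing reaches the browser that could be lifted into a referer-spoofing proxy of the kind slides 33 to 35 describe, and a one-second expiry limits the damage even if a server log leaks a URL.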
