The document discusses building secure applications using ArcGIS Server, focusing on authentication methods such as Windows authentication and token-based authentication. It outlines the importance of managing tokens, configuring proxies for secured service access, and emphasizes the need to treat security with caution. Various configuration tips, risks involved, and resources for reference are provided throughout the text.

1. Building Secure Apps
Dave Bouwman
http://www.flickr.com/photos/heraklit/169566548

3. NOT Server
Configuration 101

4. Emergency Response
workflow application
multi-service “mash-up”
ESRI JS API + Dojo
ArcGIS Server 9.3 REST

5. Report!

6. Human Impacts
http://www.flickr.com/photos/pedrosimoes7/393217457

7. Material Impacts
http://www.flickr.com/photos/kenneth_hynek/3844780152

8. Wx Events

9. Real-Time Wx

11. Plume Modeling

13. Ad-Hoc Incidents

15. Data Catalog

16. Standard Layers Incident Layers
Local or Remote AGS Local or Remote AGS
Tiled or Dynamic Dynamic
Bitmap or Geometry Geometry
Public or Secured Public or Secured
All configured via admin tools.

23. Security:

24. Secrets

25. Place
Server Here

26. Identity Access

28. LOGIN: dave
PASSWORD: ******

31. Get Config
JS Starter Kit Config.json
IIS

32. Identity
Matters

33. Get Config
JS Starter Kit* Config
ASP.NET MVC

34. Locking up ArcGIS Server

35. A
AD
B
AD
CAD
Multi-Agency

36. Windows Authentication
AGS
IIS
AD

37. HTTP Basic/Digest
dave
*******
AGS
IIS
AD

38. Token-based Authentication
Credentials
AGS
Token
Request + Token
Response
Store

40. HTTP is stateless
Zen of Tokens
Credentials
Credentials
Credentials
Credentials
Credentials
Credentials
Credentials
Credentials

41. Zen of Tokens
dave
******* = long risk
high life

42. Zen of Tokens dave
*******
T + Expiration
+ stuff*

46. “HTTP Referer”

47. Get Page
Html
Get Config
Config + Token
Request + Token
Response
WARNING! ----------DO NOT DO THIS! ------- WARNING !

51. Zen of Tokens
T =
dave
*******

52. HTTP is stateless
Zen of Tokens
Token
Token
Token
Token
Token
Token
Token
Token

53. Spoofing Referer Headers 101
1) Setup a simple JSAPI Page
2) Configure it to force all requests through a proxy
3) Get the PHP Proxy for ArcGIS Server
4) Change two lines

54. proxy.php
$serverUrls = array(
array( 'url' => 'http://server.arcgisonline.com/ArcGIS/rest/services/',
'matchAll' => true,
'token' => ''),
array( 'url' => 'http://maps.mysite.com/ArcGIS/rest/services',
'matchAll' => true,
'token' => 'someBigUGLYlongStringThatIsYourTOKENYo')
);

55. proxy.php
$options = array(
CURLOPT_URL => $targetUrl,
CURLOPT_HEADER => false,
CURLOPT_HTTPHEADER => array(
'Content-Type: ' . $_SERVER['CONTENT_TYPE'],
'Referer: ' . ‘http://mysite.com/maps.html’),
CURLOPT_RETURNTRANSFER => true );

56. Zen of Tokens
Exposed
tokens
MUST quickly!
expire

57. Hiding Tokens behind a Proxy

58. PROXY
Credentials
AGS
Request Token
Response
Request + Token
Response
Credentials

59. Out of the Box Get Token From Config File
Add Token to URI
Proxy Logic Create WebRequest
Return output stream
<!-- serverUrl options:
url = location of the ArcGIS Server, either specific URL or stem
matchAll = true to forward any request beginning with the url
Not Implemented! token = (optional) token to include for secured service
dynamicToken = if true, gets token dynamically with username and
password stored in web.config file's appSettings section.
-->

60. PROXY++
Credentials
AGS
Request Token
Response
Request + Token
Response
Credentials

61. EMSAM
Check Authentication (cookies)
Proxy Logic Check Server is “known” (db)
Check if server is secured (db)
If YES Get credentials (config)
Get Token (1 second expiry)
Append Token to URI
Create WebRequest
Return Output stream

62. PROXY++
Credentials
AGS
Request Token
Response
Request + Token
Response
Credentials

63. https://

64. PROXY
E Request D
D Response E

65. KC AGS
KC AGS HTTPS
KC AGS
ArcGIS Online
PROXY
E Request D
D Response E

66. End user does not know AGS credentials
Check List No Exposed Tokens (spoofing)
User Short Term Tokens (one request)
Limited AGS Security Accounts
All client transactions across HTTPS
Access to remote, secured AGS over HTTPS
All “Easily” Configured

67. Secure!

68. %
90
increase

70. Everything is
a tradeoff.
http://www.flickr.com/photos/ericmcgregor/103895441

71. Think like a hacker.

72. https://

73. Questions?

74. It’s not secure
until it’s secure.

75. Credentials
Token
PROXY
Credentials
Token
Credentials
Token

76. Remote
AGS
Service Harvesting

77. Remote
AGS
PROXY
E Request D
D Response E

78. HTTP 404:
Resource Not
Found

79. The best laid plans…
http://www.flickr.com/photos/ericmcgregor/103895441

82. http://attcv-agsms.esri.com/ArcGIS/rest/services/CoverageMap/MapServer/export?
token=dnLqp8eAGIGdr7IZN0vSPYAqjCVMCG8P9faDPgDucR5OHgxBbBdJjqqLvjnk9B6p

83. http://www.wireless.att.com/coverageviewer/js/com/esri/app/esriConfig.js

89. Referer Header

92. ArcGIS Server

93. GIS Application
Request
Response ArcGIS
Server
Request
Response

94. Geo-Enabled Web App…
Request ArcGIS
Server
Response
Request Web App
Server
Response

95. Default: Open

96. Dude… I’s tryin to be cool
here - where are tokens??

97. Locking the Door

98. What’s the secret?

99. http://www.flickr.com/photos/nige_mar/4322149444

100. Locking it up.

101. Windows Authentication
HTTP Basic/Digest
Token-based Authentication

103. Request
Response

104. Credentials
Token
Request + Token
Response

105. Get Page
Html
Get Config.js
Config + Token
Request + Token
Response