Securing the ArcGIS Spatial Data Server service administration URL in Apache Tomcat

You can alter the server.xml, tomcat-users.xml, and web.xml Apache Tomcat files to allow specific users to administer and view services through the ArcGIS Spatial Data Server URLs.

Tip:

Additionally, you should always use Secure Sockets Layer (SSL) connections to your sites in production environments. See the Apache Tomcat documentation for information on configuring this.

Be aware that the entire catalog of services running within a spatial data server site cannot be filtered based on users and roles; they all will be visible to anyone who browses the catalog.

If you configure Tomcat authentication for your site, a dialog box is presented to users the first time they browse to an administrative URL of a secure spatial data server instance or secure service URL, and they must provide a user name and password to gain access. Once the correct credentials are provided, users can browse to all the URLs for the duration of the web session.

There are different authentication methods you can set for Tomcat, which you specify with the auth-method element in the web.xml file. See Tomcat's documentation for information on how to implement these various methods.

Altering server.xml

Add a Realm nested component inside the Engine, Host, or Context container in the $CATALINA_HOME/conf/server.xml file to enable a security realm for your Tomcat instance.

In this example, the Tomcat default realm is enabled using a MemoryRealm:

<Realm className="org.apache.catalina.realm.MemoryRealm" />

MemoryRealm should only be used for development web applications. There are other Realm implementations you can use for production web applications. See the Tomcat documentation on configuring a realm for more information.

Altering tomcat-users.xml

Add entries that declare roles and the users who belong to those roles.

In the following example, two roles and three users are defined, and users are assigned to the roles:

<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcatu" password="TCyoosir" roles="tomcat"/>
<user username="superu" password="2$3cr3t" roles="tomcat,role1"/>
<user username="user1" password="Y00zR0n3" roles="role1"/>

Altering web.xml

The ArcGIS 10.1 Spatial Data Server for Java is installed as a web application archive (.war)—arcgis.war—which is a Java archive (.jar) file used to distribute a collection of JavaServer Pages, Java Servlets, Java classes, XML files, static HTML web pages, and other files that together constitute a web application.

The web.xml file is part of the arcgis.war file. To alter it, you must do the following: extract the war file, edit web.xml, then repackage the war file. Install the JDK so you can extract and repackage the war file.

Steps:
  1. Make a backup copy of the arcgis.war file.

    Store the backup copy in a directory outside $CATALINA_HOME.

  2. Extract (uncompress) the arcgis.war file.
  3. Add a security-constraint element and subelements to the web.xml file.

    In the following example, users who browse to the /admin/* URL of the spatial data server are prompted for a user name and password. The user must provide the credentials of one of the two users assigned to the tomcat role in the tomcat-users.xml file. For this example, when making an administer or publish connection from ArcGIS for Desktop to the spatial data server, the user name and password of either the tomcatu or superu user must be provided.

    <security-constraint>
       <display-name>Restricted GET and POST To tomcat users of ADMIN</display-name>
       <web-resource-collection>
          <web-resource-name>Restricted Access - Get Only</web-resource-name>
          <url-pattern>/admin/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
          <role-name>tomcat</role-name>
       </auth-constraint>
       <user-data-constraint>
          <!-- NONE leaves the connection unencrypted; CONFIDENTIAL requires the SSL connector described in the Tip above -->
          <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
    </security-constraint>
    <login-config>
       <auth-method>DIGEST</auth-method>
       <realm-name>default</realm-name>
    </login-config>

    The DIGEST authentication method is specified with the <auth-method> subelement in the preceding example. The other methods you can specify with this subelement are BASIC and FORM, but both send passwords in plain text.

  4. Save and close the web.xml file.
  5. Repackage the arcgis.war file.

    The file must be named arcgis.war.
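As an added check, not code from the Esri page, the following script cross-references the edited web.xml against tomcat-users.xml: it lists which users can reach the /admin/* URL (tomcatu and superu for the page's example) and flags the settings the Tip and step 3 warn about. The `audit` and `kids` functions are hypothetical helpers, and both XML samples are constructed copies of the page's fragments wrapped in their root elements.

```python
# Added example, not code from the Esri page: cross-check an edited web.xml and
# tomcat-users.xml, list which users can reach the protected URL, and flag
# settings that still weaken the setup. Both inputs below are constructed.
import xml.etree.ElementTree as ET

WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <web-resource-name>Restricted Access</web-resource-name><url-pattern>/admin/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint><login-config><auth-method>DIGEST</auth-method></login-config></web-app>"""

USERS_XML = """<tomcat-users><role rolename="tomcat"/><role rolename="role1"/>
  <user username="tomcatu" password="x" roles="tomcat"/>
  <user username="superu" password="x" roles="tomcat,role1"/>
  <user username="user1" password="x" roles="role1"/></tomcat-users>"""

def kids(elem, name):
    """Direct children with local tag name `name`; ignores the xmlns a real web.xml carries."""
    return [c for c in elem if c.tag.split("}")[-1] == name]

def audit(web_xml, users_xml, path="/admin/*"):
    """Return the roles and users admitted to `path` plus a list of weaknesses found."""
    web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    roles, methods, guarantee = set(), set(), "NONE"
    for sc in kids(web, "security-constraint"):
        for wrc in kids(sc, "web-resource-collection"):
            if path not in [p.text for p in kids(wrc, "url-pattern")]:
                continue
            methods |= {m.text for m in kids(wrc, "http-method")}
            roles |= {r.text for ac in kids(sc, "auth-constraint") for r in kids(ac, "role-name")}
            for tg in [t for udc in kids(sc, "user-data-constraint") for t in kids(udc, "transport-guarantee")]:
                guarantee = tg.text
    auth = [m.text for lc in kids(web, "login-config") for m in kids(lc, "auth-method")]
    declared = {r.get("rolename") for r in kids(users, "role")}
    allowed = sorted(u.get("username") for u in kids(users, "user")
                     if roles & set(u.get("roles", "").split(",")))
    issues = []
    if not roles:
        issues.append("no auth-constraint covers " + path)
    if roles - declared:
        issues.append("roles not declared in tomcat-users.xml: %s" % sorted(roles - declared))
    if methods:  # listing http-method elements limits the constraint to those methods only
        issues.append("only %s constrained; other HTTP methods are not covered" % sorted(methods))
    if guarantee != "CONFIDENTIAL":
        issues.append("transport-guarantee %s: use CONFIDENTIAL with an SSL connector" % guarantee)
    if auth != ["DIGEST"]:
        issues.append("auth-method %s is not DIGEST; BASIC/FORM send the password in clear" % auth)
    return {"roles": sorted(roles), "users": allowed, "issues": issues}
```

Run `audit(WEB_XML, USERS_XML)` on the samples: it admits tomcatu and superu only and reports two issues, the unencrypted transport and the method list that leaves other HTTP methods uncovered.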

Restarting Tomcat

After altering all the XML files, do the following:

Steps:
  1. Stop the Tomcat server.
  2. Delete the Tomcat server cached files.

    These can be found in $CATALINA_HOME/work or $CATALINA_HOME/temp. You can delete all directories and files under these directories.

  3. Copy the altered arcgis.war file into the directory $CATALINA_HOME/webapps/.
  4. Restart Tomcat.
7/19/2012