Common Security PassThrough

Purpose
This sample demonstrates how to pass the browser user's identity to the map service used in the Web application. ArcGIS Server Manager (Manager) allows the creation of secure Web applications that require a login and secure geographic information system (GIS) services that require user credentials. The identity for the Web application is typically set separately from the identity for the GIS service used in the application. Usually, the identity for the GIS service is set at design time and is fixed for all users. This sample, however, passes the end user's identity to the map service used in the application. If the end user is permitted for the map service, the map draws normally. If the user has not been granted permission, no map draws. Instead, a message displays noting that the user does not have access to the service.
This sample contains three Web applications for each language. Each application uses a different type of connection to the server, has a different location for user accounts, and has a different approach to logins. You can install any one or all of the following applications (the <language> variable can be CSharp or VBNet):
  • SecurityPassThrough_Forms_<language>—Uses an ArcGIS for Server Internet connection to the map service. Users of this application are stored in a Microsoft Structured Query Language (SQL) Server database or a custom location based on a custom .NET provider. Users log in to the application from a login form on a Web page (login.aspx). This approach can be used in applications made available over the Internet or on internal networks. This application stores the user's login information from the login page in the application's session. When the main page (default.aspx) loads, the application applies the login information to the identity for the map resource.
  • SecurityPassThrough_Win_<language>—Uses an ArcGIS for Server local connection to the map service. Users of this application have Windows accounts on the local Web server or on the domain to which the server belongs. Users must also be members of the agsusers group on the server to view the map service. Users log in through a pop-up login prompt or (in some cases) are automatically logged in. This approach is normally used for Web applications on internal networks.



    This application uses impersonation to set the identity of the application. This identity is set in the Global.asax file, so that impersonation is applied to all cases where a local connection to the GIS server is used. A local connection is made in the Default.aspx page and the MapHandler, which serves map images to clients.



    The Global.asax Application_PreRequestHandlerExecute method performs impersonation for both cases. Impersonation is undone in the Application_EndRequest method, an important step for security reasons. Impersonation is done dynamically, rather than set in web.config, to improve security when using impersonation.
  • Common_SecurityPassThrough_WinInternet_<language>—Uses an ArcGIS for Server Internet connection to the map service. Users of this application have Windows accounts on the local Web server or on the domain to which the server belongs. To view the map service, users must also be members of a role that has been permitted for the service in Manager. Users log in through a pop-up login prompt or (in some cases) are automatically logged in. This approach is typically used for Web applications on internal networks and can be used as of version 9.3.1.



    This application uses impersonation to set the identity of the application. To show a different pattern, the impersonation is done in the ImpersonationModule.cs HttpModule. This module can easily be reused in other applications by adding it and the reference in the web.config, under the &lt;modules&gt; section. The Web application makes an Internet (Web service) connection to the GIS service. The identity value is removed from the MapResourceItem; instead, the Application Developer Framework (ADF) uses the current thread identity, which is the impersonated user's identity, to connect to the service.
The SecurityPassThrough_Forms_<language> and SecurityPassThrough_WinInternet_<language> applications require that security be enabled for services on the ArcGIS for Server system. SecurityPassThrough_Forms_<language> requires that the location for users and roles be set to SQL Server or a custom provider. SecurityPassThrough_WinInternet_<language> requires that the users and roles be set to Windows users and groups. Because they require different user and role stores, SecurityPassThrough_Forms_<language> and SecurityPassThrough_WinInternet_<language> cannot be run on the same system without reconfiguring the user and role store location. For more information on configuring security for services, see Internet security overview.

How to use

If the sample has associated data, you will find that the sample's zip file includes a "data" folder alongside the language folders. However, you will need to update the sample to point to the location of the data once you have extracted all the files.

At design time
  1. Verify that the Web ADF for the .NET Framework is installed and functioning properly. For information on installing and configuring the Web ADF, consult the installation guide.
  2. To use the SecurityPassThrough_Forms_<language> sample, use Manager to configure security. Set the user location to either SQL Server or a custom provider. Configure a service with permissions for roles so that a user in the system can access the service, while another user is not permitted to use the service. For more information, see the topic, "Internet security overview" in the ArcGIS for Server Help.
  3. To use the SecurityPassThrough_WinInternet_<language> sample, use Manager to configure security to Windows users and groups. Configure permissions for roles so that a user in the system can access the service, while another user is not permitted to use the service.
  4. In Windows Explorer, navigate to <ArcGIS Developer Kit install location>\Samples\ServerNET\Common_SecurityPassThrough.
  5. Open the folder of the language you are going to use (that is, CSharp or VBNet) and copy the Common_SecurityPassThrough_<language> folder to c:\inetpub\wwwroot. The <language> variable can be CSharp or VBNet.
  6. Open the IIS Manager from Control Panel, Administrative Tools, Internet Information Services (IIS) Manager, or Internet Information Services.
  7. In the console tree view on the left, navigate to Local Computer, Web Sites, Default Web Site. Expand Default Web Site to show the folders and applications in IIS, and set the Web site as an application in IIS Manager.
  8. Based on your operating system (OS), follow Step 9 or 10 for each of the sample applications (SecurityPassThrough_Forms_<language>, SecurityPassThrough_Win_<language>, and SecurityPassThrough_WinInternet_<language>) extracted from the Zip file.
  9. If your OS is Windows XP, Server 2000, or Server 2003, right-click the sample application folder (SecurityPassThrough_Forms_<language>, SecurityPassThrough_Win_<language>), or SecurityPassThrough_WinInternet_<language>) and click Properties. The Properties dialog box appears. Click the Create button in the Application Settings section, then click OK to close the Properties dialog box. Repeat for the other application folders if you extracted multiple samples.
  10. If your OS is Windows Vista, Windows 7, or Windows Server 2008, right-click the sample application folder (SecurityPassThrough_Forms_<language>, SecurityPassThrough_Win_<language>), or SecurityPassThrough_WinInternet_<language>) and click Convert to Application. The Add Application dialog box appears. Click OK. Repeat this step for the other application folders if you extracted multiple samples.
  11. To use the SecurityPassThrough_Win_<language> or SecurityPassThrough_WinInternet_<language> application, set the authentication method in IIS Manager by following the steps in the "Set authentication (Windows XP, Server 2000, or Server2003)" section or in the "Set authentication (Windows Vista, Windows 7, or Windows Server 2008) section (depending on your OS). If you select the Integrated Windows (or Windows) authentication option, users who access the application with Internet Explorer on a local network are automatically logged in without a login prompt. See the ArcGIS for Server Help for information on authentication methods, as well as the "Additional information" section in this sample.
  12. Start Visual Studio 2010.
  13. To use the SecurityPassThrough_Forms_<language> sample application, see the following "Use SecurityPassThrough_Forms_<language>" section.
  14. To use the SecurityPassThrough_Win_<language> sample application, see the "Use SecurityPassThrough_Win_<language>" section.
  15. To use the SecurityPassThrough_WinInternet_<language> sample application, see the "Use SecurityPassThrough_WinInternet_<language>" section.

Set authentication (Windows XP, Server 2000, or Server2003)
  1. Right-click the SecurityPassThrough_Win_<language> or SecurityPassThrough_WinInternet_<language> application, and click Properties. The properties dialog box appears.
  2. Click the Directory Security tab, and click the Edit button in the Anonymous access and authentication control area. The Authentication Methods dialog box appears.
  3. Clear the Anonymous access check box, select one of the methods under Authenticated access, then click OK twice to close both dialog boxes.

Set authentication (Windows Vista, Windows 7, or Windows Server 2008)
  1. Click the SecurityPassThrough_Win_<language> or SecurityPassThrough_WinInternet_<language> application, and double-click the Authentication item on the right side of IIS Manager. The Authentication panel appears.
  2. Right-click Anonymous Authentication and click Disable.
  3. Enable at least one of the Basic, Digest, or Windows authentication options.

Use SecurityPassThrough_Forms_<language>
  1. Open the Common_SecurityPassThrough_<language><vs_version> solution (for example, Common_SecurityPassThrough_CSharp2010.sln) located in c:\inetpub\wwwroot\Common_SecurityPassThrough_<language>.
  2. In the Solution Explorer, expand the SecurityPassThrough_Forms_<language> Web site, right-click Default.aspx, and select Set As Start Page.
  3. Open the Default.aspx page in Design view, open the properties window for the MapResourceManager control, and click the ellipsis next to the ResourceItems property. The ResourceItem Collection Editor dialog box appears.
  4. Add or change the MapResourceItem to an ArcGIS for Server map service available on your site using an ArcGIS for Server Internet connection to the map service. This application will not function correctly with a local connection.
  5. Open the web.config file.
  6. In Visual Studio, click File, click Open, click File, and open the c:\inetpub\wwwroot\ArcGIS\Security\web.config file.
  7. Copy and paste the <roleManager> and <membership> sections from the web.config file in the Security folder to the same location in the web.config file in the current application, and replace any existing sections of the same name. Copy the whole section, including closing tags (for example, </roleManager>).
  8. Copy the <connectionStrings> section if present. If you configured a custom provider for ArcGIS for Server security, copy any custom settings, such as those in the <appSettings> section.
  9. Save the project.
  10. Click the Debug drop-down menu and click Start Debugging.
  11. Run the application by following the steps in the "Run SecurityPassThrough_Forms_<language>" section.

Run SecurityPassThrough_Forms_<language>
  1. Browse to the viewer uniform resource locator (URL), for example, http://localhost/Common_SecurityPassThrough_CSharp/SecurityPassThrough_Forms_CSharp). The login.aspx page appears.
  2. Enter a login for a user who is on the ArcGIS server but who is not a member of a role permitted for the service. The user is logged in and the Default.aspx page appears; however, no map or TOC displays, and a note appears indicating that the user is not permitted for the service.
  3. Click Log Out. The application returns to the login page.
  4. Enter a login for a user who is in a role that is permitted for the service. The Default.aspx page appears, including the map and TOC. This confirms that the end user's identity was used to determine access to the map service.

Use SecurityPassThrough_Win_<language>
  1. Open the Common_SecurityPassThrough_<language><vs_version> solution (for example, Common_SecurityPassThrough_CSharp2010.sln) located in c:\inetpub\wwwroot\Common_SecurityPassThrough_<language>.
  2. In the Solution Explorer, right-click Default.aspx, and select Set As Start Page.
  3. Open the Default.aspx page in design view, open the properties window for the MapResourceManager control, and click the ellipsis next to the ResourceItems property. The ResourceItem Collection Editor dialog box appears.
  4. Add or change the MapResourceItem to an ArcGIS for Server map service available on your site using an ArcGIS for Server local connection to the map service. This application will not function correctly with an ArcGIS for Server Internet connection. Do not add an ArcGIS identity or otherwise set the identity of the application. The application passes the browser user's identity to the map service.
  5. Save the project.
  6. Click the Debug drop-down menu and click Start Debugging.
  7. Run the application by following the steps in the "Run SecurityPassThrough_Win_<language>" section.

Run SecurityPassThrough_Win_<language>
  1. Browse to the viewer URL (for example, http://localhost/Common_SecurityPassThrough_CSharp/SecurityPassThrough_Win_CSharp).
  2. If you are using Internet Explorer and are on the local network of the server, you are automatically logged into the site; otherwise, log in at the pop-up command prompt.
  3. If your account is the agsusers group on the server, the map and TOC display. If not permitted, a message indicating that the service might not be accessible displays. (The connection can also fail due to the service being down or network problems.)
  4. To see the opposite result from what you saw in the previous step, close and reopen a browser as a different user who is or is not in the agsusers group on the server. If you are using Internet Explorer, start the browser as a different user with the Runas command. In Windows XP or Server 2003, right-click a shortcut, click Runas, and add another user's login. On Windows Vista, Windows 7, or Windows Server 2008, use Runas at the command line to start a browser, or download and install the ShellRunas utility from Microsoft.
  5. If no map draws and no error message displays, ensure that you are running the application through IIS (for example, http://localhost/Common_SecurityPassThrough_CSharp/SecurityPassThrough_Win_CSharp), rather than through the Visual Studio built-in server (a port number appears in the URL when using the built-in server). The events in Global.asax do not occur properly with the built-in server, so the impersonation for the MapHandler is not performed correctly.

Use SecurityPassThrough_WinInternet_<language>
  1. Open the Common_SecurityPassThrough_<language><vs_version> solution (for example, Common_SecurityPassThrough_CSharp2010.sln) located in c:\inetpub\wwwroot\Common_SecurityPassThrough_<language>.
  2. In the Solution Explorer, right-click Default.aspx, and select Set As Start Page.
  3. Open the Default.aspx page in design view, open the properties window for the MapResourceManager control, and click the ellipsis next to the ResourceItems property. The ResourceItem Collection Editor dialog box appears.
  4. Add or change the MapResourceItem to an ArcGIS for Server map service available on your site using an ArcGIS for Server Internet connection to the map service. This application will not function correctly with an ArcGIS for Server local connection.
  5. Click the ellipsis button on the Identity line to add a login for a user who has permissions on a secured service, click the ellipsis button on the Resource line to select a secured service, then click OK to close the dialog box.
  6. Click the MapResourceManager control to select it, then switch to the source view of the default.aspx page by clicking the Source tab at the bottom of the Visual Studio window. The MapResourceManager settings are highlighted.
  7. Find the Definition string for the map resource you previously added, locate the Identity portion, and remove the encrypted string so that the Identity portion reads as, Identity="".
  8. Save the project and all changes.
  9. Click the Debug drop-down menu and click Start Debugging.
  10. Run the application by following the steps in the "Run SecurityPassThrough_WinInternet_<language>" section.

Run SecurityPassThrough_WinInternet_<language>
  1. Browse to the viewer URL (for example, http://localhost/Common_SecurityPassThrough_CSharp/SecurityPassThrough_WinInternet_CSharp).
  2. If you are using Internet Explorer and are on the local network of the server, you are automatically logged into the site; otherwise, log in at the pop-up command prompt.
  3. If your account is a group that was permitted for the service in Manager, the map and TOC display. If not permitted, a message indicating that the service might not be accessible displays. (The connection can also fail due to the service being down or network problems.)
  4. To see the opposite result from what you saw in the previous step, close and reopen a browser as a different user who is or is not in the permitted group for the service. If you are using Internet Explorer, start the browser as a different user with the Runas command. In Windows XP or Server 2003, right-click a shortcut, click Runas, and add another user's login. On Windows Vista, Windows 7, or Windows Server 2008, use Runas at the command line to start a browser, or download and install the ShellRunas utility from Microsoft.

Additional information

  • Impersonation and delegation with distributed installations—If your Web server, (ArcGIS for Server) server object manager (SOM) and server object container (SOC) are installed on different computers, you might encounter an issue with delegation when using this sample. For example, assume the user is on computer A and connects to the Web application on computer B. The application on computer B impersonates the end user, which means the application takes on the identity of the user. The application then connects to the ArcGIS for Server service (SOM or SOC) on computer C, but because of security restrictions, computer B is not allowed to use the remote user's identity when connecting to other computers. Computer B cannot use the correct credentials when connecting to computer C. Consequently, the application fails. This failure occurs if the authentication method on the Web application is set to Integrated Windows or Digest authentication. If the authentication method is Basic, the connection is successful because the server has access to the user's password. Although it is possible to configure delegation on the servers, this configuration is not supported because of the nature of the Distributed Component Object Model (DCOM) connection made to the SOM or SOC machine.


Common_SecurityPassThrough_CSharp\SecurityPassThrough_Forms_CSharp\Default.aspx User interface (UI) for the Web application.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_Forms_CSharp\Default.aspx.cs
(view code)
 Code behind the UI.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_Forms_CSharp\Login.aspx UI for the login page.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_Forms_CSharp\Login.aspx.cs
(view code)
 Code behind the login page.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_Win_CSharp\Default.aspx UI for the Web application.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_Win_CSharp\Default.aspx.cs
(view code)
 Code behind the UI.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_WinInternet_CSharp\Default.aspx UI for the Web application.
Common_SecurityPassThrough_CSharp\SecurityPassThrough_WinInternet_CSharp\Default.aspx.cs
(view code)
 Code behind the UI.
Download the C# files
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Forms_VBNet\Default.aspx User interface (UI) for the Web application.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Forms_VBNet\Default.aspx.vb
(view code)
 Code behind the UI.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Forms_VBNet\Login.aspx UI for the login page.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Forms_VBNet\Login.aspx.vb
(view code)
 Code behind the login page.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Win_VBNet\Default.aspx UI for the Web application.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_Win_VBNet\Default.aspx.vb
(view code)
 Code behind the UI.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_WinInternet_VBNet\Default.aspx UI for the Web application.
Common_SecurityPassThrough_VBNet\SecurityPassThrough_WinInternet_VBNet\Default.aspx.vb
(view code)
 Code behind the UI.
Download the VB.NET files

Download the files for all languages

See Also:

Internet security overview
ShellRunas v1.01