Securing ArcGIS Server for the Microsoft .NET Framework

Bryan Baker
Kevin Doshier
ESRI

UC 2007 Tech Sessions


Agenda

• Security overview
• Security in IIS and ASP.NET
• Securing ArcGIS Server services
• Web application security
• Looking ahead to 9.3

ArcGIS Server 9.2

• Complete and integrated server-based GIS
• Out-of-the-box applications and services
• Tremendous developer opportunities

Diagram: ArcGIS Server (spatial data management, visualization/mapping, spatial analysis) serving web mapping applications, ArcGIS Mobile, ArcGIS Explorer and ArcGIS Desktop clients, with Java and .NET developer components.

Security Overview

• Security tasks
  – Physical security
  – Operating system security – accounts, updates, viruses, spyware, etc.
  – Code security
    • SQL injection, cross-site scripting, command execution, etc.
  – Network security
    • Integrity
    • Confidentiality
  – Access to services and applications (the topic of this session)
    • Authentication and authorization

Security Overview

• At ArcGIS Server 9.2, you configure security using standard ASP.NET options
  – ArcGIS Server 9.2 security = ASP.NET 2.0 security
  – No specific security tools are built into 9.2
• ArcGIS Server 9.3 will have security management tools
  – But it will still use ASP.NET security

Security Overview

• Demo: two secured Web applications

Security in ASP.NET

• Access to web resources in ASP.NET is controlled by:
  1. Internet Information Services (IIS)
     – IIS receives all requests from Web clients
     – IIS performs some security checks
     – Some requests are handled by IIS itself
       • Images (.jpg, .png), HTML files (.htm), JavaScript files (.js), etc.
       • Because IIS serves these files without involving ASP.NET, the ASP.NET authorization rules in web.config do not protect them unless their extensions are mapped to ASP.NET
     – Requests for ASP.NET resources (.aspx, etc.) are passed to ASP.NET
  2. ASP.NET
     – Additional security checks
     – May include a login web page (Forms authentication)

IIS and ASP.NET security

• A request (e.g., http://arcgisserver/app1/default.aspx) must pass several checks before access is granted
  – A single failure causes the request to fail

Flowchart: User → ArcGIS Web server
  1. IIS
     – IP address permitted? (Fail → access denied)
     – User authenticated (or anonymous access permitted)? (Fail → access denied)
     – File permissions OK? (Fail → access denied)
  2. ASP.NET
     – Forms authentication OK? (Fail → access denied)
  All checks OK → access granted

• You can control access by one or more of these methods
• We'll focus on
  1. Windows authentication
  2. Forms authentication

Securing ASP.NET Web applications

• Two main options
  – Windows authentication
    • IIS controls access
    • Users have Windows accounts
    • Users see a popup login form (usually)
    • Typically used on intranets
  – Forms authentication
    • ASP.NET controls access
    • Accounts are usually in a database or file
    • Users log in with a form on a web page
    • Used on the Internet and on intranets

Authentication vs. authorization

• Authentication
  – Verifying who you are
  – Like obtaining your conference badge
• Authorization
  – Determining what you can access
  – Like whether you can enter certain workshops or exhibits

Securing ArcGIS Server services

• Two ways to connect to ArcGIS Server services
  1. Local connection
     – Works only on intranets
     – Access to all server functionality
  2. "Internet" connection = Web service connection
     – Works on intranets and over the Internet
     – Subset of the capabilities of a local connection

ArcGIS local connections

• Server Object Manager (SOM)
  – Controls access to the GIS server
• Connect to the SOM using DCOM
  – DCOM = Microsoft technology for distributed COM components
    • Uses TCP/IP but not HTTP
    • Does not use the Web server for connections
    • Uses a range of TCP ports
• This was the only connection option at 9.1

Diagram: Client (ArcCatalog, etc.) connects over DCOM to the Server Object Manager, which manages the Server Object Container on the GIS server.

Securing local connections to ArcGIS Server

• DCOM access is controlled by the operating system
  – Uses Windows accounts
• Connections are allowed to two groups
  – agsusers – members can use services
  – agsadmin – members can use and administer services
• To enable a local connection to ArcGIS Server:
  – Add the user's account to the agsusers or agsadmin group
  – The desktop application must run as a user in agsusers/agsadmin
    • ArcCatalog, ArcMap, ArcGIS Explorer
    • Use Run as... if necessary
  – Add a connection to the server

Demo: Securing Local Connections

Using a local connection in a Web application

• Web applications may use local connections
  – Editing applications
  – Custom ArcObjects-based applications
• The Web application must run as a member of the agsusers/agsadmin group
  – The Web application impersonates this user
  – The user's login is encrypted in web.config
• Enabling impersonation
  – In Manager
    • Uses the account of the Manager user by default
    • Change the account if necessary
  – In Visual Studio
    • Use the Add ArcGIS Identity tool

Screenshots: Manager; Visual Studio

ArcGIS Web services

• Enables connecting to a GIS service as a standard Web service (SOAP)
  – Exposes a subset of service functionality
    • Map service: extent, layer visibility, graphics, etc.
    • No symbology changes, dynamic layers, editing or fine-grained ArcObjects
• ArcGIS Web services
  – By default at http://<myserver>/arcgis/services
  – Use a local connection to ArcGIS Server behind the scenes
    • Configured during post-installation
    • Identity is stored in services.config

Diagram: Client (ArcCatalog, etc.) → Internet (HTTP) → ArcGIS Server Web services → DCOM → Server Object Manager → Server Object Container (ArcGIS Server)

Securing ArcGIS Web services

• ArcGIS Web services are an ASP.NET application
  – Each service has its own unique URL
    • http://<myserver>/arcgis/services/<myservice>/MapServer
• Use the standard approach for ASP.NET security
  – Require authentication
    • Disable anonymous access in IIS Manager
    • Uses Windows authentication
      – Can't have a form login for a Web service
      – Windows accounts in agsusers/agsadmin
  – Authorize services or folders
    • Use ASP.NET <location> tags in web.config
• ArcGIS Server Help
  – http://webhelp.esri.com/arcgisserver/9.2/dotNet/manager/administration/secure_web_svcs.htm

    <location path="SecureServices">
      <system.web>
        <authorization>
          <allow roles="SecureUsers" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

Demo: Securing ArcGIS Web services

Demo review: Securing ArcGIS Web services

1. Edit web.config in C:\Inetpub\wwwroot\ArcGIS\Services
   – Add <authorization> element(s)
   – Root-level access to all services
   – Folder- or service-level access via a <location> element (as in the <location path="SecureServices"> example on the previous slide)
2. IIS Manager
   – Deny anonymous users to /ArcGIS/Services

• ArcGIS Server Help
  – http://webhelp.esri.com/arcgisserver/9.2/dotNet/manager/administration/secure_web_svcs.htm
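As an added example (not code from the session or from ESRI), here is a complete web.config for the ArcGIS Web services application in C:\Inetpub\wwwroot\ArcGIS\Services that combines the steps above: Windows authentication, a root-level rule denying anonymous callers, and <location> rules for a folder and for a single service. The folder SecureServices and role SecureUsers are the slide's names; the service path Parcels/MapServer and the accounts CORP\gisadmin and CORP\gisanalyst are assumptions made for the example.

```xml
<?xml version="1.0"?>
<!-- Added example: C:\Inetpub\wwwroot\ArcGIS\Services\web.config (not the shipped file). -->
<configuration>
  <system.web>
    <!-- IIS authenticates the caller (anonymous access disabled in IIS Manager);
         ASP.NET then sees the caller's Windows identity. -->
    <authentication mode="Windows" />

    <!-- Root-level rule for every service under /ArcGIS/Services.
         "?" means anonymous users; authenticated users fall through to the
         machine-level default, which allows everyone ("*"). -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Folder-level rule: only the SecureUsers role may reach services in the
       SecureServices folder. Rules are evaluated top to bottom and the first
       match wins, so the allow must come before the deny. -->
  <location path="SecureServices">
    <system.web>
      <authorization>
        <allow roles="SecureUsers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Service-level rule (assumed service name): one map service limited to
       two named Windows accounts (assumed account names). -->
  <location path="SecureServices/Parcels/MapServer">
    <system.web>
      <authorization>
        <allow users="CORP\gisadmin, CORP\gisanalyst" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two checks worth making after editing: first, the order of the rules, since a <deny users="*" /> placed above the <allow> locks everyone out of the folder; second, the role names, because under Windows authentication a role is a Windows group and is matched by its qualified name (for the local agsusers group that is MACHINENAME\agsusers, where the machine name is whatever your server is called). These rules only take effect for requests IIS hands to ASP.NET, which is why step 2 (disabling anonymous access in IIS Manager) is still required so that IIS actually authenticates the caller. The same pattern, with the same <authentication> and root <authorization> elements, secures a Web ADF application under Windows authentication.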

Web application security

• Windows vs. forms authentication
• Security features in ASP.NET 2.0+
• Enabling functionality by user role

ArcGIS Server 9.2: Software Development Kit

• Build and deploy web and enterprise geospatial applications and services
• Productivity boost with out-of-the-box IDE integration
• The Software Development Kit (SDK) includes:
  – .NET components
    • Web ADF
    • Mobile ADF
  – Java components
    • Web ADF
    • Enterprise ADF

Diagram: SDK (.NET, Java, Mobile) supporting web mapping applications, ArcGIS Mobile applications, business applications and an enterprise integration environment.


Demo: Securing a Web application with Windows authentication

Demo review: securing a web application with Windows authentication

1. Open IIS Manager
2. Navigate to the web application
3. Use its Properties to
   – Disable anonymous access
   – Enable at least one other method
     • Integrated Windows
     • Basic (sends the password in clear text, so use it only over HTTPS)
     • Digest
4. Create Windows accounts if necessary

Securing Web applications with Windows authentication

• Pros
  – Easy to set up
  – Can work on all browsers
  – Can take advantage of Windows accounts
  – Similar to the login used with the ArcIMS Servlet Connector
• Cons
  – Non-customizable pop-up login box
    • User-hostile login failure page
  – More difficult to fine-tune access
  – Must maintain accounts as Windows accounts
• Usually best for intranets

Demo: Securing a web application with forms authentication

Demo review: securing a Web application using forms authentication

1. Open the website in Visual Studio 2005
2. Open ASP.NET Configuration (Web Site Administration Tool)
   – Set access to Internet (Forms)
   – Add users/roles
   – Add access rules
3. Create a login form in Visual Studio
   – Create a login.aspx page
   – Add a Login control

Forms authentication with ASP.NET 2.0

• Pros
  – Familiar login approach used in most websites
  – Easiest option for forms-based login
  – Can use SQL Server Express – no extra cost
  – Flexibility for access and roles
• Cons
  – Requires creating a login page
    • Can just use a simple page with the Login web control
  – Password is sent in the request over the network
    • Use HTTPS (SSL), especially on the Internet
  – More difficult to administer
    • The Web Site Administration Tool helps

More on Security in ASP.NET 2.0

• Securing data transmission
• Authentication vs. authorization
• Login web controls
• Membership and authentication
• Roles and authorization

Securing data and password transmission

• Problem: data and user credentials may be intercepted
  – Common login methods do not encrypt credentials
    • Forms and Basic authentication transmit them in clear text
• Use HTTPS (SSL) to secure the login
  – Acquire a server certificate from a certificate authority (CA)
  – Install the server certificate into IIS
  – Require SSL for the page or resource
  – Protecting only the login page is not enough: the Forms authentication cookie (or the Basic credentials) travels with every later request, so require SSL for the whole application or the session can be hijacked from a request sent over plain HTTP

http://msdn2.microsoft.com/en-us/library/aa302411.aspx

ASP.NET authorization

• Web.config file
  – Control access to the entire application
  – Control access by path within the application
• Examples
  – /Admin subfolder for administrators only
  – styles.css file accessible to all so the login page can use its styles
• Programmatic
  – Display or hide items within a page based on the user
  – Example
    • Basic website available to all
    • Logged-in users see additional functionality
    • Editor users can edit data

Login Web Controls

• New web controls in ASP.NET 2.0
• Easily handle login tasks
• Controls:
  – Login – standard login form
  – LoginView – page display depends on login status
  – LoginStatus – display a login/logout link on any page
  – LoginName – display the user name
  – CreateUserWizard – add a user to the database
  – ChangePassword
  – PasswordRecovery – e-mail the password to the user (when passwords are stored hashed, the control generates a new password and e-mails that instead)

Membership and Authentication

• New framework in ASP.NET 2.0
• Enables simpler Forms authentication
• Web.config stores the authentication options
  – Login page name, timeout, cookie use, SSL, etc.
  – Can modify these settings in IIS Manager too
• Works automatically with the new login web controls
• Access membership programmatically too

Screenshot: Setting Membership properties in IIS Manager

Providers for Membership Data

• Store and manage data for membership/roles
  – Typically in a database, but could be an XML file, a Windows server, ...
• SQL Server Express is the default
  – Stores data in the App_Data folder within the website
    • Each website stores separate data
    • Can copy the data (MDF file) to another website
  – SQL Server Express must be running locally to use it
• SQL Server may be used (7, 2000, 2005)
• Active Directory is also supported
• Custom providers can be created or purchased
  – Oracle, MySQL, Access, etc.
• Can use multiple providers, even within a single website
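As an added example (not from the session or from ESRI), here is a web.config for a Web ADF application under Forms authentication that brings together the points of the transmission-security, authorization, membership and provider slides: the login page, cookie protection and timeout, SQL Server Express membership and role providers with hashed passwords, and the two authorization examples (/Admin for administrators only, styles.css readable by everyone). The connection string, provider names, cookie name, application name and the role name Administrators are assumptions made for the example.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config for a Forms-authenticated Web ADF site (not the project's file). -->
<configuration>
  <connectionStrings>
    <!-- Assumed: membership and role data live in the default SQL Server Express
         database file in App_Data, as the provider slide describes. -->
    <add name="MembershipDb"
         connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\aspnetdb.mdf;Integrated Security=True;User Instance=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Unauthenticated requests are redirected to login.aspx. protection="All"
         encrypts and signs the ticket; requireSSL="true" marks the cookie Secure
         so the browser only sends it over HTTPS; the ticket expires after 30 idle
         minutes. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH_WebADF"
             loginUrl="login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- Site-wide rule: anonymous users ("?") are denied. The loginUrl page is
         exempt from URL authorization, but nothing else is. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Passwords stored as salted hashes; lockout after 5 failures in 10 minutes. -->
    <membership defaultProvider="SqlMembership">
      <providers>
        <clear />
        <add name="SqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/WebADFApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>

    <!-- Roles from the same database; not cached in a cookie, so a role change
         takes effect on the user's next request. -->
    <roleManager enabled="true" defaultProvider="SqlRoles" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb"
             applicationName="/WebADFApp" />
      </providers>
    </roleManager>
  </system.web>

  <!-- The login page needs its stylesheet before anyone has logged in. -->
  <location path="styles.css">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- /Admin subfolder for the Administrators role only (first matching rule wins). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A few consequences of these settings to keep in mind. With requireSSL="true", the Login control (which calls FormsAuthentication.SetAuthCookie) throws an HttpException if login.aspx is requested over plain HTTP, so SSL must also be required in IIS for the site; that is the intended failure mode rather than silently issuing an unprotected cookie. With passwordFormat="Hashed" and enablePasswordRetrieval="false", the PasswordRecovery control cannot mail the existing password and instead resets it and mails the new one, which is why enablePasswordReset and requiresQuestionAndAnswer are set. The explicit applicationName keeps the users and roles in the copied MDF file usable when the site is deployed under a different virtual directory, since the provider keys its rows by that name. The styles.css rule only matters when the request reaches ASP.NET (IIS 7 integrated mode or a wildcard mapping); on IIS 6, static files are served by IIS itself and never see these rules.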

Roles and Authorization

• Users can have roles – similar to account groups
• Allow access to pages and features by role
  – Web.config to set page-level access
  – Use LoginView or code within a page
  – Example: allow all users to view data, but only logged-in users may edit data
• Set up roles with the Web Site Administration Tool
• Can also access roles programmatically

Securing functionality within a website

• Access doesn't have to be all or nothing
• You may want to
  – allow anyone basic access, but more for logged-in users
  – display some functionality only to specific users
  – personalize the site based on the user's role, preferences or saved settings
• ASP.NET provides ways to do this
  – May require programming
    • E.g., restricting access to fields in a layer based on user role
  – Hiding a control in the page is not a substitute for a server-side check: the task or page that performs the operation (editing, for example) must also verify the user's role, because a request can be sent without using the page's user interface

Demo: Enabling Functionality by User Roles

Demo review: enabling functionality by user roles

• Add a LoginView control
• Add a template to the LoginView
• Add a task to the LoginView template
• Add a LoginStatus control
• Modify the properties of the EditorTask
• Add code to show the Identify tool only to logged-in users

Files edited: Default.skin (theme skin file), Default.aspx.vb (code-behind)

Default.aspx.vb:

    ' Web ADF toolbar types (Toolbar, ToolbarItem) live in this namespace
    Imports ESRI.ArcGIS.ADF.Web.UI.WebControls

    Partial Class _Default
        Inherits System.Web.UI.Page

        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            ' User is the IPrincipal of the current request (Windows or Forms identity);
            ' hide the Identify tool from anyone who has not logged in
            If Not User.Identity.IsAuthenticated Then
                Dim idTool As ToolbarItem = _
                    Toolbar1.ToolbarItems.Find("MapIdentify")
                If idTool IsNot Nothing Then
                    idTool.Visible = False
                End If
            End If
        End Sub
    End Class

Looking ahead to 9.3

• Goal: make it easier to apply security
  – Still uses standard ASP.NET security
• Configure security in Manager
  – Configure permissions for services and web applications
    • Applies native ASP.NET security
    • Supports any ASP.NET membership/role provider
      – Windows, SQL Server out of the box
  – Manage users and roles (groups)
    • If SQL Server is used to store users and roles

Looking ahead to 9.3

• Token service
  – Enhances security configuration for services and applications
    • Enables authenticating users stored in a database or other custom location
    • Provides a centralized security server for federated servers
      – Rather than duplicating users and roles across multiple servers
  – Similar to the ArcWeb Services token service
  – Client submits credentials, receives a token
  – Client uses the token for all service requests
    • As with any bearer token, whoever holds it can use it, so tokens should be exchanged and presented only over HTTPS and should expire

For more information

• ArcGIS Server Help
  – Configuring security for services
• Books on ASP.NET and security
  – General texts with chapters on security
    • Pro ASP.NET 2.0 in VB (C#) 2005 – Moroney & MacDonald – Apress, Inc.
  – Professional ASP.NET 2.0 Security, Membership and Role Management
    • Stefan Schackow – Wrox Press
  – How to Break Web Software
    • Andrews & Whittaker – Addison-Wesley
• Websites on ASP.NET
  – http://www.asp.net - Communities

Summary

• Security tasks
• Service security
  – Local connections
  – Internet (web service) connections
• Website security in ASP.NET
  – Windows authentication
  – Forms authentication
• Controlling access to functionality within a website
• ArcGIS Server 9.3 will enable configuring security in Manager

Questions?

Please fill out the session survey