Security has been a big question when it comes to ArcGIS Server. We have a number of clients asking how to go about implementing simple security with ArcGIS Server. This was never easy in the past: it required either a custom solution or IIS security. With ArcGIS Server 9.3, ESRI has addressed this issue with some great options.
Using the ArcGIS Server Manager you are now able to enable and control security. The ArcGIS Server Manager enables security for services and the APIs. ArcGIS Server 9.3 has role-based security and makes use of the ASP.NET security framework. For services there is a new token service, with service permissions stored in the SOM.
ArcGIS Server 9.3 provides many options for storing your users. Basically you can store your users anywhere. Some of the options are:
Windows users (includes domain users, if the server is attached to the domain)
Microsoft SQL Server
Custom, which includes other databases, XML files, LDAP, AD
Because the security model uses the ASP.NET membership provider framework, it is easy to extend it to use any other store. This is just a matter of acquiring another provider, setting it up and configuring ArcGIS Server to use it.
ArcGIS 9.3, as well as the other APIs, has been updated to use the new security model. ArcGIS Explorer has also been upgraded. The same security model applies for .NET and Java.
Securing services follows a Windows style of folder security.
If you are using one of the APIs and security has been enabled on the server, developers will have to request a token for use. This can be done from a web site that ESRI has supplied. Once the token is received, it can be appended to the URL in order to access the resource.
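Because the token travels in the URL, it also lands in web server logs and anywhere else the URL is recorded. The sketch below is an added example, not ESRI code: it appends a token to a service URL without duplicating or mangling the query string, and redacts tokens from log lines. The parameter name `token`, the HTTPS-only check, the host and the sample log line are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TOKEN_PARAM = "token"  # assumed query parameter name; the page does not state it


def append_token(url, token, require_https=True):
    """Return url with the token as a query parameter, replacing any old one."""
    parts = urlsplit(url)
    # A token in a URL is a bearer credential; this example refuses cleartext HTTP.
    if require_https and parts.scheme.lower() != "https":
        raise ValueError("refusing to put a token on a non-HTTPS URL")
    # Keep every existing parameter except a stale token, then add the new one.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != TOKEN_PARAM]
    query.append((TOKEN_PARAM, token))
    return urlunsplit(parts._replace(query=urlencode(query)))


# Matches token=<value> at the start of a query string, after '&', or after
# whitespace (W3C-style logs put the query in its own space-separated field).
TOKEN_RE = re.compile(r"(?i)((?:^|[?&\s])token=)[^&\s]+")


def redact_token(line):
    """Replace any token value in a URL or log line with a fixed marker."""
    return TOKEN_RE.sub(r"\1REDACTED", line)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real server.
    url = append_token(
        "https://gis.example.com/arcgis/rest/services/Parcels/MapServer?f=json",
        "abc123")
    print(url)
    print(redact_token("GET /arcgis/rest/services/Parcels/MapServer "
                       "f=json&token=abc123 200"))
```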
To summarize:
Forms authentication for web applications
Token based authentication for services. The services include SOAP, REST, OGC, KML and the others that are exposed.