
Securing Services using the Spring Framework on 10.2

11-09-2013 11:15 AM
NicCampbell
Deactivated User
I'm currently trying to use the Spring Security framework in order to provide the authentication and authorization for my organization's ArcGIS web services.  At the moment we use LDAP to secure our services but our business requirements have us looking for a more robust alternative.
I have Tomcat on a Red Hat server that is currently running the web adaptor as well as a simple Spring Security project, but I'm missing the part where I can make use of Spring to secure the web services.  The web adaptor is running at http://<web server name>/arcgis/rest/services while Spring Security is running at http://<web server name>/sampleSpringSecurity.  Spring Security does its job just fine for all paths that fall under sampleSpringSecurity, but that does me no good when it comes to securing the web adaptor.  I'm experienced with Java but my exposure to Spring has been limited and my experience with web adaptors is almost nonexistent.  Any suggestions would be greatly appreciated.

Thank You,

Nic
0 Kudos
15 Replies
NicCampbell
Deactivated User
> Just so I'm on the same page here.  You want to secure user access to making requests to your arcgis.war URL.  Or are you trying to add security to an application that consumes the arcgis.war?
>
> I ask because you have mentioned using tokens and also securing your web app down to the method level.  The method level of your application or the method level of say an ArcGIS Geometry service?


I'll be securing access to the arcgis.war URL (web adaptor).  I'll probably hold off on the token generation unless the security testing indicates there's a vulnerability.  If there is one, I'll use a token generated in arcmanager at https://myserver.example.com/arcgis/tokens/generateToken and use that token to access the ArcGIS services.  That token will be read by the Spring project and applied to the URL the user requests, provided that user has access to it.  As far as securing methods go, it would probably only be useful for SOEs.  I may be wrong though.  It might be possible to secure a method within the geometry service.
0 Kudos
LeoDonahue
Deactivated User
I'm not sure what using Spring Security "and" tokens buys you.  They both restrict access to the arcgis web services based on username/password.

You could deploy arcgis.war and enable security on it using ArcGIS Server Manager and get the same effect.  The user consuming ArcGIS Server web service would need to authenticate, and at that point, you should be under HTTPS.

This is why I asked if you are securing the ArcGIS web service or the application that consumes your ArcGIS web service.

Your app can always generate a token in the background and supply those credentials to a secure ArcGIS web service without the user of your app even knowing.  However, I get the feeling that you also want to secure the "app", which is fine - I get it, but I think your solution is trending towards unnecessary complication by fielding requests to arcgis.war via Spring Security.

Spring Security secures your app.
ArcGIS Server and possibly the web container can secure your ArcGIS Web services.
0 Kudos
NicCampbell
Deactivated User
> I'm not sure what using Spring Security "and" tokens buys you.  They both restrict access to the arcgis web services based on username/password.
>
> You could deploy arcgis.war and enable security on it using ArcGIS Server Manager and get the same effect.  The user consuming ArcGIS Server web service would need to authenticate, and at that point, you should be under HTTPS.
>
> This is why I asked if you are securing the ArcGIS web service or the application that consumes your ArcGIS web service.
>
> Your app can always generate a token in the background and supply those credentials to a secure ArcGIS web service without the user of your app even knowing.  However, I get the feeling that you also want to secure the "app", which is fine - I get it, but I think your solution is trending towards unnecessary complication by fielding requests to arcgis.war via Spring Security.
>
> Spring Security secures your app.
> ArcGIS Server and possibly the web container can secure your ArcGIS Web services.


ArcGIS Server Manager is great but it doesn't meet our business requirements.  We'll need to provide a way for hundreds of users external to our company to log in to our website.  The big catch is that depending on what type of subscription they have with us, they'll be restricted to different areas of the web services.  Yes, they could be added to various groups but that requires more manual effort than I want to put forth.  This, and other requirements I won't bore you with, rules Server Manager out as an option.
0 Kudos
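The subscription-based restriction described in the post above, sketched as an added example (not code from this thread or from Esri): a deny-by-default Spring Security filter chain that maps hypothetical subscription roles to hypothetical service folders. It assumes Spring Security 6 Java configuration, that the chain runs inside the web application serving /arcgis, and that each user's subscription is already stored as a role.

```java
// Added example, not from the thread. Folder names (Basic, Premium) and
// role names are hypothetical; Spring Security 6 Java configuration assumed.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ArcgisServiceSecurityConfig {

    @Bean
    public SecurityFilterChain arcgisServices(HttpSecurity http) throws Exception {
        http
            // Matchers are relative to the context path (/arcgis), so this
            // chain only protects requests handled by that web application.
            // A chain deployed under /sampleSpringSecurity never sees them.
            .securityMatcher("/rest/services/**")
            .authorizeHttpRequests(auth -> auth
                // Rules are evaluated in order and the first match wins,
                // so the most restrictive folder is listed first.
                .requestMatchers("/rest/services/Premium/**").hasRole("PREMIUM")
                .requestMatchers("/rest/services/Basic/**").hasAnyRole("BASIC", "PREMIUM")
                // Catalog root: any authenticated subscriber may list it.
                .requestMatchers("/rest/services", "/rest/services/").authenticated()
                // Anything not listed, including folders published later,
                // is refused until a rule is added for it.
                .anyRequest().denyAll())
            // HTTP Basic is a stand-in for whatever login mechanism is used;
            // it should only ever be offered over HTTPS.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With this layout a new subscription tier is one more role and one more matcher line, and a service folder that nobody has mapped yet stays closed.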
LeoDonahue
Deactivated User
> ArcGIS server manager is great but it doesn't meet our business requirements.

I would "not" suggest using it to define/create users.  It can be configured to authenticate users to LDAP or a database.  You can always write a front end to let users register under a certain subscription, but that process should be manually reviewed anyway.
0 Kudos
NicCampbell
Deactivated User
Our web adaptor is now secured by Spring Security rather than LDAP using the ideas posted previously in this thread.  Just thought I'd post in case anyone was considering using it.
0 Kudos
AdamKuran
Esri Contributor

Hi,

Similarly to you, I have a Spring application that communicates with AGS. The application is secured but the services are not, and they have to be.

I thought about some solutions and one of them is the one you described as option 1.

I suppose there is some kind of Single Sign-On, at least between your application and the web adaptor (services)?

Is there a possibility to get your configuration? Or even some instructions?

(Unfortunately, I can't go to the link that you wrote in your post.)

Adam

0 Kudos