Web Adapter: Supporting a mix of public and private services

02-27-2015 09:45 AM
CoreyPuffalt
New Contributor II

We've been trying to use ESRI's web adapter in conjunction with web-tier authentication with support for a mix of public and private services as per the documentation.  However, the documentation is rather scant on details.  We're deploying the web adapter to Tomcat/JBoss and have one adapter functioning correctly to access private services but have been unable to figure out how to configure the second web adapter appropriately to access our public services.  The documentation says:

"Once you have installed and configured the first Web Adaptor, configure it to allow anonymous access. For instructions, consult the product documentation for your web server. Clients will use this Web Adaptor to access your site's public services."

Unfortunately, no technical details are provided here.  We have configured the web adapter to allow anonymous access via Tomcat but that doesn't work.  We get HTTP 403 (security) errors back when attempting to access all the web services.  On the ArcGIS (10.1) Linux server, since we enabled Web Tier authentication, the security option "Public, available to everyone" is now disabled, so it's not clear how to even configure our map services for public access!

Thanks,

Corey

0 Kudos
1 Solution

Accepted Solutions
CoreyPuffalt
New Contributor II

In the end we opened up a support issue with ESRI with the final answer being that at ArcGIS Server (Linux) 10.1 this is not an officially supported configuration.  At 10.2 and above I am told that it is possible to mark services as being publicly available with web tier authentication enabled (I have not verified this myself).

However, I was able to find a workaround to get this working on 10.1.  The workaround is based on a thread asking about the same setup with IIS/Windows.  Unfortunately, Tomcat/Linux doesn't have an "Anonymous Authentication" feature like IIS does, but the same effect can be achieved with a bit of hackery.  Assuming your public user (as explained in the other thread) is named 'anonymous', it is possible via a Servlet Filter to make it appear as if the user has authenticated:

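import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Applies to every request handled by the Web Adaptor servlet.
@WebFilter(servletNames = "agswebadaptor")
public class AnonymousFilter implements Filter
{
  // Name of the public user that every request is presented as.
  private String user = "anonymous";

  @Override
  public void init(FilterConfig filterConfig) throws ServletException { }

  @Override
  public void destroy() { }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
  {
    // Wrap the request so downstream code sees a remote user even though no login took place.
    chain.doFilter(new AnonymousRequestWrapper((HttpServletRequest) request, user), response);
  }

  private static final class AnonymousRequestWrapper extends HttpServletRequestWrapper
  {
    private final String user;

    public AnonymousRequestWrapper(HttpServletRequest request, String username)
    {
      super(request);
      this.user = username;
    }

    // Always report the fixed user name, regardless of what the container set.
    @Override
    public String getRemoteUser() { return user; }
  }
}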

This ServletFilter will need to be added to the web adapter arcgis.war (unzip it and add the above compiled class to WEB-INF/classes) and the web.xml will need to be tweaked to use a Servlet 3.0 descriptor by replacing the first few lines with:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
  xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
  http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
  id="Web_Adaptor" version="3.0">

Once you've made the above modifications you can zip the arcgis.war back up and deploy it on Tomcat (I tested on Tomcat 7.0.59). When accessing this customized web adapter all requests to the ArcGIS Server will appear as authenticated to the 'anonymous' user (or whatever username you set the user variable to).

Hope this helps someone.

0 Kudos
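An added variant of the filter in the accepted solution (not the poster's code and not Esri's): it leaves an identity already set by the container untouched, answers getUserPrincipal() consistently with getRemoteUser(), and reads the public username from an init parameter. The class name PublicUserFilter and the publicUser parameter are hypothetical, and whether the Web Adaptor also consults getUserPrincipal() is an assumption, since the post only relies on getRemoteUser().

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical class and init-param names; servlet name taken from the post.
@WebFilter(servletNames = "agswebadaptor",
           initParams = @WebInitParam(name = "publicUser", value = "anonymous"))
public class PublicUserFilter implements Filter {
  private String publicUser;

  @Override
  public void init(FilterConfig cfg) throws ServletException {
    publicUser = cfg.getInitParameter("publicUser");
    // Fail deployment rather than silently forwarding requests with no user.
    if (publicUser == null || publicUser.trim().isEmpty()) {
      throw new ServletException("publicUser init-param is required");
    }
  }

  @Override
  public void destroy() { }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest http = (HttpServletRequest) req;
    if (http.getRemoteUser() != null) {
      // The container already authenticated this request: keep that identity.
      chain.doFilter(req, res);
      return;
    }
    final String name = publicUser;
    // Present the fixed public account through both identity accessors.
    chain.doFilter(new HttpServletRequestWrapper(http) {
      @Override public String getRemoteUser() { return name; }
      @Override public Principal getUserPrincipal() {
        return new Principal() {
          @Override public String getName() { return name; }
        };
      }
    }, res);
  }
}
```

Because every unauthenticated request through this adaptor is served as that one account, the account should be granted access only to the services meant to be public.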
3 Replies
CoreyPuffalt
New Contributor II

Still searching for answers here.  I found a relevant slide deck titled "Securing ArcGIS Services" from the 2014 Federal GIS Conference.  Slide #31 suggests "Public / anonymous" access isn't possible using Web Tier authentication but then later Slide #34 shows that public & private services are supported via two Web Adapters (as suggested by the documentation).  No further details are provided however.

Anyone?

0 Kudos
SebastienPetit
Occasional Contributor

We had the same kind of issue with ArcGIS Server 10.2.2.

We wanted to have some private services and public services.

All accessible via a reverse proxy and using a local LDAP for user authentication.

IIS was not supporting this.

We tried two different solutions:

1) Developing our own tool acting like a webadaptor, but this may be way too unstable.

2) Using the webadapter on a Tomcat.

There we had a few more issues because we found out that Tomcat was pretty unstable on our Windows Server environment.

Then we had to go for one more tier to have a Linux box with a webadapter.

Today our solution is fine for us but a bit complex.

Secured services are accessed via one address going to the Linux box and redirected to the Windows Server (with ArcGIS Server on it).

Public services use another address going directly to the Windows box.

0 Kudos