no way to secure exported developer edition of Experience Builder?

12-28-2021 12:47 PM
KeithFraley1
New Contributor II

We are trying to develop our own Experience Builder app using the export function of the developer edition. We are finding that there is no way to secure the experience itself with Esri authentication.

High-level summary:

  • create dev edition ExB
  • export to zip ExB app
  • load onto local webserver
  • Navigate to URL of ExB
  • Without being logged into my org I can still see static config of the ExB (things like images, titles, text summaries)
  • User does get prompted to log in to see secure features (webmap, datagrid...); however, a user that is not authenticated can still see the static part of the ExB

Are we right to assume this is by design?  This seems like a major security concern and makes using ExB developer edition in any type of production sense highly unlikely.

Are we missing something?

3 Replies
Kishore
Occasional Contributor

@KeithFraley1 - The end exported product from the ExB app is simple HTML, JS and CSS files. You can secure access to your web server to achieve what you want. In my case, we use IIS as the web server; hence, we enabled Windows authentication and disabled all other methods. Please remember that if you enable Windows authentication, your ArcGIS Enterprise must have single sign-on enabled and all users must be from your Active Directory. Hope this helps you.

Regards,
Kishore
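An added example, not part of any reply in this thread: because the export is plain HTML, JS and CSS, one way to confirm that web-server authentication covers all of it is to request every file in the unzipped export without credentials and list the ones the server still returns. The script name, folder and URL arguments are placeholders; redirects are not followed, so a redirect to a login page is not counted as a file being served.

```python
# Added example: paths and URL passed on the command line are placeholders.
import sys
import urllib.error
import urllib.request
from pathlib import Path
from urllib.parse import quote


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx as HTTPError so a redirect to a login page is not
    # mistaken for a successful anonymous download.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def anonymous_status(url, timeout=10):
    """HTTP status of a GET sent with no credentials or cookies."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/3xx/404 all arrive here


def exposed_files(export_dir, base_url, status_of=anonymous_status):
    """Relative paths under export_dir that base_url serves (2xx) anonymously."""
    root = Path(export_dir)
    exposed = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        url = base_url.rstrip("/") + "/" + quote(rel)
        if 200 <= status_of(url) < 300:
            exposed.append(rel)
    return exposed


if __name__ == "__main__":
    # usage: python audit_export.py <unzipped export dir> <deployed base URL>
    leaked = exposed_files(sys.argv[1], sys.argv[2])
    for rel in leaked:
        print("served without authentication:", rel)
    sys.exit(1 if leaked else 0)
```

An empty result and exit code 0 mean every file in the export was refused or redirected for an anonymous client.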
KeithFraley1
New Contributor II

Thanks for your response. I am thinking more with regard to an open-to-the-web ExB that is using Esri authentication to authenticate. When navigating to the URL, a non-authenticated person can still see parts of the ExB; wondering how we can prompt before any of the elements can be accessed.

DaveFullerton
Occasional Contributor III

I think what @Kishore is saying might be the simplest way to secure your information. If you cannot use Windows authentication, I suppose the user might end up entering 2 different sets of credentials to get going (and you would have to maintain those credentials too). This would be ugly but maybe not unheard of.

Many of the widgets can connect to data, so you could design your ExB app to access all sensitive text by pulling it from ArcGIS Online (or your own hosted portal). I think you could find a way to do that with images too, but I am not sure. It sounds tedious. Would this be something you would even consider, @KeithFraley1?

Perhaps some theoretical use case examples of the content you want to secure would help get an answer to your question.  It might also help to know how much of this content you need to secure in a typical app.

I can't help more than that since we haven't done anything that needs to be secured yet, but I find your question very interesting and would like to know how we can simply rely on Esri authentication too.
