FV 3.0 Disable Secure Service Login

SimonRoss_User · ‎07-01-2012

I've already posted this to an existing post (http://forums.arcgis.com/threads/54640-FV-3.0-and-Login) but thought I'd open separately so there's no confusion.

Just started working with FV 3.0 and having some issues with the new login popup for secured services.

Our existing applications (FV 2.5) are secured via an ASP form control. Credentials for the secure services are built into the proxy page. Currently with the new secure services login this causes a separate challenge for authentication. Ideally I'd just like to disable the new secure services challenge but can't seem to make this happen in the flexviewer source code. I've tried removing the IdentityManager.instance.enabled = true but this makes no difference. I still get the popup appear. Any ideas on how to customize the viewer to remove this?
Thanks

JosephAccardi · ‎07-09-2012

Joseph,

Is there any particular reason you cannot set up a proxy page - it's a very straightforward process to do and the best way to keep the user credentials for the services hidden. The help files give a great walkthrough of the setup process - takes about 10 minutes!

Simon, No, I don't have any particular reason for not using a proxy page. Can you point me in the direction of where I can find the walkthrough of the setup process? I did a search in the help section and I couldn't find it.

Thanks

SimonRoss_User · ‎07-09-2012

Simon, No, I don't have any particular reason for not using a proxy page. Can you point me in the direction of where I can find the walkthrough of the setup process? I did a search in the help section and I couldn't find it.

Thanks

Setup instructions are in the main API help here

http://help.arcgis.com/en/webapi/flex/help/index.html#/Using_the_proxy_page/017p0000000v000000/

After that you just need to make sure the proxy is referenced in your config.xml as described here

http://resources.arcgis.com/en/help/flex-viewer/concepts/index.html#/Using_a_proxy_page/01m30000000w...

SimonRoss_User · ‎07-09-2012

All - I have opened a new thread for a related issue with the secure services dialog popping up unexpectedly with the edit widget. Please follow progress here

http://forums.arcgis.com/threads/61828-Opening-Edit-Widget-causes-secure-service-challenge

JosephAccardi · ‎07-09-2012

Setup instructions are in the main API help here

http://help.arcgis.com/en/webapi/flex/help/index.html#/Using_the_proxy_page/017p0000000v000000/

After that you just need to make sure the proxy is referenced in your config.xml as described here

http://resources.arcgis.com/en/help/flex-viewer/concepts/Index.html#/Using_a_proxy_page/01m30000000w...

Simon, your application is authenticated through IIS (basic, digest, etc.), but your web services are secured using ArcGIS Server Manager built in identity store (not through domain or LDAP), correct? If so, do you have users and roles assigned to each service? I'm going to add a proxy page as you suggested but I'm alittle confused about how a user is authenticated through IIS and also provided permissions to consume secured web services from a signal login. All my users and roles are set on the local server account, I'm just not sure if I have to replicate it out to the built in identity store. Thanks for your help with this.

SimonRoss_User · ‎07-10-2012

Joseph - it sounds like you may be using ArcGIS Server 10.1 as you refer to the built in identity store. If you are I'm not sure exactly how this works at 10.1 but I presume it's very similar.

Earlier in this forum you'll see I attached a file proxy.zip. This contains both the ashx file (default from ESRI) and the proxy.config.

As shown in this proxy.config example

<serverUrl url="https://MYDOMAIN/ArcGIS/rest/services" //This works at the root level but can also be set to individual  folders or services if preferred               
               matchAll="true" //This indicates that all sub-folders/services from the url above can be accessed if the credentials match - set this to false if the url is set to a specific service only
        dynamicToken="true" //This indicates that it will create the token at runtime based on the username and password
        userName="MYUSER" //valid username with access to the service(s) required - does not need to be the same as the application login - need to be an identity that can access the service
        password="MYPASSWORD" //password for this username
               host="MYHOSTNAME">
</serverUrl>

JosephAccardi · ‎07-10-2012

Thank you Simon. I am using 10.1. I would assume that the username and password would have to be the same in IIS and in the AGS Built-in Store because the user is prompted to log into the application with his/her IIS local domain credentials. Once the user passes the IIS authentication, I would assume AGS Built-in Store would not recognize the credentials if they were different and prompt the user to supply an additional set of credentials in order to view the secured service(s) that he/she has permissions to. This is all speculation at this point since I have not set up the proxy page yet. I'm going to apply it today and see what happens.

Quick question about the proxy config code. I have about 15-18 users of my FV 3.0 application. How do I enter in multiple usernames and passwords into the code?

Thank you again for your help with this.

Joe

SimonRoss_User · ‎07-10-2012

Joseph, what basically happens when the proxy is working is this:
1. User goes to the viewer web page and is prompted for their login credentials (in your case windows but type really doesn't matter)
2. When their credentials are accepted the viewer opens and loads the services and map configuration as listed in config.xml
3. Let's say you have MapServiceA in your viewer which is a secured service (in your config.xml you have specified the location of the proxy page in the httpproxy tag and selected useproxy="true" in the layer xml tag)
4. The application makes a request to the proxy page to access MapServiceA (it does not transfer any user credentials)
5. The proxy page checks if the requested url can be accessed from that site (proxy.config url setting)
6. In order to successfully make the request it needs a token for the service - it uses the username and password in the proxy.config to do this. Therefore you only need ONE set of user credentials in the proxy.config - these can be from a different identity store from the application login.
7. If the user credentials are ok it generates a token to successfully access the secured service

So you don't need to worry about multiple user logins in the proxy.config. This page can only be accessed after login to your application so the user has already proved their credentials

JosephAccardi · ‎07-10-2012

Simon, this is an excellent breakdown. Thank you very much. I am much more comfortable applying a proxy page to my application now. I (hopefully) have one last question for you. One of my secured services is a feature service with Editor Tracking enabled. One of the issues I've been having is that the 'Created User' attribute is not being generated since my services are not secure. Once I secure my services and use the proxy page, will the username I use in the proxy config file be the name that will be generated when features are created by all users? No worries if you're not sure. I will apply the proxy and see what happens. Thanks again for all your help.

SimonRoss_User · ‎07-10-2012

Great question! I don't know the answer as we haven't tested that yet on our 10.1 testing server but definitely somethign we'll be interested in. Please post up how you get on with that
cheers

Simon

JosephAccardi · ‎07-10-2012

Simon, after working on the Proxy Page all afternoon, I can't get it to pass the token automatically and not prompt the user for credentials after the user has logged into the site. I�??ve attached config and both proxy files. If you have a chance, could you please let me know if you see anything obviously wrong with my set up? The user that I am using in the proxy.config file has permissions to access one of the secured services in the folder listed in the �??serverurl�?? link. I�??m using our external url as the domain which points to our internal server. Also the host name is the name of the internal server, correct?

I may be having the same problem you did which lead you to start this thread. I noticed that you fixed the problem by editing an mxml file. I used the complied FV app to create my site if that makes any difference.

Thanks,
Joe