Login Screen for the Flexviewer

03-15-2011 10:52 AM
andrewj_ca
Frequent Contributor
Just posted some code for a Flexviewer login screen.  I hope somebody can get some use from this.

http://www.arcgis.com/home/item.html?id=baebcaf317994d63902bc9735c0657e0
0 Kudos
121 Replies
RobertScheitlin__GISP
MVP Emeritus
Greg,

   Yes, changing it to visible.Login="false" does work as a workaround, but if you are like me and want to load a specific Config.xml file based on the user that logs in then that is not a feasible workaround.
0 Kudos
GregSpiridonov
Occasional Contributor
that is originally what i was looking for as well.. just offering a "one file edit" option for those not so code savvy who want a login...

to me i would think a separate asp linking to flex would end up being more secure, but in the end it's pretty much the same idea.

as far as the config separation, i'm assuming you tie the xml to load in the xml for usernames?
0 Kudos
RobertScheitlin__GISP
MVP Emeritus
Greg,


   Yep, that's it exactly.
0 Kudos
SandeepTalasila
Occasional Contributor
Oh, solved the above. What I did was assign the IIS_users permissions to the Arcgis_Security app.. in IIS. And it worked. Got the hint from one of the previous replies in the thread. Thanks! And to get the siteUsage.log working, I had to give write permissions to IIS_users for that file.


Hello,
I have assigned the write permissions to IIS users and have changed the URL to my server. Still I am getting the "Internal Database Error" message. Could anyone help me with this?
Thanks,
0 Kudos
CurtWalker
Deactivated User
Robert and Greg,

I wanted to get your input on this topic of securing the Flex Viewer, specifically the possibility of using an asp.net wrapper.  Where I work we've been working on a secure asp.net portal for a couple of weeks.  At present the login prompt is successfully validating back to the user accounts that are created and managed in ArcGIS Server Manager and then redirecting to a specified URL for the Flex View app.  But we are stumped at the moment because it still doesn't allow secured services to be viewed in the Flex Viewer even though the necessary credentials have been provided.  I can login with my own account which is a member of the GIS Admin role and the asp.net portal then takes me to a Flex Viewer that serves a single secured service.  The data in that service is not visible.

We are really confused by this behavior, especially since we can login into the REST endpoint and view all secured services with no issues.  Do you have any insight as to what we're missing?

Frankly I go back and forth on whether this effort is justified.  Famous last words....but I don't know if there's a real threat from hackers wanting to steal data pertaining to projects nobody but the client and a handful of interested parties even know exists.  I think the more important concern is making sure client A can't accidentally access the maps and data of client B, and it seems like at least a couple of login widgets provide that.

Regardless we really need to get our asp.net portal figured out asap.  Many thanks for any insight you can provide.
0 Kudos
RobertScheitlin__GISP
MVP Emeritus
Curt,

   I don't work with any secure services at all so I have no input on that subject. I am only concerned with pseudo securing my Viewer App (you have to admit that there are NOT a lot of GIS hackers out there).
0 Kudos
CurtWalker
Deactivated User
Thanks Robert.  Yes I think the old adage "security by obscurity" applies here, but nevertheless we have some clients who can and will run a security audit using some methods I didn't even realize until the past couple of days when our network guys demonstrated how easy it would be to locate, acquire, and decompile the .swf thereby getting a valid token with which to hit the REST endpoint.

Right now we have a functional ASP.NET portal that secures access to the Flex app and we're working on a method to generate short-lived tokens on the fly with each successful login.  The config.xml gets written dynamically before the .swf parses it (in theory).  I've seen so many threads asking about this, but at the end of the day it's going to be in-house web development that gets it done rather than any built-in functionality from ESRI.
0 Kudos
HaniuHokkaido
Deactivated User
Dear all,

Where can I find the ArcGIS_Security folder?

My login screen appears just for a few seconds then it disappears by itself (as if there is a timer). Then, after it disappears, I am able to see the web application.

What's wrong?

thanks
0 Kudos
grahamcooke
Regular Contributor
Hi,

I have managed to create an ASP.NET wrapper application for my flex viewer application. Users and user access to different basemaps is built into SQL tables in the GIS database, there is a helpdesk function where 1st line support team can edit/create users and manage their access to basemaps without developer intervention. Passwords are encrypted by the .net app before being written to the database. This was designed for intranet use only.

Once a user is verified, they are presented with a choice of basemaps to load for the flexviewer app (they can only choose one, but may be entitled to see several). The map url they choose is then passed from the .net application to the flex viewer by using URL params. The flex viewer is actually embedded in an aspx page that sits within the .NET application project. There are also some code changes you need to make to the flex viewer out-of-the-box code to enable it to read the map url passed from the .net application.

There is plenty of scope to take what I have created and extend it / edit it to do other user specific processing in the flex application (ie load certain config files for particular users).

If anyone is interested I can make the .NET code available together with the stored procedures for creating the authorisation tables in SQLServer, but I would suggest that non-technical users and people with zero .NET/ SQL experience would maybe find this a little beyond their capability and should consult their development team. There is probably a much neater way to do the user authentication by using the built in .NET APIs for user/role authorisation. However in our case we needed to be able to manage users who are outside the company and have no windows domain accounts with us, but are able to access our intranet and this was the path of least resistance.

Also please note, to make the application work properly, there are changes that need to be made at the flex end in order for the URL params passed from .NET wrapper to be read. There is definitely scope for this code to be played with to enable different configs to be loaded for different users or any other user specific actions to be executed in the flex application based on URL parameter info passed through.
0 Kudos
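
Added example, not code from any poster in this thread or from Esri: a sketch of the short-lived, per-login token idea discussed above, with each token bound to the user and to the one map service chosen at login, so that a value recovered from the client or an edited URL parameter expires quickly and cannot be pointed at another client's service. It is written in Python for brevity (the portals in the thread are ASP.NET); the key, lifetime, URLs, entitlement table and function names are assumptions, and `verify_token` has to run server-side in front of the map service, not in the viewer.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # assumption: held only by the server
TTL_SECONDS = 300                  # assumption: five-minute token lifetime
A_URL = "https://gis.example.com/rest/services/ClientA/MapServer"  # constructed
B_URL = "https://gis.example.com/rest/services/ClientB/MapServer"  # constructed
ENTITLEMENTS = {"client_a": {A_URL}, "client_b": {B_URL}}          # constructed

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def issue_token(user, map_url, now=None):
    """Call after a successful login; refuses maps the user is not entitled to."""
    if map_url not in ENTITLEMENTS.get(user, set()):
        raise PermissionError("user is not entitled to this map")
    exp = int(time.time() if now is None else now) + TTL_SECONDS
    payload = json.dumps({"u": user, "m": map_url, "exp": exp}).encode()
    return _b64(payload) + "." + _b64(_sign(payload))

def verify_token(token, requested_url, now=None):
    """Server-side check in front of the map service; returns the user or None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:              # wrong shape or bad base64
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                 # forged or edited payload
    claims = json.loads(payload)    # parsed only after the signature checks out
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return None                 # expired: a copied token soon stops working
    if claims["m"] != requested_url:
        return None                 # token was issued for a different service
    return claims["u"]
```
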
KevinCressy
Emerging Contributor
Any idea where I can download this code?

I have clicked the original link but the page states that I do not have permission to view this area - even after I login with my ESRI Global account...
0 Kudos