
Viewer for Flex 2.1 : How to use or add security mechanisms ?

11-05-2010 09:27 AM
skotea
New Contributor
Hi everyone,

I would like to implement security mechanisms on my ArcGIS Viewer for Flex 2.1 app (login / sign in, authentication, authorization, secure communication, ...)

I would like to start with authorization as described here : http://resources.arcgis.com/content/enterprisegis/10.0/authorization_mechanism


  • What ESRI tools and other tools do I need (ArcGIS Server + webserver, ArcSDE + RDBMS, programming language, IDE, ...)?

  • Where to start?

  • What documentation to read?

  • Where to find information and examples?


Thanks in advance for your help.
0 Kudos
5 Replies
skotea
New Contributor
<UP>
Someone with even basic information to know where to start

Thanks in advance.
0 Kudos
RobertScheitlin__GISP
MVP Emeritus
Skotea,

   I do not use this or any other type, but here is a link to something I found.

http://www.vipercreations.com/tutorials/Adobe%20Flex/28/
0 Kudos
skotea
New Contributor
Thank you Robert. I hoped that you would give me some help. I will read this link carefully.

To go further, is there any specific method for GIS / layer view and edit authorization for ESRI tools in general and ArcGIS API for Flex in particular?

That is to say, how to allow only certain identified users:

  • to see or edit certain layers and not others?

  • to see or edit portions of layers corresponding to a specific criterion (Parcel ID, ownership, city, ...)

For the Viewer for Flex 2.1, how should it be managed:

  • using a specific config.xml depending on the user logged?

  • using secure settings and services directly from GIS server side (what must be done on the Viewer for Flex then)?

  • any other way?

  • is there a standardized method for use with applications based on Viewer for Flex 2.1 or is it specific and must be managed differently for each application?

I hope that's understandable.
Thank you again.
0 Kudos
RobertScheitlin__GISP
MVP Emeritus
Skotea,

   As I mentioned, I do not use any security like this so I have limited knowledge of this area.

In FlexViewer 2.1 I would say that the best way to handle a portion of the security is to use different config files.  The issue you will have to overcome there is how to prevent access to a more privileged config file. I have heard of some handling this through an ASP.net front end that directs a user to a particular config based on login, and access to the IIS directory that has those config files is protected through Windows authentication.

   If you secure your map services using ArcGIS Manager then in Flex you will have to use tokens to consume them. You will have to modify the FlexViewer to handle this. I can not give you any advice on this but I know people have done this in the past and posted on the forums so just search for "using secured map services" or something along those lines.

   There is no out of the box or standardized method to do any of this using FlexViewer, so you will have to develop these methods yourself along with the code.

Once again I am not an expert on this and have no experience in this area. I just came across that article and thought I would pass it on.
0 Kudos
JonFisher
New Contributor III
Hello,

I'm trying to do the same thing. I really only want one user name and password to be able to log in and everyone else be locked out. I have this link from either an ESRI blog or an ESRI email from a while back. http://www.adobe.com/livedocs/flex/201/html/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_B...

I was really excited to try it and I thought it would be easy...then I realized I think they're talking about JAVA, and I'm using a Windows server 2008 with .net and IIS. So...I don't think that's going to work!

Can anyone from the ESRI flex team jump in...?


Count me in for people who would love to hear more about this. I can easily secure an entire Flex application using IIS, but that doesn't seem to work on an individual config file within the folder (e.g. set up different permissions for config-edit.xml vs. config.xml).

Also, I'm guessing that having an anonymous map service with editing enabled means that even if I secure my flex app, it would still be possible for someone else to submit edits to the data. That means I'll likely want two map services, one anonymous service for viewing (without edit privileges enabled), and one authenticated service (pointing to the same data albeit via a different oracle account) for editing. The authenticated map service will be called in Flex via a token embedded in a config file which is secured with IIS.

Does that sound right? Is there a good way to secure just the config-edit.xml file, and will the user be prompted to login when that file is called via <application URL>/index.html?config=config-edit.xml?
0 Kudos
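
One way to express the approach discussed in this thread (a front end that picks the config file from the login, so that the `?config=config-edit.xml` query value alone grants nothing), as an added example that is not part of any post above and not Esri or Viewer code. It is shown in Python as language-neutral logic rather than ASP.NET; the role names, `ROLE_CONFIGS` and `resolve_config` are hypothetical.

```python
# Added example: server-side choice of a Viewer config file by role.
# ROLE_CONFIGS, the role names and resolve_config are hypothetical.
import posixpath
from typing import Optional

# Config files each role may load; config.xml is the anonymous default.
ROLE_CONFIGS = {
    "anonymous": {"config.xml"},
    "editor": {"config.xml", "config-edit.xml"},
}
DEFAULT_CONFIG = "config.xml"


class AccessDenied(Exception):
    """Raised when the caller may not load the requested config file."""


def resolve_config(role: Optional[str], requested: Optional[str]) -> str:
    """Return the config file name to serve, or raise AccessDenied.

    `role` comes from the server's own authentication (None when the
    user is not logged in); `requested` is the untrusted ?config= value.
    """
    # Unknown roles get an empty allowlist, so they fail closed.
    allowed = ROLE_CONFIGS.get(role or "anonymous", set())
    if not requested:
        return DEFAULT_CONFIG
    # Accept only a bare file name: no directories, no backslashes,
    # no parent references. Check this before the allowlist lookup.
    name = requested.replace("\\", "/")
    if posixpath.basename(name) != name or name in (".", ".."):
        raise AccessDenied("config name must be a bare file name")
    # Exact-match allowlist: case variants and unlisted files are refused.
    if name not in allowed:
        raise AccessDenied(f"role {role!r} may not load {name}")
    return name
```

The check only helps if the config files cannot also be fetched directly from the web directory, which is the directory protection described in the reply above.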