Request for map image from a secured ArcGIS Server WMS service

11-25-2022 07:31 AM
New Contributor III


I have a map service published on my ArcGIS Server (10.8.1) and the service is secured using the tools within Server Manager.  I mainly use this service in JavaScript APIs making use of addProxyRule to pass all the map requests through a proxy page containing the necessary credentials.  This works great.

I now want to be able to make requests to the same secured service (which is WMS enabled) to return .png images. I have a third-party application that needs to consume the map as WMS.  At the moment this third-party application is using an unsecured WMS service and can successfully make requests a bit like this:


As expected, if I change the service name from MyService to MySecuredService I get a forbidden message.  I have tried creating a URL which is prefixed with my proxy page location like this:


But this doesn’t work, either by design or because I’m doing it wrong, but making requests from a JS API to the ESRI REST endpoint of the secured service works through this proxy page, just not doing WMS by entering the URL in a web browser to test.  The unsecured service WMS map request works fine by testing the URL in a web browser.

Can anyone please help by explaining how I can get this third-party application to make WMS map image requests to the secured service?  There is very limited scope for modifying the third-party application; it simply has a config file where I can enter the base service URL for it to make the requests, which is why I was hoping simply adding the proxy page to the start of the URL would work.  I have also tried hosting the proxy page with the application and on the ArcGIS Server server, and I’ve tested the allowedReferers isn’t an issue.

Thank you,


1 Reply
Regular Contributor

I think you’re going to struggle.

WMS is from the Open Geospatial Consortium with an emphasis on OPEN - freely available and no security.  The OGC standards (last time I checked) do not have a security specification.

Some third-party clients like QGIS have an understanding of HTTP Basic auth, which is old and not too secure.  They also work with Integrated Windows Authentication. Esri no longer support HTTP Basic (with good reason) and IWA is available but will possibly change your workflows.  It’s IWA or ArcGIS Server security.  It would be worth investigating, but would need external users to be registered in your AD.  A much wider security decision would be needed.

The ASHX proxy is a proprietary Esri toolkit and you’re using it in the right way by the sounds of it.  It is designed to work with Esri viewers and APIs.  Through code you make them proxy aware.

Third-party apps will have no knowledge of the ASHX.  They will have no connectivity to it.

In saying all of this, some third-party apps like QGIS have plugins that allow you to connect to some Esri authentication methods, but not the ASHX route.

The resolution here is changing your security methods or changing the client.  It would be a nightmare and a significant security risk for Esri to allow connections from anything and everything. 

Sorry, probably not what you want to read. But open and secure are quite literally opposite extremes in my experience.

Scott Tansley
Consulting Architect (ArcGIS Enterprise)