Silverlight Journal

February 4, 2010

My First Secure Silverlight ArcGIS Application

Filed under: Uncategorized — bobbsmooth @ 9:31 pm

I recently developed an application using the Silverlight API for ArcGIS Server (AGS). As with all things, the requirements changed near the end of the project to require that the site be hosted offsite and be accessible via the Internet. Despite my desperate cries of “Danger! Danger! The interwebs are unsafe,” my client had made up their collective minds and I had my orders: put it on the Internet and make it secure.

The first step was easy: secure all traffic between the Silverlight client and my web services that do all my data requests. One wildcard SSL cert later and I was all set to create as many secure websites as I could need.

Next, I had to figure out a way to make AGS keep its proverbial legs shut so it wouldn’t whore out all my client’s data over the tubes of the Internet. This is what I had to do to configure the server.

  1. Install SSL certificate on server.
  2. Install SQL Server to use as a Membership provider for AGS.
  3. Use aspnet_regsql.exe to create the membership provider. Typically, this is located somewhere like this: C:\<windows dir>\Microsoft.NET\Framework\<version dir>\aspnet_regsql.exe
  4. On AGS Manager -> Security -> Settings, change the location of my Security Stores from Windows to SQL server.
    • For SQL Express this just worked but for SQL Server I had to set up the NETWORK SERVICE account with permissions on my Aspnetdb database.
    • Also on SQL Express, for the name of the SQL database, I used the default .\SQLEXPRESS but for SQL Server, I had to use just the name of the server.
  5. On AGS Manager -> Security -> Roles, add a new role.
  6. On AGS Manager -> Security -> Users, add a new user to my role.
  7. On AGS Manager -> Services -> Manage Services
    • Add a new folder from the Manage Folders menu. (This turned out to be very important)
    • Select that folder from the drop list.
    • From the Manage Folders menu, select Permissions. Remove “Everyone” and add your new role.
    • Add your map service using the “Add New Service” link while your new folder is selected in the drop list.
  8. On AGS Manager -> Security -> Settings, enable security.
    • To undo this, you have to modify your Server.dat file and change the <SecurityEnabled> tag from true to false.
  9. Next, generate a token. For my project I knew I was going to only call the map service from my proxy so I didn’t want it to expire.
    • https://<AGSSERVERNAME>/ArcGIS/tokens?request=getToken&username=<USERNAME>&password=<PASSWORD>&clientid=<WEBURL>
    • USERNAME and PASSWORD are for the credential that you set up in step 6.
    • WEBURL is the URL or IP address of the site that will host your application’s proxy page (e.g. site.domain.com). If you use the IP address, use the one that AGS will see. For example, if AGS is on the same server as your Proxy and both are behind a firewall, then use the private IP address assigned by your firewall. However, if your proxy and AGS will be on separate networks and will be communicating across the Internet, then you will use the public IP address that your proxy will communicate through.
  10. Once you have a token, test it using this URL:
    • https://<AGSSERVERNAME>/ArcGIS/rest/services/<FOLDERNAME>/<SERVICENAME>/MapServer?token=<TOKEN>

The next big chunk was modifying ESRI’s proxy to handle traffic a little smarter.

  1. In proxy.config, I added an attribute to the serverUrl elements.
    • localURL – the url that the proxy could use to find the service without going out of the firewall
  2. I modified proxy.ashx
    • Uses the localURL instead of the one passed in from the request.
    • Does error handling to verify the config file opened correctly
    • Allows for expired and incorrect SSL certificates (sometimes a legitimate SSL would fail for unknown reasons)
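
An added example (not the author's proxy.ashx and not ESRI's code) of the two proxy changes listed above: it resolves a request to its localURL and appends the stored token, and, as a narrower alternative to accepting every failing certificate, it tolerates validation errors only for one pinned certificate. Only the localURL attribute comes from the post; the rest of the config layout, the host names, the token and the thumbprint are assumed placeholders.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;

public static class ProxyRouting
{
    // Constructed proxy.config; only localURL comes from the post, the rest is assumed.
    const string Config = @"<ProxyConfig><serverUrls>
      <serverUrl url='https://maps.example.com/ArcGIS/rest/services/Secure/'
                 localURL='https://ags01.internal.example/ArcGIS/rest/services/Secure/'
                 token='PLACEHOLDER_TOKEN' />
    </serverUrls></ProxyConfig>";

    // Placeholder pin: thumbprint of the certificate installed on the internal AGS host.
    const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    // Map a requested URL to its internal equivalent; refuse anything not configured.
    public static Uri Resolve(string requested)
    {
        string canon = new Uri(requested).AbsoluteUri;   // collapses ../ before matching
        var entry = XDocument.Parse(Config).Descendants("serverUrl").FirstOrDefault(e =>
            canon.StartsWith((string)e.Attribute("url"), StringComparison.OrdinalIgnoreCase));
        if (entry == null) throw new UnauthorizedAccessException("URL not in proxy.config");

        string local = (string)entry.Attribute("localURL");
        string target = local + canon.Substring(((string)entry.Attribute("url")).Length);
        string sep = target.Contains("?") ? "&" : "?";
        return new Uri(target + sep + "token=" + Uri.EscapeDataString((string)entry.Attribute("token")));
    }

    // Accept a name or expiry error only for the pinned certificate; anything else fails.
    public static bool ValidateCert(object sender, X509Certificate cert,
                                    X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        return cert != null && string.Equals(new X509Certificate2(cert).Thumbprint,
            PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateCert;
        Console.WriteLine(Resolve(
            "https://maps.example.com/ArcGIS/rest/services/Secure/Parcels/MapServer/export?f=json"));
    }
}
```

Because the token lives only in the proxy's config and is appended server-side, it never reaches the Silverlight client, and requests for URLs outside the configured folder are rejected before any outbound call is made.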

Next, I modified my application to use my proxy for all calls to the map service.

((ArcGISDynamicMapServiceLayer)esriMap.Layers[0]).ProxyURL = _viewModel.MapServiceProxyURL;
((ArcGISDynamicMapServiceLayer)esriMap.Layers[0]).Url = _viewModel.MapServiceURL;

It’s very important that you set the Layer’s ProxyURL property before setting its Url property. As soon as the Url property is set, the layer object makes the calls to the service.

The last thing I did was to configure IIS Authentication. For some reason AGS made everything use Windows Authentication. I had to change everything to anonymous only so that AGS could do the authentication.

Thanks to @dbouwman and @Gmapdev for pointing me in the right direction!
