
/**********************************************************/

// Secured services

// August 27, 2010

//Version 2.0

/*********************************************************/

You can set up ArcGIS Server Web services to permit only authorized users by using one of two authentication methods: token-based or HTTP (including Windows) authentication. The ArcGIS Server system administrator provides authentication information to connect to the secured service.


Token-based authentication

Token-based authentication services require that a token be included in each request for a map, query, and so on. A token is an encrypted string that is derived from information about the authorized user, date and time, and client making the request.

To use a service that requires tokens, you must obtain a token, then embed it in your application.


Obtaining a token

Get the URL of the service. The URL can be obtained from either your administrator or the Services Directory.

Visit the URL. You are routed to the Services Directory and may be prompted to log in.

Click Get Token in the upper right corner. If there is no Get Token link, the service is either not secured or it uses HTTP/Windows authentication.

The secure token service Web page appears. Click Generate.

A token appears. Copy this value and use it in your application. If no token appears or if an error message displays, ensure you are using HTTPS and that the values you entered are correct.


If your application is server based (ASP.NET, JSP, PHP, etc.), another option is to generate tokens dynamically at run time. You may use code to send, use, and renew the token and detect its timeout. See Working with the SOAP API on the ESRI Developer Network (EDN) or in your local Developer Help. You will also need to route requests through your server; for information, see Using the proxy page.

Using the token in your application

Once you have a valid token, add it to your application in one of three ways:

Include the token in the map request by setting the token property of the service:


<esri:ArcGISTiledMapServiceLayer
    token="cggEFLivAeuzeEzxqYbt3XVXwJHtBINpCLQdq4YaxmOghNgsnB6iLWjlHsd7xomB"
    url="http://server.arcgisonline.com/ArcGIS/rest/services/ESRI_StreetMap_World_2D/MapServer"/>

Include the token in the map request by adding the token property to the URL property of the service:


<esri:ArcGISTiledMapServiceLayer
    url="http://server.arcgisonline.com/ArcGIS/rest/services/ESRI_StreetMap_World_2D/MapServer?token=cggEFLivAeuzeEzxqYbt3XVXwJHtBINpCLQdq4YaxmOghNgsnB6iLWjlHsd7xomB"/>

Use a proxy page and include the token in the configuration for the proxy page.
The proxy page option offers a high level of protection for the token, as end users do not have access to it. See Using the proxy page for more information.
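
An added example (not ESRI's proxy page and not code from the original post) combining the two server-side ideas above: a token that is generated at run time and renewed before it times out, and a proxy that attaches that token itself so the browser never sees it. The host `gis.example.com`, the `fetch_token` hook and all function names are assumptions made for illustration.

```python
import time
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Constructed proxy configuration: the only services this proxy forwards to.
ALLOWED_PREFIXES = ["https://gis.example.com/ArcGIS/rest/services/Parcels/MapServer"]
RENEW_MARGIN = 60  # renew this many seconds before the token expires


class TokenCache:
    """Keeps the token on the server and renews it shortly before expiry."""

    def __init__(self, fetch_token, clock=time.time):
        # fetch_token() -> (token, expiry as epoch seconds). Hypothetical hook
        # around whatever token-service call the deployment uses.
        self._fetch, self._clock = fetch_token, clock
        self._token, self._expires = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires - RENEW_MARGIN:
            self._token, self._expires = self._fetch()
        return self._token


def build_upstream_url(requested_url, cache):
    """Return the URL the proxy should fetch; raise PermissionError otherwise."""
    parts = urlsplit(requested_url)
    if parts.scheme != "https":
        raise PermissionError("upstream must be HTTPS")
    if ".." in unquote(parts.path).split("/"):
        raise PermissionError("dot-segments are not forwarded")
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    # Match on a path boundary so ".../MapServerEvil" does not pass.
    if not any(base == p or base.startswith(p + "/") for p in ALLOWED_PREFIXES):
        raise PermissionError("service is not in the proxy allowlist")
    # Drop any client-supplied token; only the server-held one is attached.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != "token"]
    query.append(("token", cache.get()))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
```

The allowlist matters as much as the token handling: a proxy that forwards to any URL would attach the token to requests for servers the application never intended to call.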

Increased security

To increase security, use one of the methods below:


Use the proxy.

Use HTTPS and require users to log in to your application. Your token contains the referrer URL of your application, so users should be unable to use the token in an application hosted at a different server. However, it is possible to spoof the referrer. Requiring a login and using HTTPS reduce this possibility.


HTTP/Windows authentication

When a request is made to a service secured with HTTP authentication (including Windows authentication using IIS), the server issues an authentication challenge. The application or user must respond with appropriate user credentials using standard HTTP authentication methods.

There are two approaches to accessing a secured service using HTTP/Windows authentication:

Use server-side code (ASP.NET, JSP, PHP, etc.) to set an identity for the request. The server sends the request with the identity; the end user does not need to log in.


For more information, see Using the proxy page. For details on creating your own code in the proxy page to set the identity, see Working with the SOAP API at the ESRI Developer Network or in your local Developer Help.

Do not supply any credentials within your application. Instead, let the server challenge the browser user. The user will see a login dialog box in the browser and must provide a valid user name and password for the ArcGIS Server system that issued the challenge.
Work with the system administrator to ensure that end users have login information. If you are the administrator of the ArcGIS Server system, consult the Help, under the topic on securing services, for information on creating and managing user accounts.


Tips

If HTTP Basic authentication is used, you should require that users employ HTTPS when accessing your application to prevent password interception. Other authentication methods, such as Digest or Integrated Windows Authentication, may protect user logins, but for maximum security, HTTPS is recommended when users are logging in.


Supplying end users with a user name and password is not appropriate when services from more than one ArcGIS Server system are used in an application, as multiple logins would be required. This limitation does not apply when using multiple services within the same ArcGIS Server system, since the challenge is issued for the entire server.


Authentication is required only for the initial request to the secure service. This may result in a user encountering a login dialog box midway through a session. For example, if the user requests a nonsecure map, then tries to perform a query on a secure server, the login dialog box will appear only after the query.
To avoid this, send a request in the background to the ArcGIS Server system when the application starts, such as a simple REST request for service information. The user would be prompted to log in on startup rather than when using the application.


If you are the administrator of an ArcGIS Server system, you can restrict access to your ArcGIS Web services. Information on restricting access is available in ArcGIS Server Help and online at ESRI.

NOTE: The ArcGIS API for Flex supports basic use of secured services from ArcGIS Server 9.3. There is no support for ArcIMS secured services.
