Security Configuration
This section describes different modes for securing the App Status management backend service (Save State service).
By default, the Save State service is not secured. This means any user with access to the Save State service can interact with it in anonymous mode and is able to read, write and edit app states that are tagged to be visible to everyone. Existing app states in the database that are restricted to certain users or apps cannot be accessed by anonymous users, even if the Save State service is not secured.
When the Save State service is secured, users can log in (but are not required to do so, depending on your app).
There are three different visibility levels for each app state:
- PRIVATE: The app state is only visible to the user who created it. Note that users must log in to create private app states.
- GROUP: The app state is visible to all users that are members of the specified group. Users need to be logged in to access group-protected app states as well.
- PUBLIC: The app state is visible to anybody, including anonymous users.
Configure security modes
Open the application.properties file for the Save State service webapp.
By default, the Save State service's security mode is controlled by the property security.mode. Therefore, if you use the same configuration file for map.apps and the Save State service, both webapps will be configured with the same security mode.
If you want to set a security mode for the Save State service that differs from the security mode in map.apps, set the Save State service's property savestate.security.mode.
security.mode=INTEGRATED
savestate.security.mode=AGOL
The following security modes are available for savestate.security.mode:
- NONE: No protection. Viewing, creating, editing and deleting app states is allowed for anonymous users.
- INTEGRATED: Uses the simple security mechanism integrated in the Save State service. Edit and delete are only possible when the logged-in user has the "admin" role. You can set the user name and password for the admin user with the properties security.user.admin.name and security.user.admin.pw.
- ONLY_AUTHN: Use this mode when you are operating the Save State service in connection with con terra security.manager. For more information follow the instructions in the map.apps documentation under "Installation and operation - Security - security.manager".
- AGOL: This mode allows the users of the Save State service to log in with their ArcGIS Portal or arcgis.com credentials. ArcGIS Portal groups can be assigned to app states in order to limit access for groups of users.
AGOL security mode
When setting savestate.security.mode=AGOL, some additional configuration is required.
Configure the Save State service
Open the Save State service's application.properties file.
Set the URL to the ArcGIS Portal instance you want to use. By default this is https://www.arcgis.com.
security.integrated.agol.organization=https://www.arcgis.com
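A configuration check for the properties described above, as an added example that is not part of the original documentation or of con terra's code: it resolves which mode the Save State service ends up with (savestate.security.mode overrides security.mode) and flags weak settings. The parser, the function names, the sample file contents and the HTTPS check on the portal URL are assumptions of this example; an absent mode is treated as NONE because the service is unsecured by default.

```python
# Added example: audit which security mode the Save State service ends up with.
KNOWN_MODES = {"NONE", "INTEGRATED", "ONLY_AUTHN", "AGOL"}
DEFAULT_PORTAL = "https://www.arcgis.com"  # default stated in the documentation

# Constructed sample: one file shared by map.apps and the Save State service.
SAMPLE = """\
security.mode=INTEGRATED
savestate.security.mode=AGOL
security.integrated.agol.organization=http://portal.example.org/portal
"""

def parse_properties(text):
    """Minimal key=value reader (assumption: no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def effective_mode(props):
    """savestate.security.mode overrides security.mode, which both webapps share."""
    for key in ("savestate.security.mode", "security.mode"):
        if props.get(key):
            return props[key], key
    # Assumption: neither property set means the unsecured default (NONE).
    return "NONE", None

def audit(text):
    """Return (mode, property that set it, list of findings)."""
    props = parse_properties(text)
    mode, source = effective_mode(props)
    findings = []
    if mode not in KNOWN_MODES:  # compared exactly as spelled in the documentation
        findings.append(f"unknown mode {mode!r} in {source}")
    elif mode == "NONE":
        findings.append("anonymous users can view, create, edit and delete app states")
    elif mode == "INTEGRATED":
        for key in ("security.user.admin.name", "security.user.admin.pw"):
            if not props.get(key):
                findings.append(f"{key} is not set")
    elif mode == "AGOL":
        portal = props.get("security.integrated.agol.organization", DEFAULT_PORTAL)
        if not portal.lower().startswith("https://"):  # added check, not a product rule
            findings.append(f"portal URL {portal} is not HTTPS")
    return mode, source, findings
```

Calling audit(SAMPLE) reports AGOL as the effective mode even though security.mode says INTEGRATED, which is the case to watch for when map.apps and the Save State service share one file.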
Configure map.apps
Open the application.properties file for the map.apps webapp and configure the URL for ArcGIS Portal:
# Replace the URL with the URL to your ArcGIS Portal instance.
esri.api.arcgisPortalUrl=https://www.arcgis.com
Client-side app configuration
map.apps SDI comes with an example app sdi_savestate-portal-auth.
This app demonstrates how to configure user authentication with ArcGIS Portal and is a good starting point for creating your own custom app with ArcGIS Portal authentication.
Create a custom app with ArcGIS Portal authentication
These are the required steps to create an app with ArcGIS Portal authentication:
- In map.apps Manager open the "Apps" tab and click the "+" button. Type a name for the app and complete the wizard. Finally, click the "App Editor" button.
- Add the following bundles to your app: authentication, agolauthn, portal-app-security
- In the App Editor click the button "Create new file". Give it the name app.js and add the following content:

    define(["dojo/_base/config", "esri/config"], function (_config, _config2) {
        _config = _interopRequireDefault(_config);
        _config2 = _interopRequireDefault(_config2);

        function _interopRequireDefault(obj) {
            return obj && obj.__esModule ? obj : { default: obj };
        }

        /*
         * Copyright (C) con terra GmbH
         */
        _config2.default.portalUrl = _config.default.ct.arcgisPortalUrl = "https://www.arcgis.com";
        _config2.default.oauthEnabled = _config.default.ct.oauthEnabled = true;
    });

  At the bottom of the file, set the property arcgisPortalUrl to the URL of your ArcGIS Portal instance.
- Click "Save".
- In the App Editor, open your app's app.json file and add the require property to the load section. This property tells your app to load the app.js file you created in the previous step.

    {
        "load": {
            "require": [
                "${app}/app"
            ]
        }
    }

- Still in the app.json file, add the following configuration for the sdi_appstatestore bundle to the existing bundles property:

    {
        "bundles": {
            "sdi_appstatestore": {
                "PortalAuthenticationForStore": {
                    "componentEnabled": true
                }
            }
        }
    }
Managing ArcGIS Portal app states as administrator
Private or group-protected app states created with ArcGIS Portal authentication are not shown in the map.apps Manager app states list. This is because the map.apps Manager app does not support ArcGIS Portal authentication and therefore cannot display those app states.
To work around this, map.apps SDI comes with an app called sdi_savestate-manager-portal-auth that provides the same functionality as the regular app state managing tools in map.apps Manager.