Security Configuration

This section describes different modes for securing the App Status management backend service (Save State service).

By default, the Save State service is not secured. This means any user with access to the Save State service can interact with it in anonymous mode and is able to read, write and edit app states that are tagged to be visible by everyone. Already existing app states in the database that are restricted to certain users or apps cannot be accessed by anonymous users, even if the Save State service is not secured.

When the Save State service is secured, users can log in (but are not required to do so, depending on your app).

There are three different visibility levels for each app state:

  • PRIVATE: The app state is only visible to the user who created it. Note that users must log in to create private app states.

  • GROUP: The app state is visible to all users that are members of the specified group. Users need to be logged in to access group-protected app states as well.

  • PUBLIC: The app state is visible to anybody, including anonymous users.

Configure security modes

Open the application.properties file for the Save State service webapp. By default, the Save State service’s security mode is controlled by the property security.mode. Therefore, if you use the same configuration file for map.apps and the Save State service, both webapps will be configured with the same security mode.

If you want to set a security mode for the Save State service that differs from the security mode in map.apps, set the Save State service’s property savestate.security.mode.

security.mode=INTEGRATED

savestate.security.mode=AGOL

The following security modes are available for savestate.security.mode:

  • NONE: No protection. Viewing, creating, editing and deleting app states allowed for anonymous users.

  • INTEGRATED: Uses the simple security mechanism integrated in the Save State service. Edit and delete are only possible when the logged-in user has the "admin" role. You can set the user name and password for the admin user with the properties security.user.admin.name and security.user.admin.pw.

  • ONLY_AUTHN: Use this mode when you are operating the Save State service in connection with con terra security.manager. For more information, follow the instructions in the map.apps documentation under "Installation and operation - Security - security.manager".

  • AGOL: This mode allows the users of the Save State service to log in with their ArcGIS Portal or arcgis.com credentials. ArcGIS Portal groups can be assigned to app states in order to limit access for groups of users.

AGOL security mode

When you set savestate.security.mode=AGOL, some additional configuration is required.

Configure the Save State service

Open the Save State service’s application.properties file.

Set the URL to the ArcGIS Portal instance you want to use. By default this is https://www.arcgis.com.

security.integrated.agol.organization=https://www.arcgis.com

Configure map.apps

Open the application.properties file for the map.apps webapp and configure the URL for ArcGIS Portal:

# Replace the URL with the URL to your ArcGIS Portal instance.
esri.api.arcgisPortalUrl=https://www.arcgis.com
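
The following check is an added example, not part of the product or its documentation: it reads an application.properties text, resolves the effective Save State security mode as described under "Configure security modes", and reports weak or incomplete settings for the NONE, INTEGRATED and AGOL modes. It assumes that the mode is NONE when neither property is set, that mode names are written exactly as listed above, and that both portal URL properties should point to the same HTTPS instance; the sample input is constructed.

```python
# Added example (not con terra code): audit an application.properties text
# for the Save State security settings described on this page.
MODES = {"NONE", "INTEGRATED", "ONLY_AUTHN", "AGOL"}

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def effective_mode(props):
    """savestate.security.mode overrides security.mode for the Save State service."""
    # Assumption: with neither property set, the service is unsecured (NONE).
    return props.get("savestate.security.mode") or props.get("security.mode") or "NONE"

def audit(text):
    """Return (effective mode, list of findings) for one properties text."""
    props = parse_properties(text)
    mode = effective_mode(props)
    findings = []
    if mode not in MODES:
        findings.append(f"unknown security mode {mode!r}")
    elif mode == "NONE":
        findings.append("NONE: anonymous users can view, create, edit and delete app states")
    elif mode == "INTEGRATED":
        for key in ("security.user.admin.name", "security.user.admin.pw"):
            if not props.get(key):
                findings.append(f"INTEGRATED: {key} is not set")
    elif mode == "AGOL":
        portal = props.get("security.integrated.agol.organization", "https://www.arcgis.com")
        if not portal.lower().startswith("https://"):  # added check, not a product rule
            findings.append(f"AGOL: portal URL {portal} is not HTTPS")
        client = props.get("esri.api.arcgisPortalUrl")
        if client and client.rstrip("/") != portal.rstrip("/"):  # assumed to match
            findings.append("AGOL: esri.api.arcgisPortalUrl differs from security.integrated.agol.organization")
    return mode, findings

# Constructed sample: shared file, map.apps is INTEGRATED, Save State uses AGOL.
SAMPLE = """\
security.mode=INTEGRATED
savestate.security.mode=AGOL
security.integrated.agol.organization=http://portal.example.com/portal
esri.api.arcgisPortalUrl=https://www.arcgis.com
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
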

Client-side app configuration

map.apps SDI comes with an example app sdi_savestate-portal-auth. This app demonstrates how to configure user authentication with ArcGIS Portal and is a good starting point for creating your own custom app with ArcGIS Portal authentication.

Create a custom app with ArcGIS Portal authentication

These are the required steps to create an app with ArcGIS Portal authentication:

  1. In map.apps Manager open the "Apps" tab and click the "+"-button. Type a name for the app and complete the wizard. Finally, click the "App Editor" button.

  2. Add the following bundles to your app: authentication, agolauthn, portal-app-security

  3. In the App Editor click the button "Create new file". Give it the name app.js and add the following content:

    define(["dojo/_base/config", "esri/config"], function(_config, _config2) {
        _config = _interopRequireDefault(_config);
        _config2 = _interopRequireDefault(_config2);
    
        function _interopRequireDefault(obj) {
            return obj && obj.__esModule ? obj : {
                default: obj
            };
        }
    
        /*
        * Copyright (C) con terra GmbH
        */
        _config2.default.portalUrl = _config.default.ct.arcgisPortalUrl = "https://www.arcgis.com";
        _config2.default.oauthEnabled = _config.default.ct.oauthEnabled = true;
    });

    At the bottom of the file, change the value of the property arcgisPortalUrl to the URL of your ArcGIS Portal instance.

  4. Click "Save".

  5. In the App Editor, open your app’s app.json file and add the require property to the load section. This property tells your app to load the app.js file you created in the previous step.

    {
        "load": {
            "require": [
                "${app}/app"
            ]
        }
    }

  6. Still in the app.json file, add the following configuration for the sdi_appstatestore bundle to the existing bundles property:

    {
        "bundles": {
            "sdi_appstatestore": {
                "PortalAuthenticationForStore": {
                    "componentEnabled": true
                }
            }
        }
    }

Managing ArcGIS Portal app states as administrator

Private or group-protected app states created with ArcGIS Portal authentication are not shown in the map.apps Manager app states list. This is because the map.apps Manager app does not support ArcGIS Portal authentication and therefore cannot display those app states.

To work around this problem, map.apps SDI comes with an app called sdi_savestate-manager-portal-auth that provides the same functionality as the regular app state managing tools in map.apps Manager.