Security configuration

This section describes different modes for securing the App Status management backend service (Save State Service).

By default, the Save State Service is not secured. Users with access to the service can interact with it in anonymous mode. They are able to read, write, and edit app states that are tagged to be visible by everyone. Already existing app states in the database that are restricted to certain users or apps cannot be accessed by anonymous users, even if the Save State Service is not secured.

When the Save State Service is secured, users have the possibility to log in, but they are not required to do so, depending on your app.

There are three different visibility levels for each app state:

PRIVATE: The app state is only visible to the user who created it. Note that users must log in to create private app states.
GROUP: The app state is visible to all users that are members of the specified group. Users need to be logged in to access group-protected app states as well.
PUBLIC: That app state is visible to anybody, including anonymous users.

Security modes

Open the application.properties file for the Save State Service webapp. By default, the Save State Service’s security mode is controlled by the property security.mode. Therefore, if you use the same configuration file for map.apps and the Save State Service, both webapps will be configured with the same security mode.

If you want to set a security mode for the Save State Service that differs from the security mode in map.apps, set the Save State Service’s property savestate.security.mode.

Here’s a sample from a common configuration file for map.apps and Save State.

# This configures the security mode for map.apps
security.mode=OAUTH

# This configures a different security mode for the Save State Service.
# You can remove this if both map.apps and Save State Service use the
# same security mode.
savestate.security.mode=NONE

The following security modes are available for security.mode or savestate.security.mode:

NONE: No protection.

Viewing, creating, editing and deleting app states allowed for anonymous users.
INTEGRATED: Uses the simple security mechanism integrated in the Save State Service.

Edit and delete are only possible when the logged-in user has the admin role. You can set the username and password for the admin user with the properties security.user.admin.name and security.user.admin.pw.
ONLY_AUTHN: Use this mode when you are operating the Save State Service in connection with security.manager.

For more information follow the instructions in the map.apps documentation.
OAUTH: This mode allows the users of the Save State Service to log in with their ArcGIS Portal or arcgis.com credentials.

ArcGIS Portal groups can be assigned to app states in order to limit access for groups of users.

Configure OAUTH

If you use the OAUTH security mode you need to do some additional configuration.

Configure map.apps
- Configure your map.apps instance to work with ArcGIS Enterprise portal as identity provider. Follow the map.apps Documentation ArcGIS Enterprise portal.
- Add the Save State REST endpoint to the security.oauth.tokenRules property in the map.apps application.properties:
  security.oauth.tokenRules=https://[HOST]:[PORT]/savestate
Configure the Save State service
- Open the Save State Service application.properties file.
- Provide the URL to the account/self endpoint of the map.apps instance that you use as your identity provider.
  security.oauth.self.service.url=https://[HOST]:[PORT]/mapapps/account/self
Create a custom app with OAUTH:
- In map.apps Manager open the Apps tab and create a new app.
- Open the App Editor.
- Add the authentication bundle to your app.
For each request made to the Save State service, the corresponding OAUTH access token will be appended to the Authorization header. The Save State service then validates the token and responds to the request accordingly.