Security configuration
By default, the Save State Service is not secured. Users with access to the service can interact with it in anonymous mode. They are able to read, create, and edit app states that have public permissions assigned for the view and edit actions.
Existing app states in the database that are restricted to certain users or apps cannot be accessed by anonymous users, even if the Save State Service is not secured.
When the Save State Service is secured, users can log in, but depending on your app they are not required to do so.
For more information on how to restrict access to app states for individual user roles, see the App Status Management bundle documentation.
Security modes
Open the application.properties file for the Save State Service webapp.
By default, the Save State Service’s security mode is controlled by the property security.mode.
Therefore, if you use the same configuration file for map.apps and the Save State Service, both webapps will be configured with the same security mode.
If you want to set a security mode for the Save State Service that differs from the security mode in map.apps, set the Save State Service’s property savestate.security.mode.
Here’s a sample from a common configuration file for map.apps and Save State.
# This configures the security mode for map.apps
security.mode=OAUTH
# This configures a different security mode for the Save State Service.
# You can remove this if both map.apps and Save State Service use the
# same security mode.
savestate.security.mode=NONE
The following security modes are available for security.mode or savestate.security.mode:
- NONE
  No protection.
  Viewing, creating, editing and deleting app states are allowed for anonymous users.
- INTEGRATED
  Uses the simple security mechanism integrated in the Save State Service.
  Edit and delete are only possible when the logged-in user has the admin role. You can set the username and password for the admin user with the properties security.user.admin.name and security.user.admin.pw.
- ONLY_AUTHN
  Use this mode when you are operating the Save State Service in connection with security.manager.
  For more information, follow the instructions in the map.apps documentation.
- OAUTH
  This mode allows the users of the Save State Service to log in with their ArcGIS Portal or arcgis.com credentials.
  ArcGIS Portal groups can be assigned to app states in order to limit access for groups of users.
Configure OAUTH
If you use the OAUTH security mode, you need to do some additional configuration.
- Configure map.apps
  - Configure your map.apps instance to work with ArcGIS Enterprise portal as identity provider. Follow the map.apps documentation on ArcGIS Enterprise portal.
  - Add the Save State REST endpoint to the security.oauth.tokenRules property in the map.apps application.properties:
    security.oauth.tokenRules=https://[HOST]:[PORT]/savestate
- Configure the Save State service
  - Open the Save State Service application.properties file.
  - Provide the URL to the account/self endpoint of the map.apps instance that you use as your identity provider.
    security.oauth.self.service.url=https://[HOST]:[PORT]/mapapps/account/self
- Create a custom app with OAUTH:
  - In map.apps Manager open the Apps tab and create a new app.
  - Open the App Editor.
  - Add the authentication bundle to your app.
    For each request made to the Save State service, the corresponding OAUTH access token will be appended to the Authorization header. The Save State service then validates the token and responds to the request accordingly.
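The following is an added example, not part of the product or its documentation: a small audit of an application.properties file that resolves which security mode applies to the Save State Service (savestate.security.mode overrides security.mode) and reports the gaps described above. The function names, the simplified properties parser, the exact-match treatment of mode names and the https requirement are assumptions of this example.

```python
# Added example: audit the effective Save State security mode.
KNOWN_MODES = {"NONE", "INTEGRATED", "ONLY_AUTHN", "OAUTH"}  # modes listed on this page

def parse_properties(text):
    """Minimal key=value parser (assumption: no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def effective_mode(props):
    """savestate.security.mode wins; otherwise security.mode applies."""
    return props.get("savestate.security.mode") or props.get("security.mode") or None

def audit(text):
    props = parse_properties(text)
    mode = effective_mode(props)
    findings = []
    if mode is None:
        findings.append("no security mode set: service is not secured by default")
    elif mode not in KNOWN_MODES:  # exact match is an assumption of this example
        findings.append(f"unknown security mode {mode!r}")
    elif mode == "NONE":
        findings.append("NONE: anonymous users can view, create, edit and delete app states")
    elif mode == "INTEGRATED":
        for key in ("security.user.admin.name", "security.user.admin.pw"):
            if not props.get(key):
                findings.append(f"INTEGRATED: {key} is not set in this file")
    elif mode == "OAUTH":
        url = props.get("security.oauth.self.service.url", "")
        if not url:
            findings.append("OAUTH: security.oauth.self.service.url is missing")
        elif "[HOST]" in url or "[PORT]" in url:
            findings.append("OAUTH: self service URL still contains a placeholder")
        elif not url.startswith("https://"):
            findings.append("OAUTH: self service URL is not https (assumed policy)")
    return mode, findings

# Constructed sample: a shared file where map.apps uses OAUTH but the
# Save State override leaves the service open to anonymous users.
SAMPLE = "security.mode=OAUTH\nsavestate.security.mode=NONE\n"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against the shared configuration file before deployment; a clean result for OAUTH only means the settings named on this page are present, not that the identity provider is reachable.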
Configuring the admin role
Registered users have certain user roles assigned. You can define one role that is interpreted as the administrator role. Administrative users have full access to all app states, i.e. they can create, view, edit, and delete any app state, independently of the permissions that are assigned to it.
The default role for administrative users is "maAdmin". A user with the maAdmin role is therefore considered an administrator. You can change this by setting the following property in the application.properties file:
savestate.admin.role=maAdmin