Security configuration for Save State Service

By default, the Save State Service is not secured. Users with access to the service interact with it anonymously and can read, create, and edit any app state whose view and edit actions have public permissions assigned.

App states already in the database that are restricted to certain users or apps cannot be accessed by anonymous users, even when the Save State Service is not secured.

When the Save State Service is secured, users can log in.

For more information on how to restrict access to app states for individual user roles, see the App Status Management bundle documentation.

Security modes

The following security modes are available for security.mode or savestate.security.mode:

NONE

No protection.

Viewing, creating, editing, and deleting app states are allowed for anonymous users.

INTEGRATED

Uses the simple security mechanism integrated in the Save State Service.

Edit and delete are only possible when the logged-in user has the admin role.

ONLY_AUTHN

Use this mode when you are operating the Save State Service in connection with security.manager.

OAUTH

This mode allows the users of the Save State Service to log in with their ArcGIS Portal or ArcGIS Online credentials.

ArcGIS Portal groups can be assigned to app states in order to limit access for groups of users.

Configuration

Open the application.properties file for the Save State Service webapp. By default, the Save State Service’s security mode is controlled by the map.apps property security.mode. If you want to set a security mode for the Save State Service that differs from the security mode in map.apps, set the Save State Service’s property savestate.security.mode.

Here is a sample from a configuration file used by both map.apps and the Save State Service.

# This configures the security mode for map.apps
security.mode=OAUTH

# This configures a different security mode for the Save State Service.
# You can remove this if both map.apps and Save State Service use the
# same security mode.
savestate.security.mode=NONE

INTEGRATED

You can set the username and password for the admin user with the properties security.user.admin.name and security.user.admin.pw.

ONLY_AUTHN

For more information, follow the instructions in the map.apps documentation.

OAUTH

The OAUTH security mode requires some additional configuration:

  1. Configure map.apps

    • Configure your map.apps instance to work with ArcGIS Enterprise portal as identity provider. Follow the map.apps documentation on ArcGIS Enterprise portal.

    • Add the Save State REST endpoint to the security.oauth.tokenRules property in the map.apps application.properties:

      security.oauth.tokenRules=https://[HOST]:[PORT]/savestate

  2. Configure the Save State Service

    • Open the Save State Service application.properties file.

    • Provide the URL of the account/self endpoint of the map.apps instance that you use as your identity provider:

      security.oauth.self.service.url=https://[HOST]:[PORT]/mapapps/account/self

  3. Create a custom app with OAUTH:

    • In map.apps Manager, open the Apps tab and create a new app.

    • Open the App Editor.

    • Add the authentication bundle to your app.

    For each request made to the Save State Service, the corresponding OAUTH access token is sent in the Authorization header. The Save State Service then validates the token and responds to the request accordingly.
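The effective-mode rule from the Configuration section (savestate.security.mode overrides the map.apps security.mode, and an unsecured service is the default) and the per-mode properties named in the INTEGRATED and OAUTH sections can be checked mechanically before deployment. The following Python script is an added example and is not part of the map.apps or Save State Service documentation or code. It assumes the properties files use the plain key=value syntax shown on this page, treats the admin name/password (INTEGRATED) and the account/self URL plus the tokenRules entry (OAUTH) as properties that should be set explicitly for their mode, and assumes security.oauth.tokenRules may hold a comma-separated list of URLs; the sample property files inside it are constructed, modelled on the page's sample.

```python
"""Lint the Save State Service security configuration.

Added example, not the project's own code. Checks only what this page
states: the mode precedence, the INTEGRATED admin properties and the
OAUTH endpoint properties. ONLY_AUTHN is delegated to security.manager
and gets no check here.
"""

VALID_MODES = ("NONE", "INTEGRATED", "ONLY_AUTHN", "OAUTH")


def parse_properties(text):
    """Minimal Java .properties parser: 'key=value' or 'key: value' lines,
    '#'/'!' comments and blank lines ignored, whitespace stripped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def effective_mode(savestate, mapapps):
    """Precedence from the page: savestate.security.mode, then the map.apps
    security.mode (which may live in a shared file), then NONE."""
    merged = {**mapapps, **savestate}
    mode = merged.get("savestate.security.mode") or merged.get("security.mode") or "NONE"
    return mode.upper()


def lint(savestate_text, mapapps_text=""):
    """Return (effective_mode, findings). An empty findings list means the
    configuration is consistent with the requirements on this page."""
    savestate = parse_properties(savestate_text)
    mapapps = parse_properties(mapapps_text)
    merged = {**mapapps, **savestate}
    mode = effective_mode(savestate, mapapps)
    findings = []

    if mode not in VALID_MODES:
        return mode, [f"unknown security mode '{mode}'"]

    if mode == "NONE":
        # Not a misconfiguration, but worth surfacing: no protection at all.
        findings.append("NONE: anonymous users can view, create, edit and delete public app states")

    elif mode == "INTEGRATED":
        # Edit/delete need the admin role, so the admin user should be configured explicitly.
        for key in ("security.user.admin.name", "security.user.admin.pw"):
            if not merged.get(key):
                findings.append(f"INTEGRATED: {key} is not set explicitly")

    elif mode == "OAUTH":
        # The service must know the map.apps account/self endpoint (https, as on the page).
        self_url = merged.get("security.oauth.self.service.url", "")
        if not (self_url.startswith("https://") and self_url.endswith("/account/self")):
            findings.append("OAUTH: security.oauth.self.service.url is not an https .../account/self URL")
        # tokenRules is assumed to be a comma-separated list of URLs; it must
        # include the Save State endpoint so map.apps sends the token there.
        rules = [r.strip().rstrip("/") for r in mapapps.get("security.oauth.tokenRules", "").split(",")]
        if not any(r.endswith("/savestate") for r in rules if r):
            findings.append("OAUTH: map.apps security.oauth.tokenRules does not list the .../savestate endpoint")

    return mode, findings


# Constructed sample files, modelled on the page's sample configuration.
MAPAPPS_PROPS = """
# map.apps application.properties (constructed sample)
security.mode=OAUTH
security.oauth.tokenRules=https://[HOST]:[PORT]/savestate
"""

SAVESTATE_OAUTH = """
# Save State Service application.properties (constructed sample)
security.oauth.self.service.url=https://[HOST]:[PORT]/mapapps/account/self
"""

SAVESTATE_NONE = """
# Save State Service overrides the map.apps mode (constructed sample)
savestate.security.mode=NONE
"""

if __name__ == "__main__":
    for name, text in (("oauth", SAVESTATE_OAUTH), ("none", SAVESTATE_NONE)):
        mode, findings = lint(text, MAPAPPS_PROPS)
        print(f"{name}: effective mode {mode}; findings: {findings or 'none'}")
```

Running the script against the two constructed Save State files shows the override in action: with MAPAPPS_PROPS alone the service inherits OAUTH and passes every check, while the file that sets savestate.security.mode=NONE drops the service back to an unprotected mode regardless of what map.apps uses, which is exactly the case the sample configuration on this page produces.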