With version 10.3.1, Esri introduced Server Object Interceptors (SOIs) in ArcGIS for Server. SOIs are containers for additional logic applied to published services. For security.manager, an SOI is therefore a perfect environment for enforcing policies on ArcGIS services.
This figure shows the typical security.manager deployment: security.manager acts as a proxy between clients and ArcGIS for Server. Clients do not access the ArcGIS service endpoints directly; they first hit the corresponding security.manager endpoints instead. security.manager then authenticates the requesting user and authorises the request. All authorised requests are then passed on to ArcGIS for Server.
In contrast to this, the following figure shows the SOI approach of security.manager:
The proxy component, which was responsible for enforcement, is no longer needed. Enforcement now happens directly inside the SOI of the actual service. Clients therefore access the ArcGIS for Server endpoints directly, which significantly reduces the complexity of the deployment.
Such a security.manager SOI can now be activated for each service individually inside of the ArcGIS Server Manager. For services which do not need fine-grained security, the SOI activation can be omitted.
Preview at the Esri User Conference and at the Intergeo
This new technology is important not only for con terra. Esri Inc. also used this first SOI implementation by a partner as a proof of concept in various technical sessions during the Esri User Conference in San Diego. con terra was invited to demonstrate this implementation in the "What's New in ArcGIS for Server" and the "Extending ArcGIS for Server" sessions, and to talk about our experiences when implementing an SOI.
The German public will get a preview of this implementation during the Intergeo; the first product release is expected by the end of this year.
security.manager Roadmap
SOIs are an additional deployment option for security.manager. However, both variants, the proxy approach as well as the SOI implementation, have their specific advantages, so which approach fits better depends on the actual customer setup.
Currently, SOIs are only available for MapServer and its derivatives, while the established version of security.manager supports many more service types, including 3rd party OGC service implementations. Furthermore, services using caching (like tiled map services) cannot be supported by the SOI approach, since access to the cache does not touch the SOI.
There are also differences in how security.manager is deployed in actual customer environments. The proxy pattern, for instance, allows GIS and security to be scaled independently. Moreover, the proxy pattern fits certain system architectures well, with the proxy component placed in a DMZ while ArcGIS for Server remains in an internal network segment.
However, especially due to its integration into the ArcGIS Server Manager and the less complex deployment, the SOI approach can lead to a more homogeneous and easier-to-maintain system architecture.
For further information, please contact me directly!
Rüdiger is Product Owner for the security.manager and map.apps User Management products.