Secure access to GIS resources in the portal

SuperMap iPortal provides a variety of security mechanisms for the resources (data, maps, services, scenes, etc.) that users register in the portal. HTTP Form-based user authentication protects the restricted resources in the portal. iPortal also provides two further authentication mechanisms, based on Token and on Resource Key, to secure access to service resources in the portal through REST and Web Applications. The three authentication mechanisms are described in detail below:

HTTP Form based authentication

SuperMap iPortal provides a user authentication method based on HTTP Form. Public resources can be accessed anonymously; all other resources, which carry access permissions, can be accessed only after login.

In iPortal, when a user requests a protected resource, the browser is automatically redirected to the login page (http://localhost:8190/iportal/web-ui/login). After entering the correct username and password, the user can access the GIS resources in the portal for which they have permission. The browser stores the login cookie, and subsequent requests carry it automatically, so there is no need to log in again.

Login is also supported through REST, by accessing the login resource. HTTP Form-based user authentication is easy to use and popular, but its weakness is the risk of user name and password leakage. For this reason, SuperMap iPortal also provides Token-based authentication and Resource Key-based authentication to ensure security when accessing GIS services in the portal.

Token-based authentication

SuperMap iPortal provides a Token-based user authentication mechanism so that users only need to provide a Token when accessing protected service resources, instead of a user name and password. A Token is a string that contains a username, an expiration date, and some proprietary information, and is encrypted with a shared key. The user provides a user name and password when applying for a Token from iPortal, and the server returns the corresponding Token once the credentials have been verified.

When users access protected services, such as through REST, Web Application, etc., they only need to provide the correct Token to access related service resources. For users who access GIS services through Web Applications, this authentication method can effectively avoid the disclosure of server user accounts. Currently, all service types in the SuperMap iPortal service list (http://localhost:8091/iserver/services) support token-based authentication, including various REST service modules, OGC services, etc.

The overall process of acquiring and using Token in iPortal is the same as iServer. For details, please refer to iServer Token-based authentication:

  1. Users can apply for and obtain Tokens with their accounts. For details, see Obtaining Token.
  2. Carry the acquired Token to access protected service resources. For details, see Accessing protected service resources. The GIS services in iPortal (for details, see the GIS service resource hierarchy) and all resources in Service Manager (for details, see the Service management resource hierarchy) support access via Token.

In addition to the information entered by the user when obtaining the Token, the generation of the Token also requires the encryption key specified by the server. The system administrator can configure the shared key for Token generation. For details, please refer to Configuring the shared key of Token.

Resource Key based authentication

Similar to the Token-based authentication method, the service access authentication mechanism based on the Resource Key requires users to provide a Resource Key, instead of their username and password, when accessing protected service resources. A Resource Key is the password-like identifier of the service and consists of 24 random letters and numbers.

The difference is that a Resource Key can control the access scope of services: you can restrict a Resource Key so that it can access only some of your services, not all of them. You can also control the number of times a specific service is accessed: once the access quota of the key is exceeded, the key can no longer access the service.
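
The scope and quota rules described above can be modelled in a few lines. The following Python sketch is an added example, not iPortal code or its data model: the KeyStore class, the service IDs and the result strings are hypothetical, and only the key format (24 random letters and numbers) is taken from this page.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
KEY_LENGTH = 24  # key length stated on this page


def new_resource_key() -> str:
    """Draw 24 letters/digits from the OS CSPRNG (about 142 bits of entropy)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))


@dataclass
class KeyRecord:
    key: str
    services: frozenset  # service IDs this key may reach (hypothetical IDs)
    quota: dict          # service ID -> remaining calls; absent = unlimited


class KeyStore:
    """Hypothetical server-side store, assumed for illustration only."""

    def __init__(self):
        self._records = []

    def issue(self, services, quota=None) -> str:
        rec = KeyRecord(new_resource_key(), frozenset(services), dict(quota or {}))
        self._records.append(rec)
        return rec.key

    def authorize(self, presented: str, service: str) -> str:
        # Constant-time comparison against every record avoids leaking
        # how many leading characters of a guessed key were correct.
        match = None
        for rec in self._records:
            if hmac.compare_digest(rec.key.encode(), presented.encode()):
                match = rec
        if match is None:
            return "unknown_key"
        if service not in match.services:
            return "out_of_scope"    # key is valid, but not for this service
        remaining = match.quota.get(service)
        if remaining is not None:
            if remaining <= 0:
                return "quota_exceeded"  # key stops working for this service
            match.quota[service] = remaining - 1
        return "allowed"
```

Because a key is scoped to named services, a key leaked from a web page exposes only those services, and a per-service quota bounds how much use a leaked key can get before it stops working.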

When developing Web GIS applications, you can access service resources in the portal through service calls. Once iPortal has the service proxy enabled (it is enabled by default), accessing service resources that require viewing permissions (including my private services, services shared with me, and services in my department and groups) takes two steps: first generate a key in iPortal, namely the Resource Key, then use the proxy service address (which can be viewed on the service details page) plus the Resource Key in your application to access the resources. Currently, the types of services supported by Resource Key include SuperMap REST services, OGC services, and ArcGIS REST services.

For a detailed introduction to the generation, use, and management of Resource Keys, please refer to My Keys.