Latest Contributions by DavidAskov

I have my GeoPortal 1.2.4 app all set up using connections to LDAP. Everything is working well security-wise, and now I want to enable single sign on. Without reading any documentation, I tried setting singleSignOn (in gpt.xml) to true to see what would happen. I am able to log in, and it shows my user name in the top with a welcome message and there is a logout link. After I navigate to any other page in the app (e.g.: click on "Search" tab), I am logged out. So, I decided I needed to research this a bit, and found these instructions: https://github.com/Esri/geoportal-server/wiki/Single-Sign-On#Modify_the_webxml_File Are those the correct instructions? We are using Tomcat, so I am following the Tomcat section in that documentation. The three sections in the docs are: 1) Modify the Tomcat server.xml File: The server.xml was already set up for LDAP before we started. We verified that everything was set up per the docs. As I said before, the connection to LDAP is working ok. No problems there - just trying to enable Single Sign On with other apps. 2) Update the geoportal gpt.xml file: Changed "false" to "true" - simple. 3) Modify the web.xml File: This is where I really ran into trouble. It tells us to uncomment certain sections, but our web.xml file looks NOTHING like the text in the instructions. Our security-constraint section looks like this:     <!--security-constraint>         <web-resource-collection>         <web-resource-name>Restricted content</web-resource-name>         <description>Restricted content</description>         <url-pattern>/Eros</url-pattern>         <url-pattern>/rest/usage/*</url-pattern>         <http-method>GET</http-method>         <http-method>POST</http-method>         <http-method>PUT</http-method>         <http-method>DELETE</http-method>       </web-resource-collection>         <user-data-constraint>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>       </user-data-constraint>     </security-constraint--> Uncommenting this had no effect. I also tried copying the security-constraint from the docs into the file, but then we just get a Tomcat 403 error when we try to log in. Can anyone help me figure this out? Security seems to be working ok in the GeoPortal as a stand-alone app, so we just want to enable single sign on now. thanks! ... View more

Hi everyone. Here is my setup: -- I have my geoportal connecting just fine to my LDAP. -- I set <metadataAccessPolicy type="restricted"/> -- The <groups> tag is configured OK, and seems to be finding my groups in LDAP. Now, when I go to set an access level for a record, it shows me ALL the groups. Is there a way to get the <metadataManagementGroup> tags to specify to hide a given group? Some of them have to do with other apps, and are not relevant to metadata management. thanks, David ... View more

Every request to ArcGIS Server for a secured map service results in a query to LDAP. This is causing millions of lookup queries to go to our LDAP and periodically crashing it.  We have several web and mobile applications that all use 3 different tokens, and this accounts for about 90% of our map service traffic. Very few requests come in from individual user accounts. ArcGIS Server reads the token, figures out which user it is for, and sends a query to LDAP to see what roles the user has. It is asking LDAP the same question for the same user multiple times per second.  Suggestion: Make a setting for how long to store LDAP lookups in a cache and perhaps another setting for how many LDAP queries to hold in the cache.  We add and remove users from time to time, so a cache solution shouldn't require us to restart ArcGIS Server. We rarely change the roles a user has, so that could be cached for a longer time. If I could make ArcGIS Server cache the role lookup for even just 10 minutes, I estimate that would eliminate the need for 99.92% (I did the math) of our LDAP lookups.  I was told by tech support (incident 122519) that this may be possible in a web tier auth, but he also said this was something we'd have to figure out on our own and is not supported.  ... View more

PROBLEM: For map services secured with the ArcGIS Token Server, there is no KML export. The "Generate KML" links on the REST pages are missing. SUGGESTION: Make KML export available with the token-secured map services.  COMMENTS: I suspect this is because Google Earth doesn't know how to navigate the token server. I know Google Earth can use Basic authentication, so here are two ideas:  1) Something like the like proxy page solution (https://developers.arcgis.com/en/javascript/jshelp/ags_proxy.html) where I can generate a token and embed it in my page, and that connects through to KML. I then secure that page with the rest of my web applications.  2) Something like the old ArcIMS WMF or WFS connectors, where it is a separate app I install.  3) Something that enables Basic or Form-based auth or whatever Google Earth can navigate.  I would even be ok with building my own connector, but right now, there is nothing to connect to! As soon as I secure the map service (or it's folder), the KML export options are gone. ... View more

PROBLEM: For map services secured with the ArcGIS Token Server, there is no KML export. The "Generate KML" links on the REST pages are missing. SUGGESTION: Make KML export available with the token-secured map services.  COMMENTS: I suspect this is because Google Earth doesn't know how to navigate the token server. I know Google Earth can use Basic authentication, so here are two ideas:  1) Something like the like proxy page solution (https://developers.arcgis.com/en/javascript/jshelp/ags_proxy.html) where I can generate a token and embed it in my page, and that connects through to KML. I then secure that page with the rest of my web applications.  2) Something like the old ArcIMS WMF or WFS connectors, where it is a separate app I install.  3) Something that enables Basic or Form-based auth or whatever Google Earth can navigate.  I would even be ok with building my own connector, but right now, there is nothing to connect to! As soon as I secure the map service (or it's folder), the KML export options are gone. ... View more

We got our Geoportal running on Windows just fine under Tomcat. Our database is PostgreSQL, and it is on a separate machine. Now, we want to migrate this to a Tomcat app server running on CentOS (database is staying put). The installation doc for Linux that came with 1.2.2 shows only one tiny Linux-specific change related to harvesting. The geoportal website comes up ok, but when I do a search, I get two errors on the resulting web page. Error1: Could not get a csw search engine: Did not get key = local in repository com.esri.gpt.framework.context.ConfigurationException: A databaseReference has not been configured for connectionTag: Error2: Could not perform operation. In the logs, I see a stack trace error (see attached). Note that when I read this doc, it may not be the latest version, but apparently there are a lot of setup steps that are not in my 1.2.2 Linux documentation: http://www.esri.com/~/media/Files/Pdfs/library/whitepapers/pdfs/geoportal-server-setup-on-linux.pdf So, do I need to do all those steps, or did the new version make them unnecessary? Anything else I'd need to do? thanks! ... View more