2

这是一个复杂的问题,所以请耐心等待。

场景:使用 ASHX 代理将请求中继到 ArcGIS 服务器。尝试使用 ASP.NET 模拟,以便在向 ArcGIS 服务器发送请求时,代理使用登录的 ASP.NET 用户凭据。

问题:对 ArcGIS 服务器的代理请求被拒绝 401,即使我知道模拟帐户 (sean.ryan-B + sean.ryan) 确实具有访问权限。

有4台机器:

1. machine hosting proxy page.  I am logged in as: sean.ryan-B
2. a test machine. I am logged in as sean.ryan-B
3. my laptop. I am logged in as sean.ryan
4. the arcgis server.

All 4 machines are on the same domain.

web.config:
  <authentication mode="Windows"/>
   <identity impersonate="true" />  <!-- userName="EUROPE\sean.ryan-B" password="xxx" -->
  <authorization>
    <deny users="?"/>
  </authorization>

Test-1. Opening a test page, in same web app as proxy, via the proxy:
http://myHost.com/sean/ProxyAsp.Net/ArcGisProxy.ashx?http://myHost.com/sean/ProxyAsp.Net
[ok on all boxes 1-3]

This looks OK - the impersonation seems look OK, 
since with impersonation OFF:    WindowsIdentity.GetCurrent().Name = the AppPool account
    with impersonation ON:    WindowsIdentity.GetCurrent().Name = EUROPE\sean.ryan or EUROPE\sean.ryan-B

Test-2. opening an image that is hosted on the same IIS (but a different site), via the proxy:
http://myHost.com/sean/ProxyAsp.Net/ArcGisProxy.ashx?http://myHost.com:10400/sites/CaSPER/SiteAssets/CaSPER.jpg
[ok on boxes 1-3]

Test-3. opening the ArcGIS map URL, via the proxy:
http://myHost.com/sean/ProxyAsp.Net/ArcGisProxy.ashx?http://mapserver1.com/ArcGIS/rest/services/Global/2D_BaseMap_SurfaceGeology/MapServer?f=json&callback=dojo.io.script.jsonp_dojoIoScript1._jsonpCallback
[fails on boxes 2,3 but succeeds on the proxy host (box 1)!]

code for the ASHX code-behind:

    public partial class ArcGisProxy : IHttpHandler, IReadOnlySessionState //ASHX     implements IReadOnlySessionState in order to be able to read from session
    {
        public void ProcessRequest(HttpContext context)
        {
            try
            {
                HttpResponse response = context.Response;

                // Get the URL requested by the client (take the entire querystring at once
                //  to handle the case of the URL itself containing querystring parameters)
                string uri = context.Request.Url.Query;
                uri = uri.Substring(1); //the Substring(1) is to skip the ?, in order to get the request URL.

                System.Net.HttpWebRequest req = (System.Net.HttpWebRequest)WebRequest.Create(uri);

                {
                    req.Credentials = CredentialCache.DefaultCredentials; //this works on local box, with -B account.  this is the account the web browser is running under (rather than the account logged into CaSPER with, as ASHX has separate server session).

                    req.ImpersonationLevel = TokenImpersonationLevel.Impersonation;
                }

                //to turn off caching: req.CachePolicy = new RequestCachePolicy(RequestCacheLevel.NoCacheNoStore);
                req.Method = context.Request.HttpMethod;
                req.ServicePoint.Expect100Continue = false;
                req.Referer = context.Request.Headers["referer"];

                // Set body of request for POST requests
                req.Method = "GET";

                // Send the request to the server
                System.Net.WebResponse serverResponse = null;
                try
                {
                    serverResponse = req.GetResponse();
                }
                catch (System.Net.WebException webExc)
                {
                    //logger.Log(GetMyUrl(), webExc, context.Request);

                    response.StatusCode = 500;
                    response.StatusDescription = webExc.Status.ToString();
                    response.Write(webExc.ToString());
                    response.Write(webExc.Response);
                    response.Write("Username = " + context.User.Identity.Name + " " + context.User.Identity.IsAuthenticated + " " + context.User.Identity.AuthenticationType);
                    response.End();
                    return;
                }

                // Set up the response to the client
                ....
                    ......

                response.End();
            }
            catch (Exception ex)
            {
                throw;
            }
        }

        public bool IsReusable
        {
            get
            {
                return false;
            }
        }
    }

注意:以下更改意味着对地图服务器的代理请求确实成功:

a) 在 web.config 中设置身份,将用户名、密码显式设置为 sean.ryan-B 帐户:

-或者-

b) 将 App Pool 帐户设置为 sean.ryan-B 并在 web.config 文件中关闭模拟。

但是,这些更改对于生产来说是不可接受的。

问题似乎是: - ASP.NET 模拟对于托管在同一 IIS 上的测试页面 + 图像(测试 1 和 2)来说足够好,但对于地图服务器来说不够好。

据我所知,ArcGIS 地图服务器使用的是 Negotiate,然后是 Kerberos 身份验证。

使用 WireShark,我监测到一个成功的代理请求,发现:401 之后,代理使用 SPNEGO (Kerberos) 发送带有 AUTH 的 GET

有人对 ArcGIS 代理有类似的问题吗?

我的理论是,盒子 1 上的模拟“效果更好”,因为浏览器与代理在同一个盒子上运行。

是否可以限制 ArcGIS Server(或它正在使用的 IIS 站点)以防止接受模拟?

欢迎提出任何建议...... ps 很难通过这篇文章 - 必须将大部分内容格式化为代码,将其检测为源代码也是如此!

4

0 回答 0