这是一个复杂的问题,所以请耐心等待。
场景:使用 ASHX 代理将请求中继到 ArcGIS 服务器。尝试使用 ASP.NET 模拟,以便在向 ArcGIS 服务器发送请求时,代理使用登录的 ASP.NET 用户凭据。
问题:对 ArcGIS 服务器的代理请求被拒绝 401,即使我知道模拟帐户 (sean.ryan-B + sean.ryan) 确实具有访问权限。
有4台机器:
1. machine hosting proxy page. I am logged in as: sean.ryan-B
2. a test machine. I am logged in as sean.ryan-B
3. my laptop. I am logged in as sean.ryan
4. the arcgis server.
All 4 machines are on the same domain.
web.config:
<authentication mode="Windows"/>
<identity impersonate="true" /> <!-- userName="EUROPE\sean.ryan-B" password="xxx" -->
<authorization>
<deny users="?"/>
</authorization>
Test-1. Opening a test page, in same web app as proxy, via the proxy:
http://myHost.com/sean/ProxyAsp.Net/ArcGisProxy.ashx?http://myHost.com/sean/ProxyAsp.Net
[ok on all boxes 1-3]
This looks OK - the impersonation seems look OK,
since with impersonation OFF: WindowsIdentity.GetCurrent().Name = the AppPool account
with impersonation ON: WindowsIdentity.GetCurrent().Name = EUROPE\sean.ryan or EUROPE\sean.ryan-B
Test-2. opening an image that is hosted on the same IIS (but a different site), via the proxy:
http://myHost.com/sean/ProxyAsp.Net/ArcGisProxy.ashx?http://myHost.com:10400/sites/CaSPER/SiteAssets/CaSPER.jpg
[ok on boxes 1-3]
Test-3. opening the ArcGIS map URL, via the proxy:
http://myHost.com/sean/ProxyAsp.Net/ArcGisProxy.ashx?http://mapserver1.com/ArcGIS/rest/services/Global/2D_BaseMap_SurfaceGeology/MapServer?f=json&callback=dojo.io.script.jsonp_dojoIoScript1._jsonpCallback
[fails on boxes 2,3 but succeeds on the proxy host (box 1)!]
code for the ASHX code-behind:
public partial class ArcGisProxy : IHttpHandler, IReadOnlySessionState //ASHX implements IReadOnlySessionState in order to be able to read from session
{
public void ProcessRequest(HttpContext context)
{
try
{
HttpResponse response = context.Response;
// Get the URL requested by the client (take the entire querystring at once
// to handle the case of the URL itself containing querystring parameters)
string uri = context.Request.Url.Query;
uri = uri.Substring(1); //the Substring(1) is to skip the ?, in order to get the request URL.
System.Net.HttpWebRequest req = (System.Net.HttpWebRequest)WebRequest.Create(uri);
{
req.Credentials = CredentialCache.DefaultCredentials; //this works on local box, with -B account. this is the account the web browser is running under (rather than the account logged into CaSPER with, as ASHX has separate server session).
req.ImpersonationLevel = TokenImpersonationLevel.Impersonation;
}
//to turn off caching: req.CachePolicy = new RequestCachePolicy(RequestCacheLevel.NoCacheNoStore);
req.Method = context.Request.HttpMethod;
req.ServicePoint.Expect100Continue = false;
req.Referer = context.Request.Headers["referer"];
// Set body of request for POST requests
req.Method = "GET";
// Send the request to the server
System.Net.WebResponse serverResponse = null;
try
{
serverResponse = req.GetResponse();
}
catch (System.Net.WebException webExc)
{
//logger.Log(GetMyUrl(), webExc, context.Request);
response.StatusCode = 500;
response.StatusDescription = webExc.Status.ToString();
response.Write(webExc.ToString());
response.Write(webExc.Response);
response.Write("Username = " + context.User.Identity.Name + " " + context.User.Identity.IsAuthenticated + " " + context.User.Identity.AuthenticationType);
response.End();
return;
}
// Set up the response to the client
....
......
response.End();
}
catch (Exception ex)
{
throw;
}
}
public bool IsReusable
{
get
{
return false;
}
}
}
注意:以下更改意味着对地图服务器的代理请求确实成功:
a) 在 web.config 中设置身份,将用户名、密码显式设置为 sean.ryan-B 帐户:
-或者-
b) 将 App Pool 帐户设置为 sean.ryan-B 并在 web.config 文件中关闭模拟。
但是,这些更改对于生产来说是不可接受的。
问题似乎是: - ASP.NET 模拟对于托管在同一 IIS 上的测试页面 + 图像(测试 1 和 2)来说足够好,但对于地图服务器来说不够好。
据我所知,ArcGIS 地图服务器使用的是 Negotiate,然后是 Kerberos 身份验证。
使用 WireShark,我监测到一个成功的代理请求,发现:401 之后,代理使用 SPNEGO (Kerberos) 发送带有 AUTH 的 GET
有人对 ArcGIS 代理有类似的问题吗?
我的理论是,盒子 1 上的模拟“效果更好”,因为浏览器与代理在同一个盒子上运行。
是否可以限制 ArcGIS Server(或它正在使用的 IIS 站点)以防止接受模拟?
欢迎提出任何建议...... ps 很难通过这篇文章 - 必须将大部分内容格式化为代码,将其检测为源代码也是如此!