Adding Secured WMS and WFS Services from GeoServer to ArcGIS Online

Open Standards have enabled interoperability of systems. Nowadays we can see  proprietary solutions communicating successfully with open source software. A typical example is an organization publishing data via GeoServer and users using ArcGIS Online to create maps using data from GeoServer. 

Some GeoSolutions customers use this hybrid approach of publishing secured data in GeoServer and enabling customers to use their Esri tools. Terradex is one example.

GeoSolutions has enabled Terradex to published secure layers via GeoServer for contaminated land, conservation land and pipeline easements to increase the reliability of cleanup remedies reliant on institutional or engineering controls. Our customers use Esri’s ArcGIS online to access our data.  GeoSolutions expertise has enabled our business process to work seamlessly in this hybrid environment. 

Bob Wenzlau, CEO, Founder Terradex 

This blog provides guidance on how to enable this approach, in particular when trying to use data from secured services in GeoServer, including both OGC WMS and WFS services.

GeoServer is one of the most robust servers to publish geospatial data, including raster and vector data. Also GeoServer can be fine tuned to enable layers to only be accessible by a certain type of user. This is a typical use case when an organization has valuable data and has customers that are only interested in a particular area of interest or a particular layer.

Esri provides an ArcGIS Online platform that enables users to share maps. Some of these maps can come from external servers, for example from GeoServer. However, there are important things to consider when adding secured layers to ArcGIS Online.

Assume that the server is using basic HTTP Authentication (i.e. user and password credentials). In a default ArcGIS Online scenario, when adding an endpoint to ArcGIS Online, you will probably get a 401 error because the AOL portal does not enable a popup window or similar to allow users to provide their username and password. The following needs to be done:

• Properly configure GeoServer
• Properly configure ArcGIS Online

Properly configure GeoServer

To secure services (e.g. WMS and WFS) via GeoServer the following needs to be done:

• Enable HTTPS in the machine where GeoServer is installed. Nowadays HTTPS is preferred over HTTP, since it enables a secure handshake between the client and a server using SSL encryption. If just using HTTP the request (e.g. sending passwords would be done by simply using  base64 encoding, which can be easily guessed by doing reverse encoding.
• Enable Cross-Origin Resource Sharing (CORS) in GeoServer to allow JavaScript applications outside of your own domain, or web browsers, to use GeoServer.
• Limit the CRS exposed in the GeoServer setup. See more about this topic in the GeoServer manual. You basically need to tell GeoServer to only expose some SRSs. This will enable faster response when interacting with Esri’s clients, since Esri will read the capabilities document and will prepare the client to enable it with all the SRSs list in the GetCapabilities.  This setup is not a must, but will avoid having timeout errors that can be confused with security errors.

Limited SRS list configuration in GeoServer

Properly configure permission in GeoServer. GeoServer allows different types of security settings (see more at GeoSolutions training). This blog talks about a simple username/password authentication that works against a user/group service managed by GeoServer. This approach is fine as long as the number of users is low (<=50) and the frequency of new users to be created is small (e.g. one every week). If using other more robust security settings similar approaches need to be taken into account. By default, layers added to GeoServer are open to everybody, The process to secure  access based on services published by GeoServer (e.g.  WFS, WMS, WCS) and their specific operations (GetCapabilities, GetMap, and so on) is as follows:

1. Create  user group (for example associating a user group to a customer.
2. Create a role and associate the user group to the role.
3. Configure how the layers will be advertised. It might happen that the GetCapabilities is opened to anyone and that you may want to advertise or not the layer. This is done in the Data Security/Catalog mode configuration

Adding Secure Services in ArcGIS Online

Adding a secured service in ArcGIS Online is not easy in the default setup. The steps shown in this setup might not only apply to GeoServer but other geospatial servers that are secured. The ArcGIS Online help provides detailed information about usage of protected services. The process to allow users/customers to setup ArcGIS Online to access GeoServer secured layers   is as follows:

1. The Customer/user creates an organization in ArcGIS Online. This requires activating the ArcGIS Online subscription, setting and organization, and  adding members that can manage the content being created within the organization.
2. The customer accessing the data adds the server in the list of trusted servers in their AOL organization. 
3. The customer adds a layer from the web. The detail process is explained at Esri’s documentation website. It essentially involves going to the organization maps and adding an external layer.

Let us now try to add a WMS layer from a GeoServer instance that is protected with basic authentication. In the AOL Map to add and external WMS layer select the “Add” menu and then the submenu “Add Layer from Web”.

Adding a layer from the Web in ArcGIS Online

Then in the following window, you need to put the following information:

• Select “A WMS OGC Web Service” from the drop down menu
• Put the GetCapabilities URL of the protected GeoServer WMS you want to load data from
• Click on the “GET LAYERS” button to invoke the GetCapabilities request

ArcGIS Online Web Interface Asking for Credentials

A window with the layers that were parsed from the GeoServer response is presented.

AGOL reading the GetCapabilities from your GeoServer

then click on “Add Layer”, et voilà, you can see WMS layers from your protected GeoServer.

States layer from GeoServer shown in AGOL

 In conclusion, hybrid approaches are very popular nowadays to share data, powered of course by OGC standards. Consuming services that are secured can be a little bit tricky and requires configuration in the server side, the web container, and the client. At GeoSolutions we champion open source but more than that interoperability of systems that helps clients achieve their mission.

If you are interested in learning more about how we can help you get the best out of GeoServer (e.g. securing services, connecting to Esri clients, etc.) and help you achieve your needs through our Enterprise Support Services and Subscription Services  please contact us!

Cordially,
Luis, on behave of the  GeoSolutions team,