HTML5 Viewer Add layer at run time

Permanently deleted user

15 Juni 2016 23:26

Hi all,

 

As you know, Silverlight viewer has an "Add Layer" tool in Data source tab which let you add map service at run time, but I couldn't find this tool in HTML5 Viewer, is there any way to do this in HTML5 Viewer?

 

Regards

0

• 

  Permanently deleted user

  16 Juni 2016 00:06

  Peter, We are deperately waiting on this too, and I think there is talk of it arriving at 2.7

   

  Basically it's on their high priority list based on the recent webinars and conference sessions

  0
• 

  Permanently deleted user

  16 Juni 2016 00:14

  Thanks Gareth for update.

  0
• 

  Permanently deleted user

  16 Juni 2016 00:20

  It's coming soon! In the 2.7 HTML5 viewer, you'll be able to search for and dynamically add map services and layers from ArcGIS Server and ArcGIS Online, as well as WMS layers.

  0
• 

  Permanently deleted user

  06 Juli 2017 22:22

  Hi Jordan, I know it has been little over year since you replied to this question. Yes, I can do search and dynamically add map services on 2.7 HTML5 viewer but in order for this happen, Map Server URL has to be registered under Service Connections from Geocortex Essential Manager.

  Is there any way I can to add map services from any Map Server without registering it's URL onto Service connections?

   

  Thanks

   

  Jaeyoung

  0
• 

  Permanently deleted user

  26 Juli 2017 18:20

  Hi, Jaeyoung. For security reasons, viewer users are not able to add map services without their servers' URLs first being whitelisted by an administrator in Manager.

  0
• 

  Permanently deleted user

  31 Juli 2017 01:09

  As an administrator, I don't have an issue if my users want to add map services from external providers, as they could previously with the Silverlight viewer.

   

  Could you please elaborate on the security reasons why we should not allow this, and is there a way that I can allow it if we as a business decide that the risk is outweighed by the benefit?

  0
• 

  Ryan Cooney

  23 September 2017 05:52

  Hi Lindsay,

   

  When the ArcGIS JavaScript API loads a map service from a different domain than the viewer it evaluates whatever JavaScript code happens to be at the map service URL. It uses a process called JSONP to do this. If the URL is not a trusted source this is very risky.

   

  If the map service URL happens to point to some malicious JavaScript code rather than an actual service what happens is the end user runs that code inside their web browser. The malicious code would typically do something like:

  • Obtain any security access tokens from the viewer application and use them or send them to an external service.
  • Issue HTTP requests to other services from the end user’s web browser. Since it is technically the end user that is making these HTTP requests whatever cookies or Windows credentials the user has may be part of these requests. This allows the malicious code to attack other systems on your intranet or the public internet using legitimate credentials.

  Here’s a real attack that we are able to demonstrate if we remove the whitelist protection. 

  1. I receive an email to check out a new free high resolution orthophoto base map. Sounds cool!
  2. I plug the map service URL into my viewer and it appears to load. Or maybe it doesn’t. It doesn’t really matter since the damage is already done.
  3. The loading of that URL actually ran some extra code that sent my security access token to another server on the internet and issued HTTP requests to delete features from an editable ArcGIS feature service on my intranet that is secured with Windows Integrated security.

  These style of attacks generally require an end user to do something they shouldn’t. However counting on end user behaviour to avoid an attack is not a good practice. We made the decision that Geocortex software would not provide the means for such an attack. Our approach, while restrictive, gives administrators control over what is considered a legitimate map service source.

   

  We have not provided an administrative switch for this. There are very few scenarios where it would be truly safe to open this up. We also know that there is a demand for this capability and that if it were to be possible it would be enabled in cases where it definitely should not be despite our warnings. 

   

  Silverlight was not prone to this problem (at least not in the same way) since the underlying technology would not run code that it downloaded from an untrusted source.

   

  ?I hope this provides some clarity on our reasoning even though it is not the answer many people are looking for.

   

  --Ryan

  0
• 

  Permanently deleted user

  25 September 2017 06:47

  Hi Ryan,

   

  Thanks for the comprehensive answer!

   

  We don't always get the detailed reasoning behind a change in functionality or an apparent limitation of the software, so it's great to be given a real world explanation.

   

  While I would still prefer to have the functionality that the Silverlight viewer offered, I can now appreciate the decision that Latitude have made.

   

  Cheers,

   

  Lindsay

  0

Du måste logga in om du vill lämna en kommentar.