make ArcGIS Desktop/Explorer more compatible with secure ArcGIS services

Idea created by huttarl on Aug 25, 2011
    New
    Score70
    • mattsil
    • huttarl
    • aaronf@gbcma.vic.gov.au
    • ssekkes
    • chandesris11
    • jwarzi
    • lsamson
    Right now (v10 sp1), ArcGIS Explorer and Desktop can't connect to secure map services over the web - HTTPS/SSL.
    At least, not in my experience: these clients send an initial HTTP POST request (containing a SOAP envelope) before an authenticated session is established.

    The server responds by forwarding the client to a login page, and once credentials are accepted and a session cookie is created, the client is forwarded back to the URL of the original request. But here's the rub: the forwarding process uses HTTP GET requests, and therefore the body of the original HTTP POST is lost.

    I believe this is typical for most HTTPS web servers, such as Apache's SSL module. If you try to fill out a form and submit its contents on a web site when you're not authenticated (e.g. your session has expired), you will get forwarded to a login page; but once you've entered your username and password, the data of your original POST will not be preserved, will it?

    Solution:

    AGD and AGX clients could make the initial connection (at least for https:// map services) using a simple GET request. This would allow the server to do its normal forwarding and session-establishing routine without having to be able to preserve a POST request body.

    Then, once a session cookie is in hand, the client can go ahead and POST its SOAP envelope to the map server, knowing that it can be handled easily because there is already an authenticated session.

    This would add value for enterprises and for commercial map service providers, because it would enable them to provide secure map service access over the internet. It would also increase ROI for map service developers, because the same secure services that would be used by a web client (e.g. Javascript/Flex/Silverlight) could then also be used by desktop clients. This also increases flexibility for end users, who can choose their client (web vs. desktop) based on their needs.